npm - @private.me/xbind - Versions diffs - 1.2.0 - Mend

@private.me/xbind 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/AGENTS.md +778 -0
package/LICENSE.md +27 -0
package/README.md +400 -0
package/dist-standalone/_deps/crypto/base64.d.ts +29 -0
package/dist-standalone/_deps/crypto/base64.js +97 -0
package/dist-standalone/_deps/crypto/cjs/base64.js +103 -0
package/dist-standalone/_deps/crypto/cjs/errors.js +119 -0
package/dist-standalone/_deps/crypto/cjs/hmac.js +71 -0
package/dist-standalone/_deps/crypto/cjs/index.js +86 -0
package/dist-standalone/_deps/crypto/cjs/padding.js +57 -0
package/dist-standalone/_deps/crypto/cjs/share-header.js +68 -0
package/dist-standalone/_deps/crypto/cjs/shares.js +152 -0
package/dist-standalone/_deps/crypto/cjs/tlv.js +199 -0
package/dist-standalone/_deps/crypto/cjs/uuid.js +61 -0
package/dist-standalone/_deps/crypto/cjs/verify.js +24 -0
package/dist-standalone/_deps/crypto/cjs/xorida.js +221 -0
package/dist-standalone/_deps/crypto/errors.d.ts +51 -0
package/dist-standalone/_deps/crypto/errors.js +109 -0
package/dist-standalone/_deps/crypto/hmac.d.ts +39 -0
package/dist-standalone/_deps/crypto/hmac.js +66 -0
package/dist-standalone/_deps/crypto/index.d.ts +20 -0
package/dist-standalone/_deps/crypto/index.js +45 -0
package/dist-standalone/_deps/crypto/padding.d.ts +19 -0
package/dist-standalone/_deps/crypto/padding.js +53 -0
package/dist-standalone/_deps/crypto/share-header.d.ts +44 -0
package/dist-standalone/_deps/crypto/share-header.js +63 -0
package/dist-standalone/_deps/crypto/shares.d.ts +27 -0
package/dist-standalone/_deps/crypto/shares.js +148 -0
package/dist-standalone/_deps/crypto/tlv.d.ts +26 -0
package/dist-standalone/_deps/crypto/tlv.js +195 -0
package/dist-standalone/_deps/crypto/uuid.d.ts +22 -0
package/dist-standalone/_deps/crypto/uuid.js +56 -0
package/dist-standalone/_deps/crypto/verify.d.ts +15 -0
package/dist-standalone/_deps/crypto/verify.js +15 -0
package/dist-standalone/_deps/crypto/xorida.d.ts +44 -0
package/dist-standalone/_deps/crypto/xorida.js +215 -0
package/dist-standalone/_deps/mldsa-wasm/LICENSE +24 -0
package/dist-standalone/_deps/mldsa-wasm/dist/mldsa.js +1920 -0
package/dist-standalone/_deps/mldsa-wasm/package.json +46 -0
package/dist-standalone/_deps/mldsa-wasm/types/mldsa.d.ts +30 -0
package/dist-standalone/_deps/shared/cjs/errors.js +582 -0
package/dist-standalone/_deps/shared/cjs/index.js +492 -0
package/dist-standalone/_deps/shared/cjs/package.json +1 -0
package/dist-standalone/_deps/shared/cjs/types.js +403 -0
package/dist-standalone/_deps/shared/errors.d.ts +48 -0
package/dist-standalone/_deps/shared/errors.d.ts.map +1 -0
package/dist-standalone/_deps/shared/errors.js +192 -0
package/dist-standalone/_deps/shared/errors.js.map +1 -0
package/dist-standalone/_deps/shared/index.d.ts +4 -0
package/dist-standalone/_deps/shared/index.d.ts.map +1 -0
package/dist-standalone/_deps/shared/index.js +78 -0
package/dist-standalone/_deps/shared/index.js.map +1 -0
package/dist-standalone/_deps/shared/types.d.ts +1097 -0
package/dist-standalone/_deps/shared/types.d.ts.map +1 -0
package/dist-standalone/_deps/shared/types.js +89 -0
package/dist-standalone/_deps/shared/types.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts +115 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.js +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts +13 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.js +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/package.json +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts +39 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js +83 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts +99 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.js +143 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts +32 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.js +119 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts +109 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.js +8 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/errors.d.ts +115 -0
package/dist-standalone/_deps/ux-helpers/errors.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/errors.js +253 -0
package/dist-standalone/_deps/ux-helpers/errors.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/index.d.ts +13 -0
package/dist-standalone/_deps/ux-helpers/index.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/index.js +16 -0
package/dist-standalone/_deps/ux-helpers/index.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/pagination.d.ts +39 -0
package/dist-standalone/_deps/ux-helpers/pagination.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/pagination.js +79 -0
package/dist-standalone/_deps/ux-helpers/pagination.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/progress.d.ts +99 -0
package/dist-standalone/_deps/ux-helpers/progress.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/progress.js +138 -0
package/dist-standalone/_deps/ux-helpers/progress.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/search.d.ts +32 -0
package/dist-standalone/_deps/ux-helpers/search.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/search.js +116 -0
package/dist-standalone/_deps/ux-helpers/search.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/types.d.ts +109 -0
package/dist-standalone/_deps/ux-helpers/types.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/types.js +7 -0
package/dist-standalone/_deps/ux-helpers/types.js.map +1 -0
package/dist-standalone/_deps/xchange/auto-accept.d.ts +127 -0
package/dist-standalone/_deps/xchange/auto-accept.js +1 -0
package/dist-standalone/_deps/xchange/cjs/auto-accept.js +1 -0
package/dist-standalone/_deps/xchange/cjs/errors.js +1 -0
package/dist-standalone/_deps/xchange/cjs/index.js +1 -0
package/dist-standalone/_deps/xchange/cjs/invite-client.js +1 -0
package/dist-standalone/_deps/xchange/cjs/lazy-init.js +1 -0
package/dist-standalone/_deps/xchange/cjs/package.json +1 -0
package/dist-standalone/_deps/xchange/cjs/trust-integration.js +1 -0
package/dist-standalone/_deps/xchange/cjs/xchange.js +1 -0
package/dist-standalone/_deps/xchange/errors.d.ts +69 -0
package/dist-standalone/_deps/xchange/errors.js +1 -0
package/dist-standalone/_deps/xchange/index.d.ts +15 -0
package/dist-standalone/_deps/xchange/index.js +1 -0
package/dist-standalone/_deps/xchange/invite-client.d.ts +178 -0
package/dist-standalone/_deps/xchange/invite-client.js +1 -0
package/dist-standalone/_deps/xchange/lazy-init.d.ts +176 -0
package/dist-standalone/_deps/xchange/lazy-init.js +1 -0
package/dist-standalone/_deps/xchange/trust-integration.d.ts +102 -0
package/dist-standalone/_deps/xchange/trust-integration.js +1 -0
package/dist-standalone/_deps/xchange/xchange.d.ts +60 -0
package/dist-standalone/_deps/xchange/xchange.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/discovery.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/errors.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/index.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/package.json +1 -0
package/dist-standalone/_deps/xregistry/cjs/registry.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/schema.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/types.js +1 -0
package/dist-standalone/_deps/xregistry/discovery.d.ts +126 -0
package/dist-standalone/_deps/xregistry/discovery.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/discovery.js +1 -0
package/dist-standalone/_deps/xregistry/discovery.js.map +1 -0
package/dist-standalone/_deps/xregistry/errors.d.ts +41 -0
package/dist-standalone/_deps/xregistry/errors.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/errors.js +1 -0
package/dist-standalone/_deps/xregistry/errors.js.map +1 -0
package/dist-standalone/_deps/xregistry/index.d.ts +8 -0
package/dist-standalone/_deps/xregistry/index.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/index.js +1 -0
package/dist-standalone/_deps/xregistry/index.js.map +1 -0
package/dist-standalone/_deps/xregistry/registry.d.ts +85 -0
package/dist-standalone/_deps/xregistry/registry.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/registry.js +1 -0
package/dist-standalone/_deps/xregistry/registry.js.map +1 -0
package/dist-standalone/_deps/xregistry/schema.d.ts +81 -0
package/dist-standalone/_deps/xregistry/schema.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/schema.js +1 -0
package/dist-standalone/_deps/xregistry/schema.js.map +1 -0
package/dist-standalone/_deps/xregistry/types.d.ts +95 -0
package/dist-standalone/_deps/xregistry/types.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/types.js +1 -0
package/dist-standalone/_deps/xregistry/types.js.map +1 -0
package/dist-standalone/agent-call.d.ts +286 -0
package/dist-standalone/agent-call.js +642 -0
package/dist-standalone/agent-sdk.d.ts +207 -0
package/dist-standalone/agent-sdk.js +328 -0
package/dist-standalone/agent.d.ts +670 -0
package/dist-standalone/agent.js +1529 -0
package/dist-standalone/approval.d.ts +145 -0
package/dist-standalone/approval.js +193 -0
package/dist-standalone/auth.d.ts +75 -0
package/dist-standalone/auth.js +219 -0
package/dist-standalone/auto-accept.d.ts +102 -0
package/dist-standalone/auto-accept.js +229 -0
package/dist-standalone/backup-config.d.ts +150 -0
package/dist-standalone/backup-config.js +201 -0
package/dist-standalone/checkpoint.d.ts +125 -0
package/dist-standalone/checkpoint.js +186 -0
package/dist-standalone/cjs/agent-call.js +651 -0
package/dist-standalone/cjs/agent-sdk.js +332 -0
package/dist-standalone/cjs/agent.js +1566 -0
package/dist-standalone/cjs/approval.js +199 -0
package/dist-standalone/cjs/auth.js +225 -0
package/dist-standalone/cjs/auto-accept.js +233 -0
package/dist-standalone/cjs/backup-config.js +207 -0
package/dist-standalone/cjs/checkpoint.js +193 -0
package/dist-standalone/cjs/cli/init.js +487 -0
package/dist-standalone/cjs/connect.js +312 -0
package/dist-standalone/cjs/did-document.js +101 -0
package/dist-standalone/cjs/did-privateme.js +130 -0
package/dist-standalone/cjs/did-web.js +201 -0
package/dist-standalone/cjs/discovery.js +462 -0
package/dist-standalone/cjs/dual-mode.js +251 -0
package/dist-standalone/cjs/email-templates.js +313 -0
package/dist-standalone/cjs/email-transport.js +239 -0
package/dist-standalone/cjs/envelope.js +510 -0
package/dist-standalone/cjs/errors.js +562 -0
package/dist-standalone/cjs/gateway-state.js +55 -0
package/dist-standalone/cjs/gateway-transport.js +120 -0
package/dist-standalone/cjs/guardrails.js +223 -0
package/dist-standalone/cjs/http-compat.js +272 -0
package/dist-standalone/cjs/identity.js +541 -0
package/dist-standalone/cjs/index.js +224 -0
package/dist-standalone/cjs/invitation.js +421 -0
package/dist-standalone/cjs/invite.js +328 -0
package/dist-standalone/cjs/key-agreement.js +246 -0
package/dist-standalone/cjs/lazy-init.js +300 -0
package/dist-standalone/cjs/mdns-discovery.js +202 -0
package/dist-standalone/cjs/nonce-store.js +66 -0
package/dist-standalone/cjs/package.json +3 -0
package/dist-standalone/cjs/pairing-manager.js +223 -0
package/dist-standalone/cjs/policy.js +320 -0
package/dist-standalone/cjs/redis-nonce-store.js +76 -0
package/dist-standalone/cjs/registry-middleware.js +50 -0
package/dist-standalone/cjs/retry-transport.js +102 -0
package/dist-standalone/cjs/security-policy.js +204 -0
package/dist-standalone/cjs/split-channel.js +177 -0
package/dist-standalone/cjs/subscription-proof.js +230 -0
package/dist-standalone/cjs/succession.js +148 -0
package/dist-standalone/cjs/transport.js +63 -0
package/dist-standalone/cjs/trust-registry.js +742 -0
package/dist-standalone/cjs/verify.js +25 -0
package/dist-standalone/cjs/xfetch.js +252 -0
package/dist-standalone/cli/init.d.ts +63 -0
package/dist-standalone/cli/init.js +450 -0
package/dist-standalone/connect.d.ts +143 -0
package/dist-standalone/connect.js +274 -0
package/dist-standalone/did-document.d.ts +65 -0
package/dist-standalone/did-document.js +96 -0
package/dist-standalone/did-privateme.d.ts +70 -0
package/dist-standalone/did-privateme.js +121 -0
package/dist-standalone/did-web.d.ts +73 -0
package/dist-standalone/did-web.js +196 -0
package/dist-standalone/discovery.d.ts +176 -0
package/dist-standalone/discovery.js +458 -0
package/dist-standalone/dual-mode.d.ts +145 -0
package/dist-standalone/dual-mode.js +247 -0
package/dist-standalone/email-templates.d.ts +41 -0
package/dist-standalone/email-templates.js +309 -0
package/dist-standalone/email-transport.d.ts +139 -0
package/dist-standalone/email-transport.js +232 -0
package/dist-standalone/envelope.d.ts +288 -0
package/dist-standalone/envelope.js +497 -0
package/dist-standalone/errors.d.ts +74 -0
package/dist-standalone/errors.js +548 -0
package/dist-standalone/gateway-state.d.ts +32 -0
package/dist-standalone/gateway-state.js +51 -0
package/dist-standalone/gateway-transport.d.ts +59 -0
package/dist-standalone/gateway-transport.js +116 -0
package/dist-standalone/guardrails.d.ts +136 -0
package/dist-standalone/guardrails.js +216 -0
package/dist-standalone/http-compat.d.ts +150 -0
package/dist-standalone/http-compat.js +267 -0
package/dist-standalone/identity.d.ts +176 -0
package/dist-standalone/identity.js +516 -0
package/dist-standalone/index.d.ts +83 -0
package/dist-standalone/index.js +51 -0
package/dist-standalone/invitation.d.ts +211 -0
package/dist-standalone/invitation.js +415 -0
package/dist-standalone/invite.d.ts +192 -0
package/dist-standalone/invite.js +324 -0
package/dist-standalone/key-agreement.d.ts +122 -0
package/dist-standalone/key-agreement.js +236 -0
package/dist-standalone/lazy-init.d.ts +167 -0
package/dist-standalone/lazy-init.js +295 -0
package/dist-standalone/mdns-discovery.d.ts +117 -0
package/dist-standalone/mdns-discovery.js +195 -0
package/dist-standalone/nonce-store.d.ts +39 -0
package/dist-standalone/nonce-store.js +62 -0
package/dist-standalone/package.json +11 -0
package/dist-standalone/pairing-manager.d.ts +147 -0
package/dist-standalone/pairing-manager.js +219 -0
package/dist-standalone/policy.d.ts +150 -0
package/dist-standalone/policy.js +315 -0
package/dist-standalone/redis-nonce-store.d.ts +93 -0
package/dist-standalone/redis-nonce-store.js +72 -0
package/dist-standalone/registry-middleware.d.ts +38 -0
package/dist-standalone/registry-middleware.js +47 -0
package/dist-standalone/retry-transport.d.ts +76 -0
package/dist-standalone/retry-transport.js +98 -0
package/dist-standalone/security-policy.d.ts +146 -0
package/dist-standalone/security-policy.js +198 -0
package/dist-standalone/split-channel.d.ts +69 -0
package/dist-standalone/split-channel.js +171 -0
package/dist-standalone/subscription-proof.d.ts +103 -0
package/dist-standalone/subscription-proof.js +224 -0
package/dist-standalone/succession.d.ts +57 -0
package/dist-standalone/succession.js +142 -0
package/dist-standalone/transport.d.ts +50 -0
package/dist-standalone/transport.js +59 -0
package/dist-standalone/trust-registry.d.ts +286 -0
package/dist-standalone/trust-registry.js +702 -0
package/dist-standalone/verify.d.ts +16 -0
package/dist-standalone/verify.js +16 -0
package/dist-standalone/xfetch.d.ts +129 -0
package/dist-standalone/xfetch.js +247 -0
package/llms.txt +800 -0
package/package.json +79 -0
package/share1.dat +0 -0

package/dist-standalone/approval.d.ts ADDED Viewed

@@ -0,0 +1,145 @@
+/**
+ * @module approval
+ * OAuth-style approval flow for agents
+ *
+ * Enterprise agents require explicit user consent before performing
+ * sensitive operations. This module implements OAuth-style consent
+ * screens and approval tokens.
+ */
+import type { Result } from '@private.me/shared';
+import type { PolicyConstraints } from './agent-call.js';
+/**
+ * Approval request options
+ */
+export interface ApprovalOptions {
+    /** Agent DID requesting approval */
+    readonly agentDid: string;
+    /** Scopes being requested (e.g., ["payments:createCharge", "invoices:create"]) */
+    readonly scopes: string[];
+    /** Policy limits to enforce */
+    readonly limits: PolicyConstraints['limits'];
+    /** Duration of approval (ISO 8601 duration or ms) */
+    readonly duration: string | number;
+    /** Human-readable description of what the agent will do */
+    readonly description?: string;
+    /** Metadata for audit logging */
+    readonly metadata?: Record<string, unknown>;
+}
+/**
+ * Approval token (returned after user consent)
+ */
+export interface ApprovalToken {
+    /** Unique approval ID */
+    readonly id: string;
+    /** Agent DID this approval is for */
+    readonly agentDid: string;
+    /** Granted scopes */
+    readonly scopes: string[];
+    /** Granted limits */
+    readonly limits: PolicyConstraints['limits'];
+    /** Expiration timestamp (ms since epoch) */
+    readonly expiresAt: number;
+    /** When this approval was created */
+    readonly createdAt: number;
+    /** Whether this approval is still valid */
+    readonly valid: boolean;
+    /** JWT-style signature (Ed25519) */
+    readonly signature: string;
+}
+/**
+ * Approval result
+ */
+export interface ApprovalResult {
+    /** Whether user approved */
+    readonly approved: boolean;
+    /** Approval token (if approved) */
+    readonly token?: ApprovalToken;
+    /** Reason for denial (if not approved) */
+    readonly reason?: string;
+}
+/**
+ * Approval error codes
+ */
+export declare enum ApprovalErrorCode {
+    USER_DENIED = "APPROVAL_USER_DENIED",
+    TIMEOUT = "APPROVAL_TIMEOUT",
+    INVALID_DURATION = "APPROVAL_INVALID_DURATION",
+    SIGNATURE_FAILED = "APPROVAL_SIGNATURE_FAILED",
+    TOKEN_EXPIRED = "APPROVAL_TOKEN_EXPIRED",
+    TOKEN_REVOKED = "APPROVAL_TOKEN_REVOKED",
+    INVALID_TOKEN = "APPROVAL_INVALID_TOKEN"
+}
+/**
+ * Approval error
+ */
+export declare class ApprovalError extends Error {
+    readonly code: ApprovalErrorCode;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(code: ApprovalErrorCode, message: string, details?: Record<string, unknown> | undefined);
+}
+/**
+ * Approval presenter (UI abstraction)
+ *
+ * Implementations display consent screen to user and return their decision.
+ * This allows different UIs (CLI, web, mobile) to plug in.
+ */
+export interface ApprovalPresenter {
+    /**
+     * Present approval request to user
+     *
+     * @param options - Approval options
+     * @returns User's decision
+     */
+    present(options: ApprovalOptions): Promise<Result<ApprovalResult, ApprovalError>>;
+}
+/**
+ * CLI approval presenter (prints to console, reads stdin)
+ * This is a legitimate CLI interface - console output is intentional
+ */
+export declare class CLIApprovalPresenter implements ApprovalPresenter {
+    present(options: ApprovalOptions): Promise<Result<ApprovalResult, ApprovalError>>;
+}
+/**
+ * Approval flow coordinator
+ *
+ * Orchestrates the consent flow: present to user → sign token → track expiry
+ */
+export declare class ApprovalFlow {
+    private readonly presenter;
+    private readonly tokens;
+    constructor(options?: {
+        readonly presenter?: ApprovalPresenter;
+    });
+    /**
+     * Request approval from user
+     *
+     * @param options - Approval request options
+     * @returns Approval result with token (if approved)
+     */
+    requestApproval(options: ApprovalOptions): Promise<Result<ApprovalResult, ApprovalError>>;
+    /**
+     * Verify an approval token
+     *
+     * @param tokenId - Token ID to verify
+     * @returns Token if valid, error otherwise
+     */
+    verifyToken(tokenId: string): Result<ApprovalToken, ApprovalError>;
+    /**
+     * Revoke an approval token
+     *
+     * @param tokenId - Token ID to revoke
+     */
+    revokeToken(tokenId: string): void;
+    /**
+     * Parse duration string to milliseconds
+     */
+    private parseDuration;
+    /**
+     * Generate a unique token ID
+     */
+    private generateTokenId;
+    /**
+     * Sign an approval token (stub - production would use Ed25519)
+     */
+    private signToken;
+}

package/dist-standalone/approval.js ADDED Viewed

@@ -0,0 +1,193 @@
+/**
+ * @module approval
+ * OAuth-style approval flow for agents
+ *
+ * Enterprise agents require explicit user consent before performing
+ * sensitive operations. This module implements OAuth-style consent
+ * screens and approval tokens.
+ */
+import { ok, err } from"./_deps/shared/index.js";
+/**
+ * Approval error codes
+ */
+export var ApprovalErrorCode;
+(function (ApprovalErrorCode) {
+    ApprovalErrorCode["USER_DENIED"] = "APPROVAL_USER_DENIED";
+    ApprovalErrorCode["TIMEOUT"] = "APPROVAL_TIMEOUT";
+    ApprovalErrorCode["INVALID_DURATION"] = "APPROVAL_INVALID_DURATION";
+    ApprovalErrorCode["SIGNATURE_FAILED"] = "APPROVAL_SIGNATURE_FAILED";
+    ApprovalErrorCode["TOKEN_EXPIRED"] = "APPROVAL_TOKEN_EXPIRED";
+    ApprovalErrorCode["TOKEN_REVOKED"] = "APPROVAL_TOKEN_REVOKED";
+    ApprovalErrorCode["INVALID_TOKEN"] = "APPROVAL_INVALID_TOKEN";
+})(ApprovalErrorCode || (ApprovalErrorCode = {}));
+/**
+ * Approval error
+ */
+export class ApprovalError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = 'ApprovalError';
+    }
+}
+/**
+ * CLI approval presenter (prints to console, reads stdin)
+ * This is a legitimate CLI interface - console output is intentional
+ */
+export class CLIApprovalPresenter {
+    /* eslint-disable no-console */
+    async present(options) {
+        console.log('\n=== AGENT APPROVAL REQUEST ===');
+        console.log(`Agent: ${options.agentDid}`);
+        console.log(`Duration: ${options.duration}`);
+        console.log('\nRequested Scopes:');
+        for (const scope of options.scopes) {
+            console.log(`  - ${scope}`);
+        }
+        if (options.limits) {
+            console.log('\nPolicy Limits:');
+            if (options.limits.amountPerTxn) {
+                console.log(`  - Max per transaction: $${options.limits.amountPerTxn.toLocaleString()}`);
+            }
+            if (options.limits.dailyAmount) {
+                console.log(`  - Daily limit: $${options.limits.dailyAmount.toLocaleString()}`);
+            }
+            if (options.limits.callsPerMinute) {
+                console.log(`  - Rate limit: ${options.limits.callsPerMinute} calls/minute`);
+            }
+        }
+        if (options.description) {
+            console.log(`\nDescription: ${options.description}`);
+        }
+        console.log('\n[This is a mock presenter - auto-approving for development]');
+        console.log('In production, this would prompt for user input.\n');
+        // Auto-approve for development (production would prompt for y/n)
+        return ok({
+            approved: true,
+        });
+    }
+}
+/**
+ * Approval flow coordinator
+ *
+ * Orchestrates the consent flow: present to user → sign token → track expiry
+ */
+export class ApprovalFlow {
+    presenter;
+    tokens = new Map();
+    constructor(options = {}) {
+        this.presenter = options.presenter ?? new CLIApprovalPresenter();
+    }
+    /**
+     * Request approval from user
+     *
+     * @param options - Approval request options
+     * @returns Approval result with token (if approved)
+     */
+    async requestApproval(options) {
+        // Validate duration
+        const durationMs = this.parseDuration(options.duration);
+        if (durationMs <= 0) {
+            return err(new ApprovalError(ApprovalErrorCode.INVALID_DURATION, `Invalid duration: ${options.duration}`));
+        }
+        // Present to user
+        const result = await this.presenter.present(options);
+        if (!result.ok)
+            return result;
+        if (!result.value.approved) {
+            return ok({
+                approved: false,
+                reason: result.value.reason ?? 'User denied approval',
+            });
+        }
+        // Generate approval token
+        const now = Date.now();
+        const token = {
+            id: this.generateTokenId(),
+            agentDid: options.agentDid,
+            scopes: options.scopes,
+            limits: options.limits,
+            expiresAt: now + durationMs,
+            createdAt: now,
+            valid: true,
+            signature: await this.signToken(options.agentDid, options.scopes, now + durationMs),
+        };
+        // Store token
+        this.tokens.set(token.id, token);
+        return ok({
+            approved: true,
+            token,
+        });
+    }
+    /**
+     * Verify an approval token
+     *
+     * @param tokenId - Token ID to verify
+     * @returns Token if valid, error otherwise
+     */
+    verifyToken(tokenId) {
+        const token = this.tokens.get(tokenId);
+        if (!token) {
+            return err(new ApprovalError(ApprovalErrorCode.INVALID_TOKEN, `Token ${tokenId} not found`));
+        }
+        if (!token.valid) {
+            return err(new ApprovalError(ApprovalErrorCode.TOKEN_REVOKED, `Token ${tokenId} has been revoked`));
+        }
+        if (Date.now() > token.expiresAt) {
+            return err(new ApprovalError(ApprovalErrorCode.TOKEN_EXPIRED, `Token ${tokenId} expired at ${new Date(token.expiresAt).toISOString()}`));
+        }
+        return ok(token);
+    }
+    /**
+     * Revoke an approval token
+     *
+     * @param tokenId - Token ID to revoke
+     */
+    revokeToken(tokenId) {
+        const token = this.tokens.get(tokenId);
+        if (token) {
+            this.tokens.set(tokenId, { ...token, valid: false });
+        }
+    }
+    /**
+     * Parse duration string to milliseconds
+     */
+    parseDuration(duration) {
+        if (typeof duration === 'number')
+            return duration;
+        // Parse ISO 8601 duration or simple format
+        const matches = duration.match(/^(\d+)([smhd])$/);
+        if (!matches)
+            return -1;
+        const value = parseInt(matches[1] ?? '0', 10);
+        const unit = matches[2];
+        switch (unit) {
+            case 's': return value * 1000;
+            case 'm': return value * 60 * 1000;
+            case 'h': return value * 60 * 60 * 1000;
+            case 'd': return value * 24 * 60 * 60 * 1000;
+            default: return -1;
+        }
+    }
+    /**
+     * Generate a unique token ID
+     */
+    generateTokenId() {
+        const randomBytes = new Uint8Array(12);
+        crypto.getRandomValues(randomBytes);
+        const randomString = Array.from(randomBytes, b => b.toString(16).padStart(2, '0')).join('');
+        return `appr_${Date.now()}_${randomString}`;
+    }
+    /**
+     * Sign an approval token (stub - production would use Ed25519)
+     */
+    async signToken(agentDid, scopes, expiresAt) {
+        // Production would use Ed25519 signature over JSON.stringify({ agentDid, scopes, expiresAt })
+        // For now, return a mock signature
+        const payload = JSON.stringify({ agentDid, scopes, expiresAt });
+        return btoa(payload).substring(0, 32);
+    }
+}

package/dist-standalone/auth.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Xlock auth challenge module for Agent SDK.
+ *
+ * Provides requestAuth(), respondToChallenge(), and onChallenge()
+ * functions that work with an Agent instance and the XBind gateway.
+ *
+ * These functions are also re-exported as thin methods on the Agent class.
+ */
+import type { Result, AuthRequest, AuthResult, IncomingAuthChallenge, AuthChallengeErrorCode } from '@private.me/shared';
+import type { Agent } from './agent.js';
+/** Options for the gateway connection used by auth functions. */
+export interface AuthGatewayOptions {
+    /** Gateway base URL (e.g. 'https://api.xail.io'). */
+    readonly gatewayUrl: string;
+    /** Bearer token for status polling (HMAC-SHA256 of sender DID). */
+    readonly accessToken: string;
+}
+/**
+ * Create an auth challenge and poll until the user responds.
+ *
+ * Sends a challenge via the XBind gateway, then polls the status
+ * endpoint until the challenge is approved, denied, or expires.
+ *
+ * @param agent - The Agent requesting authorization.
+ * @param request - Auth request details (recipient DID, action, metadata).
+ * @param gateway - Gateway connection options.
+ * @returns Auth result (approved/denied) or error.
+ */
+export declare function requestAuth(agent: Agent, request: AuthRequest, gateway: AuthGatewayOptions): Promise<Result<AuthResult, AuthChallengeErrorCode>>;
+/**
+ * Respond to an incoming auth challenge (approve or deny).
+ *
+ * Sends a signed response envelope to the gateway.
+ *
+ * @param agent - The Agent responding to the challenge.
+ * @param challengeId - The challenge ID to respond to.
+ * @param approved - Whether the user approved the challenge.
+ * @param gateway - Gateway connection options.
+ * @returns Success or error.
+ */
+export declare function respondToChallenge(agent: Agent, challengeId: string, approved: boolean, gateway: AuthGatewayOptions): Promise<Result<void, AuthChallengeErrorCode>>;
+/**
+ * Register a callback for incoming auth challenges via WebSocket.
+ *
+ * The callback fires when an `auth:challenge` message arrives
+ * over the gateway WebSocket connection.
+ *
+ * @param ws - The WebSocket connection to the gateway.
+ * @param callback - Handler for incoming challenges.
+ * @returns Cleanup function to unregister the listener.
+ */
+export declare function onChallenge(ws: {
+    addEventListener: (type: string, handler: (event: {
+        data: string;
+    }) => void) => void;
+    removeEventListener: (type: string, handler: (event: {
+        data: string;
+    }) => void) => void;
+}, callback: (challenge: IncomingAuthChallenge) => void): () => void;
+/**
+ * Generate a registration QR code URI for TOTP migration.
+ *
+ * Creates a `xlock://register` URI that replaces `otpauth://` for
+ * asymmetric DID-based registration.
+ *
+ * @param options - Registration options.
+ * @returns The registration URI string.
+ */
+export declare function generateRegistrationQR(options: {
+    readonly appName: string;
+    readonly appDid: string;
+    readonly registryUrl: string;
+    readonly callbackUrl: string;
+    readonly appIcon?: string;
+}): string;

package/dist-standalone/auth.js ADDED Viewed

@@ -0,0 +1,219 @@
+/**
+ * Xlock auth challenge module for Agent SDK.
+ *
+ * Provides requestAuth(), respondToChallenge(), and onChallenge()
+ * functions that work with an Agent instance and the XBind gateway.
+ *
+ * These functions are also re-exported as thin methods on the Agent class.
+ */
+import { ok, err } from"./_deps/shared/index.js";
+import { createSignedEnvelope } from './envelope.js';
+/** Default poll interval for challenge status. */
+const DEFAULT_POLL_INTERVAL_MS = 2_000;
+/** Default TTL for challenges (5 minutes). */
+const DEFAULT_TTL_MS = 5 * 60 * 1000;
+/** Max poll iterations (TTL / pollInterval + safety margin). */
+const MAX_POLL_ITERATIONS = 200;
+/**
+ * Create an auth challenge and poll until the user responds.
+ *
+ * Sends a challenge via the XBind gateway, then polls the status
+ * endpoint until the challenge is approved, denied, or expires.
+ *
+ * @param agent - The Agent requesting authorization.
+ * @param request - Auth request details (recipient DID, action, metadata).
+ * @param gateway - Gateway connection options.
+ * @returns Auth result (approved/denied) or error.
+ */
+export async function requestAuth(agent, request, gateway) {
+    const ttlMs = request.ttlMs ?? DEFAULT_TTL_MS;
+    const pollIntervalMs = request.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+    // Build the challenge payload
+    const payload = {
+        recipientDid: request.to,
+        action: request.action,
+        metadata: request.metadata ?? {},
+        ttlMs,
+    };
+    // Create a signed envelope wrapping the challenge request
+    const envelopeResult = await createSignedEnvelope({
+        senderDid: agent.did,
+        recipientDid: request.to,
+        scope: 'xlock:challenge',
+        plaintext: new TextEncoder().encode(JSON.stringify(payload)),
+        privateKey: agent.identity.privateKey,
+    });
+    if (!envelopeResult.ok) {
+        return err('INVALID_REQUEST');
+    }
+    // POST to gateway
+    let challengeId;
+    let expiresAt;
+    try {
+        const response = await fetch(`${gateway.gatewayUrl}/gateway/auth/challenge`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(envelopeResult.value),
+        });
+        if (response.status === 429)
+            return err('RATE_LIMITED');
+        if (!response.ok) {
+            const body = await response.json().catch(() => null);
+            const code = body
+                ?.error?.code;
+            return err(code ?? 'INVALID_REQUEST');
+        }
+        const data = await response.json();
+        challengeId = data.challengeId;
+        expiresAt = data.expiresAt;
+    }
+    catch {
+        return err('INVALID_REQUEST');
+    }
+    // Poll for status
+    return pollChallengeStatus(challengeId, expiresAt, pollIntervalMs, gateway);
+}
+/**
+ * Respond to an incoming auth challenge (approve or deny).
+ *
+ * Sends a signed response envelope to the gateway.
+ *
+ * @param agent - The Agent responding to the challenge.
+ * @param challengeId - The challenge ID to respond to.
+ * @param approved - Whether the user approved the challenge.
+ * @param gateway - Gateway connection options.
+ * @returns Success or error.
+ */
+export async function respondToChallenge(agent, challengeId, approved, gateway) {
+    const payload = {
+        challengeId,
+        approved,
+        timestamp: Date.now(),
+    };
+    // Create a signed envelope for the response
+    const envelopeResult = await createSignedEnvelope({
+        senderDid: agent.did,
+        recipientDid: agent.did, // Self-addressed (gateway verifies recipient match)
+        scope: 'xlock:respond',
+        plaintext: new TextEncoder().encode(JSON.stringify(payload)),
+        privateKey: agent.identity.privateKey,
+    });
+    if (!envelopeResult.ok) {
+        return err('INVALID_REQUEST');
+    }
+    try {
+        const response = await fetch(`${gateway.gatewayUrl}/gateway/auth/respond`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                ...envelopeResult.value,
+                // Include response fields at top level for the server
+                challengeId,
+                approved,
+                responseEnvelope: envelopeResult.value,
+            }),
+        });
+        if (!response.ok) {
+            const body = await response.json().catch(() => null);
+            const code = body
+                ?.error?.code;
+            return err(code ?? 'INVALID_REQUEST');
+        }
+        return ok(undefined);
+    }
+    catch {
+        return err('INVALID_REQUEST');
+    }
+}
+/**
+ * Register a callback for incoming auth challenges via WebSocket.
+ *
+ * The callback fires when an `auth:challenge` message arrives
+ * over the gateway WebSocket connection.
+ *
+ * @param ws - The WebSocket connection to the gateway.
+ * @param callback - Handler for incoming challenges.
+ * @returns Cleanup function to unregister the listener.
+ */
+export function onChallenge(ws, callback) {
+    const handler = (event) => {
+        try {
+            const msg = JSON.parse(event.data);
+            if (msg.type === 'auth:challenge' && msg.data) {
+                callback(msg.data);
+            }
+        }
+        catch {
+            // Skip non-JSON messages
+        }
+    };
+    ws.addEventListener('message', handler);
+    return () => ws.removeEventListener('message', handler);
+}
+/**
+ * Generate a registration QR code URI for TOTP migration.
+ *
+ * Creates a `xlock://register` URI that replaces `otpauth://` for
+ * asymmetric DID-based registration.
+ *
+ * @param options - Registration options.
+ * @returns The registration URI string.
+ */
+export function generateRegistrationQR(options) {
+    const params = new URLSearchParams({
+        app: options.appName,
+        did: options.appDid,
+        registry: options.registryUrl,
+        callback: options.callbackUrl,
+    });
+    if (options.appIcon)
+        params.set('icon', options.appIcon);
+    return `xlock://register?${params.toString()}`;
+}
+/** Poll the gateway for challenge status until resolved or expired. */
+async function pollChallengeStatus(challengeId, expiresAt, pollIntervalMs, gateway) {
+    for (let i = 0; i < MAX_POLL_ITERATIONS; i++) {
+        if (Date.now() > expiresAt) {
+            return err('CHALLENGE_EXPIRED');
+        }
+        await sleep(pollIntervalMs);
+        try {
+            const response = await fetch(`${gateway.gatewayUrl}/gateway/auth/status/${challengeId}`, {
+                headers: { Authorization: `Bearer ${gateway.accessToken}` },
+            });
+            if (!response.ok) {
+                if (response.status === 404)
+                    return err('CHALLENGE_NOT_FOUND');
+                continue; // Retry on transient errors
+            }
+            const data = await response.json();
+            if (data.status === 'approved') {
+                return ok({
+                    challengeId: data.challengeId,
+                    approved: true,
+                    respondedAt: data.respondedAt,
+                    envelope: data.envelope,
+                });
+            }
+            if (data.status === 'denied') {
+                return ok({
+                    challengeId: data.challengeId,
+                    approved: false,
+                    respondedAt: data.respondedAt,
+                });
+            }
+            if (data.status === 'expired') {
+                return err('CHALLENGE_EXPIRED');
+            }
+            // Still pending — continue polling
+        }
+        catch {
+            // Network error — continue polling
+        }
+    }
+    return err('CHALLENGE_TIMEOUT');
+}
+/** Promise-based sleep. */
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}