npm - @private.me/xbind - Versions diffs - 1.2.0 - Mend

@private.me/xbind 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/AGENTS.md +778 -0
package/LICENSE.md +27 -0
package/README.md +400 -0
package/dist-standalone/_deps/crypto/base64.d.ts +29 -0
package/dist-standalone/_deps/crypto/base64.js +97 -0
package/dist-standalone/_deps/crypto/cjs/base64.js +103 -0
package/dist-standalone/_deps/crypto/cjs/errors.js +119 -0
package/dist-standalone/_deps/crypto/cjs/hmac.js +71 -0
package/dist-standalone/_deps/crypto/cjs/index.js +86 -0
package/dist-standalone/_deps/crypto/cjs/padding.js +57 -0
package/dist-standalone/_deps/crypto/cjs/share-header.js +68 -0
package/dist-standalone/_deps/crypto/cjs/shares.js +152 -0
package/dist-standalone/_deps/crypto/cjs/tlv.js +199 -0
package/dist-standalone/_deps/crypto/cjs/uuid.js +61 -0
package/dist-standalone/_deps/crypto/cjs/verify.js +24 -0
package/dist-standalone/_deps/crypto/cjs/xorida.js +221 -0
package/dist-standalone/_deps/crypto/errors.d.ts +51 -0
package/dist-standalone/_deps/crypto/errors.js +109 -0
package/dist-standalone/_deps/crypto/hmac.d.ts +39 -0
package/dist-standalone/_deps/crypto/hmac.js +66 -0
package/dist-standalone/_deps/crypto/index.d.ts +20 -0
package/dist-standalone/_deps/crypto/index.js +45 -0
package/dist-standalone/_deps/crypto/padding.d.ts +19 -0
package/dist-standalone/_deps/crypto/padding.js +53 -0
package/dist-standalone/_deps/crypto/share-header.d.ts +44 -0
package/dist-standalone/_deps/crypto/share-header.js +63 -0
package/dist-standalone/_deps/crypto/shares.d.ts +27 -0
package/dist-standalone/_deps/crypto/shares.js +148 -0
package/dist-standalone/_deps/crypto/tlv.d.ts +26 -0
package/dist-standalone/_deps/crypto/tlv.js +195 -0
package/dist-standalone/_deps/crypto/uuid.d.ts +22 -0
package/dist-standalone/_deps/crypto/uuid.js +56 -0
package/dist-standalone/_deps/crypto/verify.d.ts +15 -0
package/dist-standalone/_deps/crypto/verify.js +15 -0
package/dist-standalone/_deps/crypto/xorida.d.ts +44 -0
package/dist-standalone/_deps/crypto/xorida.js +215 -0
package/dist-standalone/_deps/mldsa-wasm/LICENSE +24 -0
package/dist-standalone/_deps/mldsa-wasm/dist/mldsa.js +1920 -0
package/dist-standalone/_deps/mldsa-wasm/package.json +46 -0
package/dist-standalone/_deps/mldsa-wasm/types/mldsa.d.ts +30 -0
package/dist-standalone/_deps/shared/cjs/errors.js +582 -0
package/dist-standalone/_deps/shared/cjs/index.js +492 -0
package/dist-standalone/_deps/shared/cjs/package.json +1 -0
package/dist-standalone/_deps/shared/cjs/types.js +403 -0
package/dist-standalone/_deps/shared/errors.d.ts +48 -0
package/dist-standalone/_deps/shared/errors.d.ts.map +1 -0
package/dist-standalone/_deps/shared/errors.js +192 -0
package/dist-standalone/_deps/shared/errors.js.map +1 -0
package/dist-standalone/_deps/shared/index.d.ts +4 -0
package/dist-standalone/_deps/shared/index.d.ts.map +1 -0
package/dist-standalone/_deps/shared/index.js +78 -0
package/dist-standalone/_deps/shared/index.js.map +1 -0
package/dist-standalone/_deps/shared/types.d.ts +1097 -0
package/dist-standalone/_deps/shared/types.d.ts.map +1 -0
package/dist-standalone/_deps/shared/types.js +89 -0
package/dist-standalone/_deps/shared/types.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts +115 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.js +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts +13 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.js +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/package.json +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts +39 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js +83 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts +99 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.js +143 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts +32 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.js +119 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts +109 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.js +8 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/errors.d.ts +115 -0
package/dist-standalone/_deps/ux-helpers/errors.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/errors.js +253 -0
package/dist-standalone/_deps/ux-helpers/errors.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/index.d.ts +13 -0
package/dist-standalone/_deps/ux-helpers/index.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/index.js +16 -0
package/dist-standalone/_deps/ux-helpers/index.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/pagination.d.ts +39 -0
package/dist-standalone/_deps/ux-helpers/pagination.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/pagination.js +79 -0
package/dist-standalone/_deps/ux-helpers/pagination.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/progress.d.ts +99 -0
package/dist-standalone/_deps/ux-helpers/progress.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/progress.js +138 -0
package/dist-standalone/_deps/ux-helpers/progress.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/search.d.ts +32 -0
package/dist-standalone/_deps/ux-helpers/search.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/search.js +116 -0
package/dist-standalone/_deps/ux-helpers/search.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/types.d.ts +109 -0
package/dist-standalone/_deps/ux-helpers/types.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/types.js +7 -0
package/dist-standalone/_deps/ux-helpers/types.js.map +1 -0
package/dist-standalone/_deps/xchange/auto-accept.d.ts +127 -0
package/dist-standalone/_deps/xchange/auto-accept.js +1 -0
package/dist-standalone/_deps/xchange/cjs/auto-accept.js +1 -0
package/dist-standalone/_deps/xchange/cjs/errors.js +1 -0
package/dist-standalone/_deps/xchange/cjs/index.js +1 -0
package/dist-standalone/_deps/xchange/cjs/invite-client.js +1 -0
package/dist-standalone/_deps/xchange/cjs/lazy-init.js +1 -0
package/dist-standalone/_deps/xchange/cjs/package.json +1 -0
package/dist-standalone/_deps/xchange/cjs/trust-integration.js +1 -0
package/dist-standalone/_deps/xchange/cjs/xchange.js +1 -0
package/dist-standalone/_deps/xchange/errors.d.ts +69 -0
package/dist-standalone/_deps/xchange/errors.js +1 -0
package/dist-standalone/_deps/xchange/index.d.ts +15 -0
package/dist-standalone/_deps/xchange/index.js +1 -0
package/dist-standalone/_deps/xchange/invite-client.d.ts +178 -0
package/dist-standalone/_deps/xchange/invite-client.js +1 -0
package/dist-standalone/_deps/xchange/lazy-init.d.ts +176 -0
package/dist-standalone/_deps/xchange/lazy-init.js +1 -0
package/dist-standalone/_deps/xchange/trust-integration.d.ts +102 -0
package/dist-standalone/_deps/xchange/trust-integration.js +1 -0
package/dist-standalone/_deps/xchange/xchange.d.ts +60 -0
package/dist-standalone/_deps/xchange/xchange.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/discovery.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/errors.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/index.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/package.json +1 -0
package/dist-standalone/_deps/xregistry/cjs/registry.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/schema.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/types.js +1 -0
package/dist-standalone/_deps/xregistry/discovery.d.ts +126 -0
package/dist-standalone/_deps/xregistry/discovery.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/discovery.js +1 -0
package/dist-standalone/_deps/xregistry/discovery.js.map +1 -0
package/dist-standalone/_deps/xregistry/errors.d.ts +41 -0
package/dist-standalone/_deps/xregistry/errors.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/errors.js +1 -0
package/dist-standalone/_deps/xregistry/errors.js.map +1 -0
package/dist-standalone/_deps/xregistry/index.d.ts +8 -0
package/dist-standalone/_deps/xregistry/index.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/index.js +1 -0
package/dist-standalone/_deps/xregistry/index.js.map +1 -0
package/dist-standalone/_deps/xregistry/registry.d.ts +85 -0
package/dist-standalone/_deps/xregistry/registry.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/registry.js +1 -0
package/dist-standalone/_deps/xregistry/registry.js.map +1 -0
package/dist-standalone/_deps/xregistry/schema.d.ts +81 -0
package/dist-standalone/_deps/xregistry/schema.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/schema.js +1 -0
package/dist-standalone/_deps/xregistry/schema.js.map +1 -0
package/dist-standalone/_deps/xregistry/types.d.ts +95 -0
package/dist-standalone/_deps/xregistry/types.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/types.js +1 -0
package/dist-standalone/_deps/xregistry/types.js.map +1 -0
package/dist-standalone/agent-call.d.ts +286 -0
package/dist-standalone/agent-call.js +642 -0
package/dist-standalone/agent-sdk.d.ts +207 -0
package/dist-standalone/agent-sdk.js +328 -0
package/dist-standalone/agent.d.ts +670 -0
package/dist-standalone/agent.js +1529 -0
package/dist-standalone/approval.d.ts +145 -0
package/dist-standalone/approval.js +193 -0
package/dist-standalone/auth.d.ts +75 -0
package/dist-standalone/auth.js +219 -0
package/dist-standalone/auto-accept.d.ts +102 -0
package/dist-standalone/auto-accept.js +229 -0
package/dist-standalone/backup-config.d.ts +150 -0
package/dist-standalone/backup-config.js +201 -0
package/dist-standalone/checkpoint.d.ts +125 -0
package/dist-standalone/checkpoint.js +186 -0
package/dist-standalone/cjs/agent-call.js +651 -0
package/dist-standalone/cjs/agent-sdk.js +332 -0
package/dist-standalone/cjs/agent.js +1566 -0
package/dist-standalone/cjs/approval.js +199 -0
package/dist-standalone/cjs/auth.js +225 -0
package/dist-standalone/cjs/auto-accept.js +233 -0
package/dist-standalone/cjs/backup-config.js +207 -0
package/dist-standalone/cjs/checkpoint.js +193 -0
package/dist-standalone/cjs/cli/init.js +487 -0
package/dist-standalone/cjs/connect.js +312 -0
package/dist-standalone/cjs/did-document.js +101 -0
package/dist-standalone/cjs/did-privateme.js +130 -0
package/dist-standalone/cjs/did-web.js +201 -0
package/dist-standalone/cjs/discovery.js +462 -0
package/dist-standalone/cjs/dual-mode.js +251 -0
package/dist-standalone/cjs/email-templates.js +313 -0
package/dist-standalone/cjs/email-transport.js +239 -0
package/dist-standalone/cjs/envelope.js +510 -0
package/dist-standalone/cjs/errors.js +562 -0
package/dist-standalone/cjs/gateway-state.js +55 -0
package/dist-standalone/cjs/gateway-transport.js +120 -0
package/dist-standalone/cjs/guardrails.js +223 -0
package/dist-standalone/cjs/http-compat.js +272 -0
package/dist-standalone/cjs/identity.js +541 -0
package/dist-standalone/cjs/index.js +224 -0
package/dist-standalone/cjs/invitation.js +421 -0
package/dist-standalone/cjs/invite.js +328 -0
package/dist-standalone/cjs/key-agreement.js +246 -0
package/dist-standalone/cjs/lazy-init.js +300 -0
package/dist-standalone/cjs/mdns-discovery.js +202 -0
package/dist-standalone/cjs/nonce-store.js +66 -0
package/dist-standalone/cjs/package.json +3 -0
package/dist-standalone/cjs/pairing-manager.js +223 -0
package/dist-standalone/cjs/policy.js +320 -0
package/dist-standalone/cjs/redis-nonce-store.js +76 -0
package/dist-standalone/cjs/registry-middleware.js +50 -0
package/dist-standalone/cjs/retry-transport.js +102 -0
package/dist-standalone/cjs/security-policy.js +204 -0
package/dist-standalone/cjs/split-channel.js +177 -0
package/dist-standalone/cjs/subscription-proof.js +230 -0
package/dist-standalone/cjs/succession.js +148 -0
package/dist-standalone/cjs/transport.js +63 -0
package/dist-standalone/cjs/trust-registry.js +742 -0
package/dist-standalone/cjs/verify.js +25 -0
package/dist-standalone/cjs/xfetch.js +252 -0
package/dist-standalone/cli/init.d.ts +63 -0
package/dist-standalone/cli/init.js +450 -0
package/dist-standalone/connect.d.ts +143 -0
package/dist-standalone/connect.js +274 -0
package/dist-standalone/did-document.d.ts +65 -0
package/dist-standalone/did-document.js +96 -0
package/dist-standalone/did-privateme.d.ts +70 -0
package/dist-standalone/did-privateme.js +121 -0
package/dist-standalone/did-web.d.ts +73 -0
package/dist-standalone/did-web.js +196 -0
package/dist-standalone/discovery.d.ts +176 -0
package/dist-standalone/discovery.js +458 -0
package/dist-standalone/dual-mode.d.ts +145 -0
package/dist-standalone/dual-mode.js +247 -0
package/dist-standalone/email-templates.d.ts +41 -0
package/dist-standalone/email-templates.js +309 -0
package/dist-standalone/email-transport.d.ts +139 -0
package/dist-standalone/email-transport.js +232 -0
package/dist-standalone/envelope.d.ts +288 -0
package/dist-standalone/envelope.js +497 -0
package/dist-standalone/errors.d.ts +74 -0
package/dist-standalone/errors.js +548 -0
package/dist-standalone/gateway-state.d.ts +32 -0
package/dist-standalone/gateway-state.js +51 -0
package/dist-standalone/gateway-transport.d.ts +59 -0
package/dist-standalone/gateway-transport.js +116 -0
package/dist-standalone/guardrails.d.ts +136 -0
package/dist-standalone/guardrails.js +216 -0
package/dist-standalone/http-compat.d.ts +150 -0
package/dist-standalone/http-compat.js +267 -0
package/dist-standalone/identity.d.ts +176 -0
package/dist-standalone/identity.js +516 -0
package/dist-standalone/index.d.ts +83 -0
package/dist-standalone/index.js +51 -0
package/dist-standalone/invitation.d.ts +211 -0
package/dist-standalone/invitation.js +415 -0
package/dist-standalone/invite.d.ts +192 -0
package/dist-standalone/invite.js +324 -0
package/dist-standalone/key-agreement.d.ts +122 -0
package/dist-standalone/key-agreement.js +236 -0
package/dist-standalone/lazy-init.d.ts +167 -0
package/dist-standalone/lazy-init.js +295 -0
package/dist-standalone/mdns-discovery.d.ts +117 -0
package/dist-standalone/mdns-discovery.js +195 -0
package/dist-standalone/nonce-store.d.ts +39 -0
package/dist-standalone/nonce-store.js +62 -0
package/dist-standalone/package.json +11 -0
package/dist-standalone/pairing-manager.d.ts +147 -0
package/dist-standalone/pairing-manager.js +219 -0
package/dist-standalone/policy.d.ts +150 -0
package/dist-standalone/policy.js +315 -0
package/dist-standalone/redis-nonce-store.d.ts +93 -0
package/dist-standalone/redis-nonce-store.js +72 -0
package/dist-standalone/registry-middleware.d.ts +38 -0
package/dist-standalone/registry-middleware.js +47 -0
package/dist-standalone/retry-transport.d.ts +76 -0
package/dist-standalone/retry-transport.js +98 -0
package/dist-standalone/security-policy.d.ts +146 -0
package/dist-standalone/security-policy.js +198 -0
package/dist-standalone/split-channel.d.ts +69 -0
package/dist-standalone/split-channel.js +171 -0
package/dist-standalone/subscription-proof.d.ts +103 -0
package/dist-standalone/subscription-proof.js +224 -0
package/dist-standalone/succession.d.ts +57 -0
package/dist-standalone/succession.js +142 -0
package/dist-standalone/transport.d.ts +50 -0
package/dist-standalone/transport.js +59 -0
package/dist-standalone/trust-registry.d.ts +286 -0
package/dist-standalone/trust-registry.js +702 -0
package/dist-standalone/verify.d.ts +16 -0
package/dist-standalone/verify.js +16 -0
package/dist-standalone/xfetch.d.ts +129 -0
package/dist-standalone/xfetch.js +247 -0
package/llms.txt +800 -0
package/package.json +79 -0
package/share1.dat +0 -0

package/dist-standalone/cjs/approval.js ADDED Viewed

@@ -0,0 +1,199 @@
+"use strict";
+/**
+ * @module approval
+ * OAuth-style approval flow for agents
+ *
+ * Enterprise agents require explicit user consent before performing
+ * sensitive operations. This module implements OAuth-style consent
+ * screens and approval tokens.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApprovalFlow = exports.CLIApprovalPresenter = exports.ApprovalError = exports.ApprovalErrorCode = void 0;
+const shared_1 = require("../_deps/shared/index.js");
+/**
+ * Approval error codes
+ */
+var ApprovalErrorCode;
+(function (ApprovalErrorCode) {
+    ApprovalErrorCode["USER_DENIED"] = "APPROVAL_USER_DENIED";
+    ApprovalErrorCode["TIMEOUT"] = "APPROVAL_TIMEOUT";
+    ApprovalErrorCode["INVALID_DURATION"] = "APPROVAL_INVALID_DURATION";
+    ApprovalErrorCode["SIGNATURE_FAILED"] = "APPROVAL_SIGNATURE_FAILED";
+    ApprovalErrorCode["TOKEN_EXPIRED"] = "APPROVAL_TOKEN_EXPIRED";
+    ApprovalErrorCode["TOKEN_REVOKED"] = "APPROVAL_TOKEN_REVOKED";
+    ApprovalErrorCode["INVALID_TOKEN"] = "APPROVAL_INVALID_TOKEN";
+})(ApprovalErrorCode || (exports.ApprovalErrorCode = ApprovalErrorCode = {}));
+/**
+ * Approval error
+ */
+class ApprovalError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = 'ApprovalError';
+    }
+}
+exports.ApprovalError = ApprovalError;
+/**
+ * CLI approval presenter (prints to console, reads stdin)
+ * This is a legitimate CLI interface - console output is intentional
+ */
+class CLIApprovalPresenter {
+    /* eslint-disable no-console */
+    async present(options) {
+        console.log('\n=== AGENT APPROVAL REQUEST ===');
+        console.log(`Agent: ${options.agentDid}`);
+        console.log(`Duration: ${options.duration}`);
+        console.log('\nRequested Scopes:');
+        for (const scope of options.scopes) {
+            console.log(`  - ${scope}`);
+        }
+        if (options.limits) {
+            console.log('\nPolicy Limits:');
+            if (options.limits.amountPerTxn) {
+                console.log(`  - Max per transaction: $${options.limits.amountPerTxn.toLocaleString()}`);
+            }
+            if (options.limits.dailyAmount) {
+                console.log(`  - Daily limit: $${options.limits.dailyAmount.toLocaleString()}`);
+            }
+            if (options.limits.callsPerMinute) {
+                console.log(`  - Rate limit: ${options.limits.callsPerMinute} calls/minute`);
+            }
+        }
+        if (options.description) {
+            console.log(`\nDescription: ${options.description}`);
+        }
+        console.log('\n[This is a mock presenter - auto-approving for development]');
+        console.log('In production, this would prompt for user input.\n');
+        // Auto-approve for development (production would prompt for y/n)
+        return (0, shared_1.ok)({
+            approved: true,
+        });
+    }
+}
+exports.CLIApprovalPresenter = CLIApprovalPresenter;
+/**
+ * Approval flow coordinator
+ *
+ * Orchestrates the consent flow: present to user → sign token → track expiry
+ */
+class ApprovalFlow {
+    presenter;
+    tokens = new Map();
+    constructor(options = {}) {
+        this.presenter = options.presenter ?? new CLIApprovalPresenter();
+    }
+    /**
+     * Request approval from user
+     *
+     * @param options - Approval request options
+     * @returns Approval result with token (if approved)
+     */
+    async requestApproval(options) {
+        // Validate duration
+        const durationMs = this.parseDuration(options.duration);
+        if (durationMs <= 0) {
+            return (0, shared_1.err)(new ApprovalError(ApprovalErrorCode.INVALID_DURATION, `Invalid duration: ${options.duration}`));
+        }
+        // Present to user
+        const result = await this.presenter.present(options);
+        if (!result.ok)
+            return result;
+        if (!result.value.approved) {
+            return (0, shared_1.ok)({
+                approved: false,
+                reason: result.value.reason ?? 'User denied approval',
+            });
+        }
+        // Generate approval token
+        const now = Date.now();
+        const token = {
+            id: this.generateTokenId(),
+            agentDid: options.agentDid,
+            scopes: options.scopes,
+            limits: options.limits,
+            expiresAt: now + durationMs,
+            createdAt: now,
+            valid: true,
+            signature: await this.signToken(options.agentDid, options.scopes, now + durationMs),
+        };
+        // Store token
+        this.tokens.set(token.id, token);
+        return (0, shared_1.ok)({
+            approved: true,
+            token,
+        });
+    }
+    /**
+     * Verify an approval token
+     *
+     * @param tokenId - Token ID to verify
+     * @returns Token if valid, error otherwise
+     */
+    verifyToken(tokenId) {
+        const token = this.tokens.get(tokenId);
+        if (!token) {
+            return (0, shared_1.err)(new ApprovalError(ApprovalErrorCode.INVALID_TOKEN, `Token ${tokenId} not found`));
+        }
+        if (!token.valid) {
+            return (0, shared_1.err)(new ApprovalError(ApprovalErrorCode.TOKEN_REVOKED, `Token ${tokenId} has been revoked`));
+        }
+        if (Date.now() > token.expiresAt) {
+            return (0, shared_1.err)(new ApprovalError(ApprovalErrorCode.TOKEN_EXPIRED, `Token ${tokenId} expired at ${new Date(token.expiresAt).toISOString()}`));
+        }
+        return (0, shared_1.ok)(token);
+    }
+    /**
+     * Revoke an approval token
+     *
+     * @param tokenId - Token ID to revoke
+     */
+    revokeToken(tokenId) {
+        const token = this.tokens.get(tokenId);
+        if (token) {
+            this.tokens.set(tokenId, { ...token, valid: false });
+        }
+    }
+    /**
+     * Parse duration string to milliseconds
+     */
+    parseDuration(duration) {
+        if (typeof duration === 'number')
+            return duration;
+        // Parse ISO 8601 duration or simple format
+        const matches = duration.match(/^(\d+)([smhd])$/);
+        if (!matches)
+            return -1;
+        const value = parseInt(matches[1] ?? '0', 10);
+        const unit = matches[2];
+        switch (unit) {
+            case 's': return value * 1000;
+            case 'm': return value * 60 * 1000;
+            case 'h': return value * 60 * 60 * 1000;
+            case 'd': return value * 24 * 60 * 60 * 1000;
+            default: return -1;
+        }
+    }
+    /**
+     * Generate a unique token ID
+     */
+    generateTokenId() {
+        const randomBytes = new Uint8Array(12);
+        crypto.getRandomValues(randomBytes);
+        const randomString = Array.from(randomBytes, b => b.toString(16).padStart(2, '0')).join('');
+        return `appr_${Date.now()}_${randomString}`;
+    }
+    /**
+     * Sign an approval token (stub - production would use Ed25519)
+     */
+    async signToken(agentDid, scopes, expiresAt) {
+        // Production would use Ed25519 signature over JSON.stringify({ agentDid, scopes, expiresAt })
+        // For now, return a mock signature
+        const payload = JSON.stringify({ agentDid, scopes, expiresAt });
+        return btoa(payload).substring(0, 32);
+    }
+}
+exports.ApprovalFlow = ApprovalFlow;

package/dist-standalone/cjs/auth.js ADDED Viewed

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * Xlock auth challenge module for Agent SDK.
+ *
+ * Provides requestAuth(), respondToChallenge(), and onChallenge()
+ * functions that work with an Agent instance and the XBind gateway.
+ *
+ * These functions are also re-exported as thin methods on the Agent class.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestAuth = requestAuth;
+exports.respondToChallenge = respondToChallenge;
+exports.onChallenge = onChallenge;
+exports.generateRegistrationQR = generateRegistrationQR;
+const shared_1 = require("../_deps/shared/index.js");
+const envelope_js_1 = require("./envelope.js");
+/** Default poll interval for challenge status. */
+const DEFAULT_POLL_INTERVAL_MS = 2_000;
+/** Default TTL for challenges (5 minutes). */
+const DEFAULT_TTL_MS = 5 * 60 * 1000;
+/** Max poll iterations (TTL / pollInterval + safety margin). */
+const MAX_POLL_ITERATIONS = 200;
+/**
+ * Create an auth challenge and poll until the user responds.
+ *
+ * Sends a challenge via the XBind gateway, then polls the status
+ * endpoint until the challenge is approved, denied, or expires.
+ *
+ * @param agent - The Agent requesting authorization.
+ * @param request - Auth request details (recipient DID, action, metadata).
+ * @param gateway - Gateway connection options.
+ * @returns Auth result (approved/denied) or error.
+ */
+async function requestAuth(agent, request, gateway) {
+    const ttlMs = request.ttlMs ?? DEFAULT_TTL_MS;
+    const pollIntervalMs = request.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+    // Build the challenge payload
+    const payload = {
+        recipientDid: request.to,
+        action: request.action,
+        metadata: request.metadata ?? {},
+        ttlMs,
+    };
+    // Create a signed envelope wrapping the challenge request
+    const envelopeResult = await (0, envelope_js_1.createSignedEnvelope)({
+        senderDid: agent.did,
+        recipientDid: request.to,
+        scope: 'xlock:challenge',
+        plaintext: new TextEncoder().encode(JSON.stringify(payload)),
+        privateKey: agent.identity.privateKey,
+    });
+    if (!envelopeResult.ok) {
+        return (0, shared_1.err)('INVALID_REQUEST');
+    }
+    // POST to gateway
+    let challengeId;
+    let expiresAt;
+    try {
+        const response = await fetch(`${gateway.gatewayUrl}/gateway/auth/challenge`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(envelopeResult.value),
+        });
+        if (response.status === 429)
+            return (0, shared_1.err)('RATE_LIMITED');
+        if (!response.ok) {
+            const body = await response.json().catch(() => null);
+            const code = body
+                ?.error?.code;
+            return (0, shared_1.err)(code ?? 'INVALID_REQUEST');
+        }
+        const data = await response.json();
+        challengeId = data.challengeId;
+        expiresAt = data.expiresAt;
+    }
+    catch {
+        return (0, shared_1.err)('INVALID_REQUEST');
+    }
+    // Poll for status
+    return pollChallengeStatus(challengeId, expiresAt, pollIntervalMs, gateway);
+}
+/**
+ * Respond to an incoming auth challenge (approve or deny).
+ *
+ * Sends a signed response envelope to the gateway.
+ *
+ * @param agent - The Agent responding to the challenge.
+ * @param challengeId - The challenge ID to respond to.
+ * @param approved - Whether the user approved the challenge.
+ * @param gateway - Gateway connection options.
+ * @returns Success or error.
+ */
+async function respondToChallenge(agent, challengeId, approved, gateway) {
+    const payload = {
+        challengeId,
+        approved,
+        timestamp: Date.now(),
+    };
+    // Create a signed envelope for the response
+    const envelopeResult = await (0, envelope_js_1.createSignedEnvelope)({
+        senderDid: agent.did,
+        recipientDid: agent.did, // Self-addressed (gateway verifies recipient match)
+        scope: 'xlock:respond',
+        plaintext: new TextEncoder().encode(JSON.stringify(payload)),
+        privateKey: agent.identity.privateKey,
+    });
+    if (!envelopeResult.ok) {
+        return (0, shared_1.err)('INVALID_REQUEST');
+    }
+    try {
+        const response = await fetch(`${gateway.gatewayUrl}/gateway/auth/respond`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                ...envelopeResult.value,
+                // Include response fields at top level for the server
+                challengeId,
+                approved,
+                responseEnvelope: envelopeResult.value,
+            }),
+        });
+        if (!response.ok) {
+            const body = await response.json().catch(() => null);
+            const code = body
+                ?.error?.code;
+            return (0, shared_1.err)(code ?? 'INVALID_REQUEST');
+        }
+        return (0, shared_1.ok)(undefined);
+    }
+    catch {
+        return (0, shared_1.err)('INVALID_REQUEST');
+    }
+}
+/**
+ * Register a callback for incoming auth challenges via WebSocket.
+ *
+ * The callback fires when an `auth:challenge` message arrives
+ * over the gateway WebSocket connection.
+ *
+ * @param ws - The WebSocket connection to the gateway.
+ * @param callback - Handler for incoming challenges.
+ * @returns Cleanup function to unregister the listener.
+ */
+function onChallenge(ws, callback) {
+    const handler = (event) => {
+        try {
+            const msg = JSON.parse(event.data);
+            if (msg.type === 'auth:challenge' && msg.data) {
+                callback(msg.data);
+            }
+        }
+        catch {
+            // Skip non-JSON messages
+        }
+    };
+    ws.addEventListener('message', handler);
+    return () => ws.removeEventListener('message', handler);
+}
+/**
+ * Generate a registration QR code URI for TOTP migration.
+ *
+ * Creates a `xlock://register` URI that replaces `otpauth://` for
+ * asymmetric DID-based registration.
+ *
+ * @param options - Registration options.
+ * @returns The registration URI string.
+ */
+function generateRegistrationQR(options) {
+    const params = new URLSearchParams({
+        app: options.appName,
+        did: options.appDid,
+        registry: options.registryUrl,
+        callback: options.callbackUrl,
+    });
+    if (options.appIcon)
+        params.set('icon', options.appIcon);
+    return `xlock://register?${params.toString()}`;
+}
+/** Poll the gateway for challenge status until resolved or expired. */
+async function pollChallengeStatus(challengeId, expiresAt, pollIntervalMs, gateway) {
+    for (let i = 0; i < MAX_POLL_ITERATIONS; i++) {
+        if (Date.now() > expiresAt) {
+            return (0, shared_1.err)('CHALLENGE_EXPIRED');
+        }
+        await sleep(pollIntervalMs);
+        try {
+            const response = await fetch(`${gateway.gatewayUrl}/gateway/auth/status/${challengeId}`, {
+                headers: { Authorization: `Bearer ${gateway.accessToken}` },
+            });
+            if (!response.ok) {
+                if (response.status === 404)
+                    return (0, shared_1.err)('CHALLENGE_NOT_FOUND');
+                continue; // Retry on transient errors
+            }
+            const data = await response.json();
+            if (data.status === 'approved') {
+                return (0, shared_1.ok)({
+                    challengeId: data.challengeId,
+                    approved: true,
+                    respondedAt: data.respondedAt,
+                    envelope: data.envelope,
+                });
+            }
+            if (data.status === 'denied') {
+                return (0, shared_1.ok)({
+                    challengeId: data.challengeId,
+                    approved: false,
+                    respondedAt: data.respondedAt,
+                });
+            }
+            if (data.status === 'expired') {
+                return (0, shared_1.err)('CHALLENGE_EXPIRED');
+            }
+            // Still pending — continue polling
+        }
+        catch {
+            // Network error — continue polling
+        }
+    }
+    return (0, shared_1.err)('CHALLENGE_TIMEOUT');
+}
+/** Promise-based sleep. */
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/dist-standalone/cjs/auto-accept.js ADDED Viewed

@@ -0,0 +1,233 @@
+"use strict";
+/**
+ * @module auto-accept
+ * Auto-accept invite on first SDK call for zero-click onboarding.
+ *
+ * Enables services to accept invites automatically without explicit
+ * accept commands. Invite code comes from environment variable.
+ *
+ * @example
+ * ```ts
+ * // Environment: XBIND_INVITE_CODE=XBD-abc123, XBIND_AUTO_ACCEPT=true
+ *
+ * // Auto-accept happens on first Agent method call:
+ * const agent = Agent.lazy({ name: 'my-service' });
+ * await agent.send({ to: partnerDid, payload: data, scope: 'test' });
+ * // ↑ Invite auto-accepted before send()
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AutoAcceptErrorCode = void 0;
+exports.autoAcceptInvite = autoAcceptInvite;
+const shared_1 = require("../_deps/shared/index.js");
+const invite_js_1 = require("./invite.js");
+const trust_registry_js_1 = require("./trust-registry.js");
+const crypto_1 = require("../_deps/crypto/index.js");
+const identity_js_1 = require("./identity.js");
+/**
+ * Auto-accept error codes.
+ */
+var AutoAcceptErrorCode;
+(function (AutoAcceptErrorCode) {
+    AutoAcceptErrorCode["NO_INVITE_CODE"] = "AUTO_ACCEPT_NO_INVITE_CODE";
+    AutoAcceptErrorCode["DISABLED"] = "AUTO_ACCEPT_DISABLED";
+    AutoAcceptErrorCode["INVITE_FAILED"] = "AUTO_ACCEPT_INVITE_FAILED";
+    AutoAcceptErrorCode["REGISTRY_SETUP_FAILED"] = "AUTO_ACCEPT_REGISTRY_SETUP_FAILED";
+})(AutoAcceptErrorCode || (exports.AutoAcceptErrorCode = AutoAcceptErrorCode = {}));
+/**
+ * Auto-accept an invite on first SDK call.
+ *
+ * Reads invite code from config or environment variable `XBIND_INVITE_CODE`.
+ * If `XBIND_AUTO_ACCEPT` is false, returns error with code DISABLED.
+ *
+ * When successful:
+ * 1. Fetches invite details from invite server
+ * 2. Adds inviter to trust registry
+ * 3. Auto-detects registry endpoint from invite metadata (if present)
+ * 4. Marks invite as accepted
+ *
+ * This is called internally by `Agent.lazy()` before the first send/receive.
+ *
+ * @param config - Auto-accept configuration
+ * @param acceptorInfo - Acceptor service info (DID, endpoint, publicKey)
+ * @returns Accept details or error
+ *
+ * @example
+ * ```ts
+ * // Manual usage (typically called internally by Agent.lazy):
+ * const result = await autoAcceptInvite(
+ *   { inviteCode: 'XBD-abc123' },
+ *   {
+ *     name: 'my-service',
+ *     did: 'did:key:z6Mk...',
+ *     endpoint: 'https://my-service.com',
+ *     publicKey: '...',
+ *   }
+ * );
+ *
+ * if (result.ok) {
+ *   console.log('Auto-accepted invite from:', result.value.from.name);
+ * }
+ * ```
+ */
+async function autoAcceptInvite(config, acceptorInfo) {
+    // Step 1: Check if auto-accept is enabled
+    const autoAcceptEnabled = config.enabled ?? getEnvFlag('XBIND_AUTO_ACCEPT', true);
+    if (!autoAcceptEnabled) {
+        return (0, shared_1.err)({
+            code: AutoAcceptErrorCode.DISABLED,
+            message: 'Auto-accept is disabled',
+            hint: 'Set XBIND_AUTO_ACCEPT=true or pass { enabled: true } in config',
+        });
+    }
+    // Step 2: Get invite code
+    const inviteCode = config.inviteCode ?? getEnv('XBIND_INVITE_CODE');
+    if (!inviteCode) {
+        return (0, shared_1.err)({
+            code: AutoAcceptErrorCode.NO_INVITE_CODE,
+            message: 'No invite code provided',
+            hint: 'Set XBIND_INVITE_CODE environment variable or pass inviteCode in config',
+        });
+    }
+    // Step 3: Fetch invite details
+    const inviteService = new invite_js_1.InviteService({
+        inviteApiUrl: config.inviteApiUrl ?? getEnv('XBIND_INVITE_API_URL') ?? 'https://xbind.to',
+    });
+    const inviteUrl = normalizeInviteCode(inviteCode);
+    const inviteResult = await inviteService.get(inviteUrl);
+    if (!inviteResult.ok) {
+        return (0, shared_1.err)({
+            code: AutoAcceptErrorCode.INVITE_FAILED,
+            message: `Failed to fetch invite: ${inviteResult.error.message}`,
+            hint: inviteResult.error.hint,
+            cause: inviteResult.error,
+        });
+    }
+    const invite = inviteResult.value;
+    // Step 4: Add inviter to trust registry
+    const registry = config.registry ?? await autoConfigureRegistry(invite);
+    try {
+        // Import public key from base64
+        const publicKeyBytes = (0, crypto_1.fromBase64)(invite.from.publicKey);
+        const publicKeyResult = await (0, identity_js_1.importPublicKey)(publicKeyBytes);
+        if (!publicKeyResult.ok) {
+            return (0, shared_1.err)({
+                code: AutoAcceptErrorCode.REGISTRY_SETUP_FAILED,
+                message: 'Invalid inviter public key',
+                hint: 'The invite may be corrupted',
+                cause: publicKeyResult.error,
+            });
+        }
+        // Add to registry
+        const addResult = await registry.register(invite.from.did, publicKeyBytes, invite.from.name, invite.permissions, invite.from.x25519PublicKey ? (0, crypto_1.fromBase64)(invite.from.x25519PublicKey) : undefined, invite.from.mlKemPublicKey ? (0, crypto_1.fromBase64)(invite.from.mlKemPublicKey) : undefined, undefined, // mlDsaPublicKey (not in invite yet)
+        false);
+        if (!addResult.ok) {
+            // If already registered, that's OK (idempotent)
+            if (addResult.error !== 'ALREADY_REGISTERED') {
+                return (0, shared_1.err)({
+                    code: AutoAcceptErrorCode.REGISTRY_SETUP_FAILED,
+                    message: `Failed to add inviter to registry: ${addResult.error}`,
+                    cause: addResult.error,
+                });
+            }
+        }
+    }
+    catch (error) {
+        return (0, shared_1.err)({
+            code: AutoAcceptErrorCode.REGISTRY_SETUP_FAILED,
+            message: 'Failed to configure trust registry',
+            cause: error,
+        });
+    }
+    // Step 5: Accept the invite (marks as accepted on server)
+    const acceptResult = await inviteService.accept({ inviteUrl, acceptor: acceptorInfo });
+    if (!acceptResult.ok) {
+        // Non-fatal: invite acceptance is for tracking/notification only
+        // The connection is still established locally via registry add
+    }
+    return (0, shared_1.ok)({
+        invite,
+        from: invite.from,
+        registryUrl: extractRegistryUrl(invite),
+        registryAutoconfigured: config.registry === undefined,
+    });
+}
+/**
+ * Auto-configure trust registry from invite metadata.
+ *
+ * Attempts to extract registry URL from invite. If found, creates HttpTrustRegistry.
+ * Otherwise falls back to MemoryTrustRegistry.
+ *
+ * @param invite - Invite details
+ * @returns Trust registry instance
+ */
+async function autoConfigureRegistry(invite) {
+    const registryUrl = extractRegistryUrl(invite);
+    if (registryUrl) {
+        return new trust_registry_js_1.HttpTrustRegistry({ baseUrl: registryUrl });
+    }
+    return new trust_registry_js_1.MemoryTrustRegistry();
+}
+/**
+ * Extract registry URL from invite metadata.
+ *
+ * Checks for registry URL in invite.from.endpoint or custom metadata fields.
+ *
+ * @param invite - Invite details
+ * @returns Registry URL or undefined
+ */
+function extractRegistryUrl(invite) {
+    // Check if endpoint is a registry URL (heuristic: contains /registry or /trust)
+    if (invite.from.endpoint.includes('/registry') || invite.from.endpoint.includes('/trust')) {
+        return invite.from.endpoint;
+    }
+    // Future: check invite.metadata.registryUrl when invite system adds it
+    return undefined;
+}
+/**
+ * Normalize invite code to full URL.
+ *
+ * If code is already a URL, returns as-is.
+ * If code is short form (e.g., 'XBD-abc123'), converts to https://xbind.to/invite/{code}.
+ *
+ * @param code - Invite code or URL
+ * @returns Full invite URL
+ */
+function normalizeInviteCode(code) {
+    if (code.startsWith('http://') || code.startsWith('https://')) {
+        return code;
+    }
+    // Short form: XBD-abc123 or just abc123
+    const cleanCode = code.replace(/^XBD-/i, '');
+    return `https://xbind.to/invite/${cleanCode}`;
+}
+/**
+ * Get environment variable value.
+ *
+ * @param key - Environment variable name
+ * @param defaultValue - Default value if not set
+ * @returns Environment variable value or default
+ */
+function getEnv(key, defaultValue) {
+    // SAFETY: Check for Node.js environment before accessing process
+    if (typeof process !== 'undefined' && typeof process.env !== 'undefined') {
+        return process.env[key] ?? defaultValue;
+    }
+    return defaultValue;
+}
+/**
+ * Get environment variable as boolean flag.
+ *
+ * Treats 'true', '1', 'yes' as true. Everything else as false.
+ *
+ * @param key - Environment variable name
+ * @param defaultValue - Default value if not set
+ * @returns Boolean flag
+ */
+function getEnvFlag(key, defaultValue) {
+    const value = getEnv(key);
+    if (value === undefined)
+        return defaultValue;
+    const normalized = value.toLowerCase().trim();
+    return normalized === 'true' || normalized === '1' || normalized === 'yes';
+}