@private.me/xbind 1.2.0

package/dist-standalone/cjs/trust-registry.js

@@ -0,0 +1,742 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileTrustRegistry = exports.HttpTrustRegistry = exports.MemoryTrustRegistry = void 0;
+exports.createEnterpriseTrustRegistry = createEnterpriseTrustRegistry;
+const shared_1 = require("../_deps/shared/index.js");
+const fs = __importStar(require("node:fs/promises"));
+const path = __importStar(require("node:path"));
+/* ── Memory Implementation ── */
+/**
+ * In-memory trust registry for development and testing.
+ */
+class MemoryTrustRegistry {
+    entries = new Map();
+    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes) {
+        if (this.entries.has(did))
+            return (0, shared_1.err)('ALREADY_REGISTERED');
+        this.entries.set(did, {
+            did,
+            publicKey,
+            name,
+            scopes: new Set(scopes ?? []),
+            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
+            revoked: false,
+            rotation_sequence: 1, // Initial sequence starts at 1
+            x25519PublicKey,
+            mlKemPublicKey,
+            mlDsaPublicKey,
+            xchange,
+        });
+        return (0, shared_1.ok)(undefined);
+    }
+    async resolve(did) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        if (entry.revoked)
+            return (0, shared_1.err)('REVOKED');
+        return (0, shared_1.ok)(entry.publicKey);
+    }
+    async hasScope(did, scope) {
+        const entry = this.entries.get(did);
+        if (!entry || entry.revoked)
+            return false;
+        return entry.scopes.has(scope);
+    }
+    async hasReceiveScope(did, scope) {
+        const entry = this.entries.get(did);
+        if (!entry || entry.revoked)
+            return false;
+        // Undefined = accept all scopes (backward compatibility)
+        if (!entry.receiveScopes)
+            return true;
+        return entry.receiveScopes.has(scope);
+    }
+    async revoke(did) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        this.entries.set(did, { ...entry, revoked: true });
+        return (0, shared_1.ok)(undefined);
+    }
+    async getEntry(did) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        return (0, shared_1.ok)(entry);
+    }
+    async updateScopes(did, scopes) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        if (entry.revoked)
+            return (0, shared_1.err)('REVOKED');
+        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
+        return (0, shared_1.ok)(undefined);
+    }
+    /** Number of entries (for testing). */
+    get size() {
+        return this.entries.size;
+    }
+}
+exports.MemoryTrustRegistry = MemoryTrustRegistry;
+/**
+ * HTTP-backed trust registry for production use.
+ * Delegates to a remote atelier.xail.io service.
+ */
+class HttpTrustRegistry {
+    baseUrl;
+    fetchFn;
+    cacheTtlMs;
+    cacheFailureMode;
+    enablePush;
+    bloomFilterSize;
+    bloomFilterFpr;
+    resolveCache = new Map();
+    entryCache = new Map();
+    constructor(opts) {
+        this.baseUrl = opts.baseUrl.replace(/\/$/, '');
+        this.fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
+        this.cacheTtlMs = opts.cacheTtlMs ?? 30_000;
+        this.cacheFailureMode = opts.cacheFailureMode ?? 'fail-secure';
+        this.enablePush = opts.enablePush ?? false;
+        this.bloomFilterSize = opts.bloomFilterSize ?? 10_000;
+        this.bloomFilterFpr = opts.bloomFilterFpr ?? 0.01;
+    }
+    /** Clear all cached entries. Call after registration or revocation. */
+    clearCache() {
+        this.resolveCache.clear();
+        this.entryCache.clear();
+    }
+    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/register`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    did,
+                    publicKey: Array.from(publicKey),
+                    name,
+                    scopes: scopes ?? [],
+                    ...(receiveScopes
+                        ? { receiveScopes }
+                        : {}),
+                    ...(x25519PublicKey
+                        ? { x25519PublicKey: Array.from(x25519PublicKey) }
+                        : {}),
+                    ...(mlKemPublicKey
+                        ? { mlKemPublicKey: Array.from(mlKemPublicKey) }
+                        : {}),
+                    ...(mlDsaPublicKey
+                        ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) }
+                        : {}),
+                    ...(xchange !== undefined
+                        ? { xchange }
+                        : {}),
+                }),
+            });
+            if (res.status === 409)
+                return (0, shared_1.err)('ALREADY_REGISTERED');
+            if (!res.ok)
+                return (0, shared_1.err)('NETWORK_ERROR');
+            return (0, shared_1.ok)(undefined);
+        }
+        catch {
+            return (0, shared_1.err)('NETWORK_ERROR');
+        }
+    }
+    async resolve(did) {
+        // Check cache first
+        if (this.cacheTtlMs > 0) {
+            const cached = this.resolveCache.get(did);
+            if (cached && cached.expiry > Date.now())
+                return cached.value;
+        }
+        let result;
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(did)}`);
+            if (res.status === 404)
+                result = (0, shared_1.err)('NOT_FOUND');
+            else if (res.status === 410)
+                result = (0, shared_1.err)('REVOKED');
+            else if (!res.ok)
+                result = (0, shared_1.err)('NETWORK_ERROR');
+            else {
+                const data = (await res.json());
+                result = (0, shared_1.ok)(new Uint8Array(data.publicKey));
+            }
+        }
+        catch {
+            // Network failure - apply cache failure mode
+            const staleCache = this.resolveCache.get(did);
+            if (this.cacheFailureMode === 'fail-secure') {
+                // Fail-secure: reject on cache refresh failure (default)
+                result = (0, shared_1.err)('NETWORK_ERROR');
+            }
+            else {
+                // Fail-open: accept stale cache if available
+                if (staleCache) {
+                    // Return stale cached value
+                    return staleCache.value;
+                }
+                result = (0, shared_1.err)('NETWORK_ERROR');
+            }
+        }
+        // Update cache with fresh result (only if cache enabled)
+        if (this.cacheTtlMs > 0) {
+            this.resolveCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
+        }
+        return result;
+    }
+    async hasScope(did, scope) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async hasReceiveScope(did, scope) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async revoke(did) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(did)}`, { method: 'POST' });
+            if (res.status === 404)
+                return (0, shared_1.err)('NOT_FOUND');
+            if (!res.ok)
+                return (0, shared_1.err)('NETWORK_ERROR');
+            return (0, shared_1.ok)(undefined);
+        }
+        catch {
+            return (0, shared_1.err)('NETWORK_ERROR');
+        }
+    }
+    async getEntry(did) {
+        if (this.cacheTtlMs > 0) {
+            const cached = this.entryCache.get(did);
+            if (cached && cached.expiry > Date.now())
+                return cached.value;
+        }
+        let result;
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(did)}`);
+            if (res.status === 404)
+                result = (0, shared_1.err)('NOT_FOUND');
+            else if (!res.ok)
+                result = (0, shared_1.err)('NETWORK_ERROR');
+            else {
+                const data = (await res.json());
+                result = (0, shared_1.ok)({
+                    did: data.did,
+                    publicKey: new Uint8Array(data.publicKey),
+                    name: data.name,
+                    scopes: new Set(data.scopes),
+                    receiveScopes: data.receiveScopes ? new Set(data.receiveScopes) : undefined,
+                    revoked: data.revoked,
+                    rotation_sequence: data.rotation_sequence ?? 1,
+                    x25519PublicKey: data.x25519PublicKey
+                        ? new Uint8Array(data.x25519PublicKey)
+                        : undefined,
+                    mlKemPublicKey: data.mlKemPublicKey
+                        ? new Uint8Array(data.mlKemPublicKey)
+                        : undefined,
+                    mlDsaPublicKey: data.mlDsaPublicKey
+                        ? new Uint8Array(data.mlDsaPublicKey)
+                        : undefined,
+                    xchange: data.xchange,
+                });
+            }
+        }
+        catch {
+            result = (0, shared_1.err)('NETWORK_ERROR');
+        }
+        if (this.cacheTtlMs > 0) {
+            this.entryCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
+        }
+        return result;
+    }
+    /**
+     * Rotate a DID to a new public key with cryptographic proof.
+     *
+     * Sends rotation request to gateway and invalidates local cache.
+     *
+     * @param did - DID being rotated (old key)
+     * @param newPublicKey - New public key bytes
+     * @param proof - Succession announcement (dual signatures from old and new keys)
+     * @param rotationSequence - Monotonically increasing sequence number (prevents rollback)
+     */
+    async rotate(did, newPublicKey, proof, rotationSequence) {
+        const res = await this.fetchFn(`${this.baseUrl}/registry/rotate`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                did,
+                newPublicKey: Array.from(newPublicKey),
+                proof: Array.from(proof),
+                rotationSequence,
+            }),
+        });
+        if (!res.ok) {
+            throw new Error(`Key rotation failed: ${res.status} ${res.statusText}`);
+        }
+        // Invalidate cache for this DID
+        this.resolveCache.delete(did);
+        this.entryCache.delete(did);
+    }
+    /**
+     * Subscribe to real-time trust events (revocation, key rotation).
+     *
+     * Creates a bloom filter from DIDs and connects WebSocket to gateway.
+     * Events matching subscribed DIDs trigger the callback and invalidate cache.
+     *
+     * @param dids - Array of DIDs to monitor
+     * @param callback - Function called when trust events occur
+     * @returns Unsubscribe function to stop watching
+     *
+     * @throws Error if push notifications not enabled (enablePush: true)
+     */
+    async subscribe(dids, callback) {
+        if (!this.enablePush) {
+            throw new Error('Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)');
+        }
+        // Simple bloom filter: hash each DID to track subscriptions
+        // Production implementation would use full bloom filter library
+        const bloomSet = new Set(dids.map(did => this.hashDid(did)));
+        // Convert HTTP URL to WebSocket URL
+        const wsUrl = this.baseUrl.replace(/^http/, 'ws') + '/trust/events';
+        // SAFETY: WebSocket is a standard browser/Node.js API
+        const ws = new globalThis.WebSocket(wsUrl);
+        ws.addEventListener('open', () => {
+            // Send subscription with bloom filter
+            ws.send(JSON.stringify({
+                type: 'subscribe',
+                dids: dids, // Simple implementation sends full DID list
+                bloomSize: this.bloomFilterSize,
+                bloomFpr: this.bloomFilterFpr,
+            }));
+        });
+        ws.addEventListener('message', (event) => {
+            try {
+                const trustEvent = JSON.parse(event.data);
+                // Check if event DID matches our subscription
+                const eventHash = this.hashDid(trustEvent.did);
+                if (bloomSet.has(eventHash)) {
+                    // Invalidate cache for this DID
+                    if (trustEvent.type === 'revocation' || trustEvent.type === 'succession') {
+                        this.resolveCache.delete(trustEvent.did);
+                        this.entryCache.delete(trustEvent.did);
+                    }
+                    // Notify callback
+                    callback(trustEvent);
+                }
+            }
+            catch (error) {
+                // Ignore malformed events
+                console.warn('Failed to parse trust event:', error);
+            }
+        });
+        ws.addEventListener('error', (error) => {
+            console.error('WebSocket error:', error);
+        });
+        // Return unsubscribe function
+        return () => {
+            if (ws.readyState === globalThis.WebSocket.OPEN) {
+                ws.close();
+            }
+        };
+    }
+    /**
+     * Simple hash function for bloom filter (DID → number).
+     * Production implementation would use proper bloom filter hashing.
+     */
+    hashDid(did) {
+        let hash = 0;
+        for (let i = 0; i < did.length; i++) {
+            hash = ((hash << 5) - hash) + did.charCodeAt(i);
+            hash = hash & hash; // Convert to 32-bit integer
+        }
+        return hash;
+    }
+    /**
+     * Resume subscriptions on this gateway using proofs from another gateway.
+     *
+     * Allows clients to migrate between gateways without re-subscribing.
+     * Validates proofs and restores subscription state.
+     *
+     * @param proofs - Array of subscription proofs from previous gateway.
+     * @returns Success or error.
+     *
+     * @example
+     * ```typescript
+     * const registry = new HttpTrustRegistry({ baseUrl: 'https://atelier2.xail.io' });
+     * const result = await registry.resumeSubscriptions([proof1, proof2]);
+     * ```
+     */
+    async resumeSubscriptions(proofs) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/trust/resume-batch`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ proofs }),
+            });
+            if (!res.ok)
+                return (0, shared_1.err)('NETWORK_ERROR');
+            return (0, shared_1.ok)(undefined);
+        }
+        catch {
+            return (0, shared_1.err)('NETWORK_ERROR');
+        }
+    }
+    /**
+     * Fetch signed checkpoint for a DID (freshness primitive).
+     *
+     * Checkpoints provide cryptographic proof of DID state at a specific timestamp.
+     * Clients verify checkpoint signature and compare rotation_sequence to detect staleness.
+     *
+     * @param did - DID to fetch checkpoint for
+     * @returns Signed checkpoint or error
+     *
+     * @example
+     * ```typescript
+     * const checkpoint = await registry.fetchCheckpoint('did:key:z6Mk...');
+     * if (checkpoint.ok) {
+     *   const verified = await verifyCheckpoint(checkpoint.value, gatewayPubKey);
+     *   if (verified.ok && verified.value) {
+     *     // Use checkpoint for staleness detection
+     *     if (isCacheStale(localCache, checkpoint.value)) {
+     *       // Refresh cache
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    async fetchCheckpoint(did) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(did)}`);
+            if (res.status === 404)
+                return (0, shared_1.err)('NOT_FOUND');
+            if (!res.ok)
+                return (0, shared_1.err)('NETWORK_ERROR');
+            const checkpoint = (await res.json());
+            return (0, shared_1.ok)(checkpoint);
+        }
+        catch {
+            return (0, shared_1.err)('NETWORK_ERROR');
+        }
+    }
+    async updateScopes(did, scopes) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(did)}/scopes`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ scopes }),
+            });
+            if (res.status === 404)
+                return (0, shared_1.err)('NOT_FOUND');
+            if (res.status === 410)
+                return (0, shared_1.err)('REVOKED');
+            if (!res.ok)
+                return (0, shared_1.err)('NETWORK_ERROR');
+            // Clear cache for this DID
+            this.resolveCache.delete(did);
+            this.entryCache.delete(did);
+            return (0, shared_1.ok)(undefined);
+        }
+        catch {
+            return (0, shared_1.err)('NETWORK_ERROR');
+        }
+    }
+}
+exports.HttpTrustRegistry = HttpTrustRegistry;
+/**
+ * File-based trust registry using JSONL append-only log.
+ * Replays all entries on initialization, keeps in-memory Map for fast access.
+ * Suitable for production deployments with local persistence.
+ */
+class FileTrustRegistry {
+    path;
+    entries = new Map();
+    initialized = false;
+    constructor(opts) {
+        this.path = opts.path;
+    }
+    /** Initialize by replaying JSONL log. Called automatically on first operation. */
+    async init() {
+        if (this.initialized)
+            return;
+        try {
+            // Ensure directory exists
+            await fs.mkdir(path.dirname(this.path), { recursive: true });
+            // Read and replay JSONL file
+            const content = await fs.readFile(this.path, 'utf-8').catch(() => '');
+            const lines = content.split('\n').filter((line) => line.trim());
+            for (const line of lines) {
+                const record = JSON.parse(line);
+                if (record.type === 'register' && record.publicKey && record.name) {
+                    this.entries.set(record.did, {
+                        did: record.did,
+                        publicKey: new Uint8Array(record.publicKey),
+                        name: record.name,
+                        scopes: new Set(record.scopes ?? []),
+                        receiveScopes: record.receiveScopes ? new Set(record.receiveScopes) : undefined,
+                        revoked: false,
+                        rotation_sequence: record.rotation_sequence ?? 1,
+                        x25519PublicKey: record.x25519PublicKey
+                            ? new Uint8Array(record.x25519PublicKey)
+                            : undefined,
+                        mlKemPublicKey: record.mlKemPublicKey
+                            ? new Uint8Array(record.mlKemPublicKey)
+                            : undefined,
+                        mlDsaPublicKey: record.mlDsaPublicKey
+                            ? new Uint8Array(record.mlDsaPublicKey)
+                            : undefined,
+                        xchange: record.xchange,
+                    });
+                }
+                else if (record.type === 'revoke') {
+                    const entry = this.entries.get(record.did);
+                    if (entry) {
+                        this.entries.set(record.did, { ...entry, revoked: true });
+                    }
+                }
+                else if (record.type === 'update-scopes') {
+                    const entry = this.entries.get(record.did);
+                    if (entry) {
+                        this.entries.set(record.did, { ...entry, scopes: new Set(record.scopes ?? []) });
+                    }
+                }
+                else if (record.type === 'rotate' && record.publicKey && record.rotation_sequence) {
+                    const entry = this.entries.get(record.did);
+                    if (entry) {
+                        // Only apply rotation if sequence is greater (prevents replaying stale rotations)
+                        if (record.rotation_sequence > entry.rotation_sequence) {
+                            this.entries.set(record.did, {
+                                ...entry,
+                                publicKey: new Uint8Array(record.publicKey),
+                                rotation_sequence: record.rotation_sequence,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        catch (error) {
+            // If file doesn't exist yet, that's OK - it will be created on first write
+        }
+        this.initialized = true;
+    }
+    /** Append record to JSONL file. */
+    async append(record) {
+        await fs.appendFile(this.path, JSON.stringify(record) + '\n', 'utf-8');
+    }
+    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes) {
+        await this.init();
+        if (this.entries.has(did))
+            return (0, shared_1.err)('ALREADY_REGISTERED');
+        const entry = {
+            did,
+            publicKey,
+            name,
+            scopes: new Set(scopes ?? []),
+            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
+            revoked: false,
+            rotation_sequence: 1, // Initial sequence starts at 1
+            x25519PublicKey,
+            mlKemPublicKey,
+            mlDsaPublicKey,
+            xchange,
+        };
+        this.entries.set(did, entry);
+        // Append to JSONL
+        await this.append({
+            type: 'register',
+            did,
+            publicKey: Array.from(publicKey),
+            name,
+            scopes: scopes ?? [],
+            rotation_sequence: 1,
+            ...(receiveScopes ? { receiveScopes } : {}),
+            ...(x25519PublicKey ? { x25519PublicKey: Array.from(x25519PublicKey) } : {}),
+            ...(mlKemPublicKey ? { mlKemPublicKey: Array.from(mlKemPublicKey) } : {}),
+            ...(mlDsaPublicKey ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) } : {}),
+            ...(xchange !== undefined ? { xchange } : {}),
+        });
+        return (0, shared_1.ok)(undefined);
+    }
+    async resolve(did) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        if (entry.revoked)
+            return (0, shared_1.err)('REVOKED');
+        return (0, shared_1.ok)(entry.publicKey);
+    }
+    async hasScope(did, scope) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry || entry.revoked)
+            return false;
+        return entry.scopes.has(scope);
+    }
+    async hasReceiveScope(did, scope) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry || entry.revoked)
+            return false;
+        // Undefined = accept all scopes (backward compatibility)
+        if (!entry.receiveScopes)
+            return true;
+        return entry.receiveScopes.has(scope);
+    }
+    async revoke(did) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        this.entries.set(did, { ...entry, revoked: true });
+        await this.append({ type: 'revoke', did });
+        return (0, shared_1.ok)(undefined);
+    }
+    async getEntry(did) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        return (0, shared_1.ok)(entry);
+    }
+    async updateScopes(did, scopes) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return (0, shared_1.err)('NOT_FOUND');
+        if (entry.revoked)
+            return (0, shared_1.err)('REVOKED');
+        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
+        await this.append({ type: 'update-scopes', did, scopes });
+        return (0, shared_1.ok)(undefined);
+    }
+    /**
+     * Rotate a DID to a new public key with rollback protection.
+     *
+     * Validates that rotationSequence is greater than current sequence to prevent
+     * rollback attacks. Appends rotation event to JSONL and updates in-memory state.
+     *
+     * @param did - DID being rotated
+     * @param newPublicKey - New public key bytes
+     * @param proof - Cryptographic proof (e.g., signature from old key)
+     * @param rotationSequence - Monotonically increasing sequence number
+     * @throws Error if DID not found or sequence validation fails
+     */
+    async rotate(did, newPublicKey, proof, rotationSequence) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry) {
+            throw new Error(`DID not found: ${did}`);
+        }
+        // Rollback protection: new sequence must be greater than current
+        if (rotationSequence <= entry.rotation_sequence) {
+            throw new Error(`Rotation sequence ${rotationSequence} must be > current ${entry.rotation_sequence} (rollback attack prevented)`);
+        }
+        // Append rotation event to JSONL
+        await this.append({
+            type: 'rotate',
+            did,
+            publicKey: Array.from(newPublicKey),
+            proof: Array.from(proof),
+            rotation_sequence: rotationSequence,
+            timestamp: Date.now(),
+        });
+        // Update in-memory entry
+        this.entries.set(did, {
+            ...entry,
+            publicKey: newPublicKey,
+            rotation_sequence: rotationSequence,
+        });
+    }
+    /** Number of entries (for testing). */
+    get size() {
+        return this.entries.size;
+    }
+}
+exports.FileTrustRegistry = FileTrustRegistry;
+/* ── Enterprise Factory ── */
+/**
+ * Create an enterprise trust registry with optional pre-population.
+ * Suitable for corporate deployments with centralized trust management.
+ *
+ * @example
+ * ```typescript
+ * const registry = await TrustRegistry.enterprise({
+ *   storage: 'file',
+ *   path: '/opt/corp/trust.jsonl',
+ *   preload: [
+ *     { did: 'did:web:corp.example.com', publicKey: ..., name: 'Corporate Gateway' }
+ *   ]
+ * });
+ * ```
+ */
+async function createEnterpriseTrustRegistry(opts) {
+    let registry;
+    if (opts.storage === 'file') {
+        if (!opts.path)
+            throw new Error('FileTrustRegistry requires path option');
+        registry = new FileTrustRegistry({ path: opts.path });
+    }
+    else if (opts.storage === 'http') {
+        if (!opts.baseUrl)
+            throw new Error('HttpTrustRegistry requires baseUrl option');
+        registry = new HttpTrustRegistry({ baseUrl: opts.baseUrl });
+    }
+    else {
+        registry = new MemoryTrustRegistry();
+    }
+    // Pre-populate if requested
+    if (opts.preload) {
+        for (const entry of opts.preload) {
+            await registry.register(entry.did, entry.publicKey, entry.name, entry.scopes, entry.x25519PublicKey, entry.mlKemPublicKey, entry.mlDsaPublicKey, entry.xchange, entry.receiveScopes);
+        }
+    }
+    return registry;
+}