npm - @private.me/xbind - Versions diffs - 1.2.0 - Mend

@private.me/xbind 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/AGENTS.md +778 -0
package/LICENSE.md +27 -0
package/README.md +400 -0
package/dist-standalone/_deps/crypto/base64.d.ts +29 -0
package/dist-standalone/_deps/crypto/base64.js +97 -0
package/dist-standalone/_deps/crypto/cjs/base64.js +103 -0
package/dist-standalone/_deps/crypto/cjs/errors.js +119 -0
package/dist-standalone/_deps/crypto/cjs/hmac.js +71 -0
package/dist-standalone/_deps/crypto/cjs/index.js +86 -0
package/dist-standalone/_deps/crypto/cjs/padding.js +57 -0
package/dist-standalone/_deps/crypto/cjs/share-header.js +68 -0
package/dist-standalone/_deps/crypto/cjs/shares.js +152 -0
package/dist-standalone/_deps/crypto/cjs/tlv.js +199 -0
package/dist-standalone/_deps/crypto/cjs/uuid.js +61 -0
package/dist-standalone/_deps/crypto/cjs/verify.js +24 -0
package/dist-standalone/_deps/crypto/cjs/xorida.js +221 -0
package/dist-standalone/_deps/crypto/errors.d.ts +51 -0
package/dist-standalone/_deps/crypto/errors.js +109 -0
package/dist-standalone/_deps/crypto/hmac.d.ts +39 -0
package/dist-standalone/_deps/crypto/hmac.js +66 -0
package/dist-standalone/_deps/crypto/index.d.ts +20 -0
package/dist-standalone/_deps/crypto/index.js +45 -0
package/dist-standalone/_deps/crypto/padding.d.ts +19 -0
package/dist-standalone/_deps/crypto/padding.js +53 -0
package/dist-standalone/_deps/crypto/share-header.d.ts +44 -0
package/dist-standalone/_deps/crypto/share-header.js +63 -0
package/dist-standalone/_deps/crypto/shares.d.ts +27 -0
package/dist-standalone/_deps/crypto/shares.js +148 -0
package/dist-standalone/_deps/crypto/tlv.d.ts +26 -0
package/dist-standalone/_deps/crypto/tlv.js +195 -0
package/dist-standalone/_deps/crypto/uuid.d.ts +22 -0
package/dist-standalone/_deps/crypto/uuid.js +56 -0
package/dist-standalone/_deps/crypto/verify.d.ts +15 -0
package/dist-standalone/_deps/crypto/verify.js +15 -0
package/dist-standalone/_deps/crypto/xorida.d.ts +44 -0
package/dist-standalone/_deps/crypto/xorida.js +215 -0
package/dist-standalone/_deps/mldsa-wasm/LICENSE +24 -0
package/dist-standalone/_deps/mldsa-wasm/dist/mldsa.js +1920 -0
package/dist-standalone/_deps/mldsa-wasm/package.json +46 -0
package/dist-standalone/_deps/mldsa-wasm/types/mldsa.d.ts +30 -0
package/dist-standalone/_deps/shared/cjs/errors.js +582 -0
package/dist-standalone/_deps/shared/cjs/index.js +492 -0
package/dist-standalone/_deps/shared/cjs/package.json +1 -0
package/dist-standalone/_deps/shared/cjs/types.js +403 -0
package/dist-standalone/_deps/shared/errors.d.ts +48 -0
package/dist-standalone/_deps/shared/errors.d.ts.map +1 -0
package/dist-standalone/_deps/shared/errors.js +192 -0
package/dist-standalone/_deps/shared/errors.js.map +1 -0
package/dist-standalone/_deps/shared/index.d.ts +4 -0
package/dist-standalone/_deps/shared/index.d.ts.map +1 -0
package/dist-standalone/_deps/shared/index.js +78 -0
package/dist-standalone/_deps/shared/index.js.map +1 -0
package/dist-standalone/_deps/shared/types.d.ts +1097 -0
package/dist-standalone/_deps/shared/types.d.ts.map +1 -0
package/dist-standalone/_deps/shared/types.js +89 -0
package/dist-standalone/_deps/shared/types.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts +115 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.js +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/errors.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts +13 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.js +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/index.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/package.json +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts +39 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js +83 -0
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts +99 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.js +143 -0
package/dist-standalone/_deps/ux-helpers/cjs/progress.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts +32 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.js +119 -0
package/dist-standalone/_deps/ux-helpers/cjs/search.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts +109 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.js +8 -0
package/dist-standalone/_deps/ux-helpers/cjs/types.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/errors.d.ts +115 -0
package/dist-standalone/_deps/ux-helpers/errors.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/errors.js +253 -0
package/dist-standalone/_deps/ux-helpers/errors.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/index.d.ts +13 -0
package/dist-standalone/_deps/ux-helpers/index.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/index.js +16 -0
package/dist-standalone/_deps/ux-helpers/index.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/pagination.d.ts +39 -0
package/dist-standalone/_deps/ux-helpers/pagination.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/pagination.js +79 -0
package/dist-standalone/_deps/ux-helpers/pagination.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/progress.d.ts +99 -0
package/dist-standalone/_deps/ux-helpers/progress.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/progress.js +138 -0
package/dist-standalone/_deps/ux-helpers/progress.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/search.d.ts +32 -0
package/dist-standalone/_deps/ux-helpers/search.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/search.js +116 -0
package/dist-standalone/_deps/ux-helpers/search.js.map +1 -0
package/dist-standalone/_deps/ux-helpers/types.d.ts +109 -0
package/dist-standalone/_deps/ux-helpers/types.d.ts.map +1 -0
package/dist-standalone/_deps/ux-helpers/types.js +7 -0
package/dist-standalone/_deps/ux-helpers/types.js.map +1 -0
package/dist-standalone/_deps/xchange/auto-accept.d.ts +127 -0
package/dist-standalone/_deps/xchange/auto-accept.js +1 -0
package/dist-standalone/_deps/xchange/cjs/auto-accept.js +1 -0
package/dist-standalone/_deps/xchange/cjs/errors.js +1 -0
package/dist-standalone/_deps/xchange/cjs/index.js +1 -0
package/dist-standalone/_deps/xchange/cjs/invite-client.js +1 -0
package/dist-standalone/_deps/xchange/cjs/lazy-init.js +1 -0
package/dist-standalone/_deps/xchange/cjs/package.json +1 -0
package/dist-standalone/_deps/xchange/cjs/trust-integration.js +1 -0
package/dist-standalone/_deps/xchange/cjs/xchange.js +1 -0
package/dist-standalone/_deps/xchange/errors.d.ts +69 -0
package/dist-standalone/_deps/xchange/errors.js +1 -0
package/dist-standalone/_deps/xchange/index.d.ts +15 -0
package/dist-standalone/_deps/xchange/index.js +1 -0
package/dist-standalone/_deps/xchange/invite-client.d.ts +178 -0
package/dist-standalone/_deps/xchange/invite-client.js +1 -0
package/dist-standalone/_deps/xchange/lazy-init.d.ts +176 -0
package/dist-standalone/_deps/xchange/lazy-init.js +1 -0
package/dist-standalone/_deps/xchange/trust-integration.d.ts +102 -0
package/dist-standalone/_deps/xchange/trust-integration.js +1 -0
package/dist-standalone/_deps/xchange/xchange.d.ts +60 -0
package/dist-standalone/_deps/xchange/xchange.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/discovery.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/errors.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/index.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/package.json +1 -0
package/dist-standalone/_deps/xregistry/cjs/registry.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/schema.js +1 -0
package/dist-standalone/_deps/xregistry/cjs/types.js +1 -0
package/dist-standalone/_deps/xregistry/discovery.d.ts +126 -0
package/dist-standalone/_deps/xregistry/discovery.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/discovery.js +1 -0
package/dist-standalone/_deps/xregistry/discovery.js.map +1 -0
package/dist-standalone/_deps/xregistry/errors.d.ts +41 -0
package/dist-standalone/_deps/xregistry/errors.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/errors.js +1 -0
package/dist-standalone/_deps/xregistry/errors.js.map +1 -0
package/dist-standalone/_deps/xregistry/index.d.ts +8 -0
package/dist-standalone/_deps/xregistry/index.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/index.js +1 -0
package/dist-standalone/_deps/xregistry/index.js.map +1 -0
package/dist-standalone/_deps/xregistry/registry.d.ts +85 -0
package/dist-standalone/_deps/xregistry/registry.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/registry.js +1 -0
package/dist-standalone/_deps/xregistry/registry.js.map +1 -0
package/dist-standalone/_deps/xregistry/schema.d.ts +81 -0
package/dist-standalone/_deps/xregistry/schema.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/schema.js +1 -0
package/dist-standalone/_deps/xregistry/schema.js.map +1 -0
package/dist-standalone/_deps/xregistry/types.d.ts +95 -0
package/dist-standalone/_deps/xregistry/types.d.ts.map +1 -0
package/dist-standalone/_deps/xregistry/types.js +1 -0
package/dist-standalone/_deps/xregistry/types.js.map +1 -0
package/dist-standalone/agent-call.d.ts +286 -0
package/dist-standalone/agent-call.js +642 -0
package/dist-standalone/agent-sdk.d.ts +207 -0
package/dist-standalone/agent-sdk.js +328 -0
package/dist-standalone/agent.d.ts +670 -0
package/dist-standalone/agent.js +1529 -0
package/dist-standalone/approval.d.ts +145 -0
package/dist-standalone/approval.js +193 -0
package/dist-standalone/auth.d.ts +75 -0
package/dist-standalone/auth.js +219 -0
package/dist-standalone/auto-accept.d.ts +102 -0
package/dist-standalone/auto-accept.js +229 -0
package/dist-standalone/backup-config.d.ts +150 -0
package/dist-standalone/backup-config.js +201 -0
package/dist-standalone/checkpoint.d.ts +125 -0
package/dist-standalone/checkpoint.js +186 -0
package/dist-standalone/cjs/agent-call.js +651 -0
package/dist-standalone/cjs/agent-sdk.js +332 -0
package/dist-standalone/cjs/agent.js +1566 -0
package/dist-standalone/cjs/approval.js +199 -0
package/dist-standalone/cjs/auth.js +225 -0
package/dist-standalone/cjs/auto-accept.js +233 -0
package/dist-standalone/cjs/backup-config.js +207 -0
package/dist-standalone/cjs/checkpoint.js +193 -0
package/dist-standalone/cjs/cli/init.js +487 -0
package/dist-standalone/cjs/connect.js +312 -0
package/dist-standalone/cjs/did-document.js +101 -0
package/dist-standalone/cjs/did-privateme.js +130 -0
package/dist-standalone/cjs/did-web.js +201 -0
package/dist-standalone/cjs/discovery.js +462 -0
package/dist-standalone/cjs/dual-mode.js +251 -0
package/dist-standalone/cjs/email-templates.js +313 -0
package/dist-standalone/cjs/email-transport.js +239 -0
package/dist-standalone/cjs/envelope.js +510 -0
package/dist-standalone/cjs/errors.js +562 -0
package/dist-standalone/cjs/gateway-state.js +55 -0
package/dist-standalone/cjs/gateway-transport.js +120 -0
package/dist-standalone/cjs/guardrails.js +223 -0
package/dist-standalone/cjs/http-compat.js +272 -0
package/dist-standalone/cjs/identity.js +541 -0
package/dist-standalone/cjs/index.js +224 -0
package/dist-standalone/cjs/invitation.js +421 -0
package/dist-standalone/cjs/invite.js +328 -0
package/dist-standalone/cjs/key-agreement.js +246 -0
package/dist-standalone/cjs/lazy-init.js +300 -0
package/dist-standalone/cjs/mdns-discovery.js +202 -0
package/dist-standalone/cjs/nonce-store.js +66 -0
package/dist-standalone/cjs/package.json +3 -0
package/dist-standalone/cjs/pairing-manager.js +223 -0
package/dist-standalone/cjs/policy.js +320 -0
package/dist-standalone/cjs/redis-nonce-store.js +76 -0
package/dist-standalone/cjs/registry-middleware.js +50 -0
package/dist-standalone/cjs/retry-transport.js +102 -0
package/dist-standalone/cjs/security-policy.js +204 -0
package/dist-standalone/cjs/split-channel.js +177 -0
package/dist-standalone/cjs/subscription-proof.js +230 -0
package/dist-standalone/cjs/succession.js +148 -0
package/dist-standalone/cjs/transport.js +63 -0
package/dist-standalone/cjs/trust-registry.js +742 -0
package/dist-standalone/cjs/verify.js +25 -0
package/dist-standalone/cjs/xfetch.js +252 -0
package/dist-standalone/cli/init.d.ts +63 -0
package/dist-standalone/cli/init.js +450 -0
package/dist-standalone/connect.d.ts +143 -0
package/dist-standalone/connect.js +274 -0
package/dist-standalone/did-document.d.ts +65 -0
package/dist-standalone/did-document.js +96 -0
package/dist-standalone/did-privateme.d.ts +70 -0
package/dist-standalone/did-privateme.js +121 -0
package/dist-standalone/did-web.d.ts +73 -0
package/dist-standalone/did-web.js +196 -0
package/dist-standalone/discovery.d.ts +176 -0
package/dist-standalone/discovery.js +458 -0
package/dist-standalone/dual-mode.d.ts +145 -0
package/dist-standalone/dual-mode.js +247 -0
package/dist-standalone/email-templates.d.ts +41 -0
package/dist-standalone/email-templates.js +309 -0
package/dist-standalone/email-transport.d.ts +139 -0
package/dist-standalone/email-transport.js +232 -0
package/dist-standalone/envelope.d.ts +288 -0
package/dist-standalone/envelope.js +497 -0
package/dist-standalone/errors.d.ts +74 -0
package/dist-standalone/errors.js +548 -0
package/dist-standalone/gateway-state.d.ts +32 -0
package/dist-standalone/gateway-state.js +51 -0
package/dist-standalone/gateway-transport.d.ts +59 -0
package/dist-standalone/gateway-transport.js +116 -0
package/dist-standalone/guardrails.d.ts +136 -0
package/dist-standalone/guardrails.js +216 -0
package/dist-standalone/http-compat.d.ts +150 -0
package/dist-standalone/http-compat.js +267 -0
package/dist-standalone/identity.d.ts +176 -0
package/dist-standalone/identity.js +516 -0
package/dist-standalone/index.d.ts +83 -0
package/dist-standalone/index.js +51 -0
package/dist-standalone/invitation.d.ts +211 -0
package/dist-standalone/invitation.js +415 -0
package/dist-standalone/invite.d.ts +192 -0
package/dist-standalone/invite.js +324 -0
package/dist-standalone/key-agreement.d.ts +122 -0
package/dist-standalone/key-agreement.js +236 -0
package/dist-standalone/lazy-init.d.ts +167 -0
package/dist-standalone/lazy-init.js +295 -0
package/dist-standalone/mdns-discovery.d.ts +117 -0
package/dist-standalone/mdns-discovery.js +195 -0
package/dist-standalone/nonce-store.d.ts +39 -0
package/dist-standalone/nonce-store.js +62 -0
package/dist-standalone/package.json +11 -0
package/dist-standalone/pairing-manager.d.ts +147 -0
package/dist-standalone/pairing-manager.js +219 -0
package/dist-standalone/policy.d.ts +150 -0
package/dist-standalone/policy.js +315 -0
package/dist-standalone/redis-nonce-store.d.ts +93 -0
package/dist-standalone/redis-nonce-store.js +72 -0
package/dist-standalone/registry-middleware.d.ts +38 -0
package/dist-standalone/registry-middleware.js +47 -0
package/dist-standalone/retry-transport.d.ts +76 -0
package/dist-standalone/retry-transport.js +98 -0
package/dist-standalone/security-policy.d.ts +146 -0
package/dist-standalone/security-policy.js +198 -0
package/dist-standalone/split-channel.d.ts +69 -0
package/dist-standalone/split-channel.js +171 -0
package/dist-standalone/subscription-proof.d.ts +103 -0
package/dist-standalone/subscription-proof.js +224 -0
package/dist-standalone/succession.d.ts +57 -0
package/dist-standalone/succession.js +142 -0
package/dist-standalone/transport.d.ts +50 -0
package/dist-standalone/transport.js +59 -0
package/dist-standalone/trust-registry.d.ts +286 -0
package/dist-standalone/trust-registry.js +702 -0
package/dist-standalone/verify.d.ts +16 -0
package/dist-standalone/verify.js +16 -0
package/dist-standalone/xfetch.d.ts +129 -0
package/dist-standalone/xfetch.js +247 -0
package/llms.txt +800 -0
package/package.json +79 -0
package/share1.dat +0 -0

package/dist-standalone/trust-registry.d.ts ADDED Viewed

@@ -0,0 +1,286 @@
+import type { Result } from '@private.me/shared';
+import type { DIDStateCheckpoint } from './checkpoint.js';
+/** Trust registry error codes. */
+export type RegistryError = 'NOT_FOUND' | 'ALREADY_REGISTERED' | 'REVOKED' | 'NETWORK_ERROR';
+/** Metadata stored for a registered DID. */
+export interface RegistryEntry {
+    readonly did: string;
+    readonly publicKey: Uint8Array;
+    readonly name: string;
+    readonly scopes: ReadonlySet<string>;
+    /** Scopes this agent accepts for incoming messages. Undefined = accept all. */
+    readonly receiveScopes?: ReadonlySet<string>;
+    readonly revoked: boolean;
+    /** Optional X25519 public key for ECDH forward secrecy. */
+    readonly x25519PublicKey?: Uint8Array;
+    /** Optional ML-KEM-768 public key for hybrid post-quantum KEM (1184 bytes). */
+    readonly mlKemPublicKey?: Uint8Array;
+    /** Optional ML-DSA-65 public key for hybrid post-quantum signatures (1952 bytes). */
+    readonly mlDsaPublicKey?: Uint8Array;
+    /** Whether this agent supports Xchange (XorIDA key transport). */
+    readonly xchange?: boolean;
+    /** Current rotation sequence for this DID (prevents rollback attacks). */
+    readonly rotation_sequence: number;
+}
+/** Trust event types for real-time registry updates. */
+export interface TrustEvent {
+    /** Event type: 'revocation' (DID revoked) or 'succession' (key rotated). */
+    readonly type: 'revocation' | 'succession';
+    /** DID that triggered the event. */
+    readonly did: string;
+    /** Unix timestamp (milliseconds) when the event occurred. */
+    readonly timestamp: number;
+    /** Cryptographic proof for succession events (e.g., signature from old key). */
+    readonly proof?: Uint8Array;
+}
+/**
+ * Trust registry for DID registration, resolution, and scope validation.
+ *
+ * MemoryTrustRegistry for development, HttpTrustRegistry for production.
+ */
+export interface TrustRegistry {
+    /** Register a DID with its public key, name, and scopes. */
+    register(did: string, publicKey: Uint8Array, name: string, scopes?: string[], x25519PublicKey?: Uint8Array, mlKemPublicKey?: Uint8Array, mlDsaPublicKey?: Uint8Array, xchange?: boolean, receiveScopes?: string[]): Promise<Result<void, RegistryError>>;
+    /** Resolve a DID to its raw public key bytes. */
+    resolve(did: string): Promise<Result<Uint8Array, RegistryError>>;
+    /** Check if a DID has a specific scope permission. */
+    hasScope(did: string, scope: string): Promise<boolean>;
+    /** Check if a DID accepts a specific scope for incoming messages. */
+    hasReceiveScope(did: string, scope: string): Promise<boolean>;
+    /** Revoke a DID immediately. */
+    revoke(did: string): Promise<Result<void, RegistryError>>;
+    /** Get the full registry entry for a DID. */
+    getEntry(did: string): Promise<Result<RegistryEntry, RegistryError>>;
+    /**
+     * Rotate the public key for a DID (key succession).
+     * Optional method - not all implementations support key rotation.
+     *
+     * @param did - DID to update
+     * @param newPublicKey - New public key bytes
+     * @param proof - Cryptographic proof (e.g., signature from old key authorizing rotation)
+     * @param rotationSequence - New rotation sequence number (must be > current)
+     */
+    rotate?(did: string, newPublicKey: Uint8Array, proof: Uint8Array, rotationSequence: number): Promise<void>;
+    /**
+     * Subscribe to real-time trust events (revocations, key rotations).
+     * Optional method - not all implementations support subscriptions.
+     *
+     * @param dids - Array of DIDs to watch
+     * @param callback - Function called when events occur
+     * @returns Unsubscribe function to stop watching
+     */
+    subscribe?(dids: string[], callback: (event: TrustEvent) => void): Promise<() => void>;
+    /**
+     * Update scopes for existing DID without revoking.
+     * @param did - DID to update
+     * @param scopes - New scopes (replaces existing)
+     */
+    updateScopes?(did: string, scopes: string[]): Promise<Result<void, RegistryError>>;
+}
+/**
+ * In-memory trust registry for development and testing.
+ */
+export declare class MemoryTrustRegistry implements TrustRegistry {
+    private readonly entries;
+    register(did: string, publicKey: Uint8Array, name: string, scopes?: string[], x25519PublicKey?: Uint8Array, mlKemPublicKey?: Uint8Array, mlDsaPublicKey?: Uint8Array, xchange?: boolean, receiveScopes?: string[]): Promise<Result<void, RegistryError>>;
+    resolve(did: string): Promise<Result<Uint8Array, RegistryError>>;
+    hasScope(did: string, scope: string): Promise<boolean>;
+    hasReceiveScope(did: string, scope: string): Promise<boolean>;
+    revoke(did: string): Promise<Result<void, RegistryError>>;
+    getEntry(did: string): Promise<Result<RegistryEntry, RegistryError>>;
+    updateScopes(did: string, scopes: string[]): Promise<Result<void, RegistryError>>;
+    /** Number of entries (for testing). */
+    get size(): number;
+}
+/** Options for HttpTrustRegistry. */
+export interface HttpTrustRegistryOptions {
+    /** Base URL of the trust registry server (e.g. https://atelier.xail.io). */
+    readonly baseUrl: string;
+    /** Custom fetch implementation (for testing). */
+    readonly fetch?: typeof globalThis.fetch;
+    /** Cache TTL in ms for resolve/getEntry results. Default: 30000 (30s). Set to 0 to disable. */
+    readonly cacheTtlMs?: number;
+    /** Cache failure behavior. Default: 'fail-secure' */
+    readonly cacheFailureMode?: 'fail-secure' | 'fail-open';
+    /** Enable push notification subscription. Default: false */
+    readonly enablePush?: boolean;
+    /** Bloom filter size for push filtering. Default: 10000 */
+    readonly bloomFilterSize?: number;
+    /** Bloom filter false positive rate. Default: 0.01 */
+    readonly bloomFilterFpr?: number;
+}
+/**
+ * HTTP-backed trust registry for production use.
+ * Delegates to a remote atelier.xail.io service.
+ */
+export declare class HttpTrustRegistry implements TrustRegistry {
+    private readonly baseUrl;
+    private readonly fetchFn;
+    private readonly cacheTtlMs;
+    private readonly cacheFailureMode;
+    private readonly enablePush;
+    private readonly bloomFilterSize;
+    private readonly bloomFilterFpr;
+    private readonly resolveCache;
+    private readonly entryCache;
+    constructor(opts: HttpTrustRegistryOptions);
+    /** Clear all cached entries. Call after registration or revocation. */
+    clearCache(): void;
+    register(did: string, publicKey: Uint8Array, name: string, scopes?: string[], x25519PublicKey?: Uint8Array, mlKemPublicKey?: Uint8Array, mlDsaPublicKey?: Uint8Array, xchange?: boolean, receiveScopes?: string[]): Promise<Result<void, RegistryError>>;
+    resolve(did: string): Promise<Result<Uint8Array, RegistryError>>;
+    hasScope(did: string, scope: string): Promise<boolean>;
+    hasReceiveScope(did: string, scope: string): Promise<boolean>;
+    revoke(did: string): Promise<Result<void, RegistryError>>;
+    getEntry(did: string): Promise<Result<RegistryEntry, RegistryError>>;
+    /**
+     * Rotate a DID to a new public key with cryptographic proof.
+     *
+     * Sends rotation request to gateway and invalidates local cache.
+     *
+     * @param did - DID being rotated (old key)
+     * @param newPublicKey - New public key bytes
+     * @param proof - Succession announcement (dual signatures from old and new keys)
+     * @param rotationSequence - Monotonically increasing sequence number (prevents rollback)
+     */
+    rotate(did: string, newPublicKey: Uint8Array, proof: Uint8Array, rotationSequence: number): Promise<void>;
+    /**
+     * Subscribe to real-time trust events (revocation, key rotation).
+     *
+     * Creates a bloom filter from DIDs and connects WebSocket to gateway.
+     * Events matching subscribed DIDs trigger the callback and invalidate cache.
+     *
+     * @param dids - Array of DIDs to monitor
+     * @param callback - Function called when trust events occur
+     * @returns Unsubscribe function to stop watching
+     *
+     * @throws Error if push notifications not enabled (enablePush: true)
+     */
+    subscribe(dids: string[], callback: (event: TrustEvent) => void): Promise<() => void>;
+    /**
+     * Simple hash function for bloom filter (DID → number).
+     * Production implementation would use proper bloom filter hashing.
+     */
+    private hashDid;
+    /**
+     * Resume subscriptions on this gateway using proofs from another gateway.
+     *
+     * Allows clients to migrate between gateways without re-subscribing.
+     * Validates proofs and restores subscription state.
+     *
+     * @param proofs - Array of subscription proofs from previous gateway.
+     * @returns Success or error.
+     *
+     * @example
+     * ```typescript
+     * const registry = new HttpTrustRegistry({ baseUrl: 'https://atelier2.xail.io' });
+     * const result = await registry.resumeSubscriptions([proof1, proof2]);
+     * ```
+     */
+    resumeSubscriptions(proofs: Array<{
+        peer_did: string;
+        bloom_filter_hash: string;
+        peer_signature: string;
+    }>): Promise<Result<void, RegistryError>>;
+    /**
+     * Fetch signed checkpoint for a DID (freshness primitive).
+     *
+     * Checkpoints provide cryptographic proof of DID state at a specific timestamp.
+     * Clients verify checkpoint signature and compare rotation_sequence to detect staleness.
+     *
+     * @param did - DID to fetch checkpoint for
+     * @returns Signed checkpoint or error
+     *
+     * @example
+     * ```typescript
+     * const checkpoint = await registry.fetchCheckpoint('did:key:z6Mk...');
+     * if (checkpoint.ok) {
+     *   const verified = await verifyCheckpoint(checkpoint.value, gatewayPubKey);
+     *   if (verified.ok && verified.value) {
+     *     // Use checkpoint for staleness detection
+     *     if (isCacheStale(localCache, checkpoint.value)) {
+     *       // Refresh cache
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    fetchCheckpoint(did: string): Promise<Result<DIDStateCheckpoint, RegistryError>>;
+    updateScopes(did: string, scopes: string[]): Promise<Result<void, RegistryError>>;
+}
+/** Options for FileTrustRegistry. */
+export interface FileTrustRegistryOptions {
+    /** Path to JSONL file for persistent storage. */
+    readonly path: string;
+}
+/**
+ * File-based trust registry using JSONL append-only log.
+ * Replays all entries on initialization, keeps in-memory Map for fast access.
+ * Suitable for production deployments with local persistence.
+ */
+export declare class FileTrustRegistry implements TrustRegistry {
+    private readonly path;
+    private readonly entries;
+    private initialized;
+    constructor(opts: FileTrustRegistryOptions);
+    /** Initialize by replaying JSONL log. Called automatically on first operation. */
+    private init;
+    /** Append record to JSONL file. */
+    private append;
+    register(did: string, publicKey: Uint8Array, name: string, scopes?: string[], x25519PublicKey?: Uint8Array, mlKemPublicKey?: Uint8Array, mlDsaPublicKey?: Uint8Array, xchange?: boolean, receiveScopes?: string[]): Promise<Result<void, RegistryError>>;
+    resolve(did: string): Promise<Result<Uint8Array, RegistryError>>;
+    hasScope(did: string, scope: string): Promise<boolean>;
+    hasReceiveScope(did: string, scope: string): Promise<boolean>;
+    revoke(did: string): Promise<Result<void, RegistryError>>;
+    getEntry(did: string): Promise<Result<RegistryEntry, RegistryError>>;
+    updateScopes(did: string, scopes: string[]): Promise<Result<void, RegistryError>>;
+    /**
+     * Rotate a DID to a new public key with rollback protection.
+     *
+     * Validates that rotationSequence is greater than current sequence to prevent
+     * rollback attacks. Appends rotation event to JSONL and updates in-memory state.
+     *
+     * @param did - DID being rotated
+     * @param newPublicKey - New public key bytes
+     * @param proof - Cryptographic proof (e.g., signature from old key)
+     * @param rotationSequence - Monotonically increasing sequence number
+     * @throws Error if DID not found or sequence validation fails
+     */
+    rotate(did: string, newPublicKey: Uint8Array, proof: Uint8Array, rotationSequence: number): Promise<void>;
+    /** Number of entries (for testing). */
+    get size(): number;
+}
+/**
+ * Create an enterprise trust registry with optional pre-population.
+ * Suitable for corporate deployments with centralized trust management.
+ *
+ * @example
+ * ```typescript
+ * const registry = await TrustRegistry.enterprise({
+ *   storage: 'file',
+ *   path: '/opt/corp/trust.jsonl',
+ *   preload: [
+ *     { did: 'did:web:corp.example.com', publicKey: ..., name: 'Corporate Gateway' }
+ *   ]
+ * });
+ * ```
+ */
+export declare function createEnterpriseTrustRegistry(opts: {
+    /** Storage backend: 'memory', 'file', or 'http'. */
+    readonly storage: 'memory' | 'file' | 'http';
+    /** File path (required if storage='file'). */
+    readonly path?: string;
+    /** HTTP base URL (required if storage='http'). */
+    readonly baseUrl?: string;
+    /** Pre-populate with these entries. */
+    readonly preload?: Array<{
+        did: string;
+        publicKey: Uint8Array;
+        name: string;
+        scopes?: string[];
+        receiveScopes?: string[];
+        x25519PublicKey?: Uint8Array;
+        mlKemPublicKey?: Uint8Array;
+        mlDsaPublicKey?: Uint8Array;
+        xchange?: boolean;
+    }>;
+}): Promise<TrustRegistry>;