@private.me/xbind 1.2.15 → 1.2.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +92 -2
  2. package/dist-standalone/cjs/errors.js +265 -1
  3. package/dist-standalone/cjs/security-policy.js +55 -14
  4. package/dist-standalone/cli/init.js +0 -0
  5. package/dist-standalone/errors.d.ts +4 -0
  6. package/dist-standalone/errors.js +263 -0
  7. package/dist-standalone/security-policy.d.ts +8 -4
  8. package/dist-standalone/security-policy.js +55 -14
  9. package/package.json +14 -13
  10. package/share1.dat +0 -0
package/dist-standalone/errors.js CHANGED
@@ -74,6 +74,13 @@ export class XBindAgentError extends XBindError {
74
74
  this.name = 'XBindAgentError';
75
75
  }
76
76
  }
77
+ /** Billing and payment errors (subscriptions, limits, verification). */
78
+ export class XBindBillingError extends XBindError {
79
+ constructor(code, message) {
80
+ super(code, message, `${DOC_BASE}#billing`);
81
+ this.name = "XBindBillingError";
82
+ }
83
+ }
77
84
  /**
78
85
  * Create detailed error information for a given error code.
79
86
  *
@@ -105,6 +112,9 @@ const ERROR_DETAILS = {
105
112
  suggested_action: 'Verify runtime environment supports Web Crypto API and retry key generation',
106
113
  severity: 'critical',
107
114
  docs: `${DOC_BASE}#identity`,
115
+ aws: 'InternalFailure',
116
+ grpc: 13,
117
+ http: 500,
108
118
  },
109
119
  SIGN_FAILED: {
110
120
  message: 'Signing failed',
@@ -112,6 +122,9 @@ const ERROR_DETAILS = {
112
122
  suggested_action: 'Verify private key is valid and properly imported with extractable flag',
113
123
  severity: 'high',
114
124
  docs: `${DOC_BASE}#identity`,
125
+ aws: 'InternalFailure',
126
+ grpc: 13,
127
+ http: 500,
115
128
  },
116
129
  VERIFY_FAILED: {
117
130
  message: 'Signature verification failed',
@@ -119,6 +132,9 @@ const ERROR_DETAILS = {
119
132
  suggested_action: 'Verify sender public key and message integrity before retrying',
120
133
  severity: 'critical',
121
134
  docs: `${DOC_BASE}#identity`,
135
+ aws: 'InvalidParameterValue',
136
+ grpc: 3,
137
+ http: 400,
122
138
  },
123
139
  INVALID_DID: {
124
140
  message: 'DID format is invalid',
@@ -127,6 +143,9 @@ const ERROR_DETAILS = {
127
143
  suggested_action: 'Use validateDID() helper to verify format before processing',
128
144
  severity: 'high',
129
145
  docs: `${DOC_BASE}#identity`,
146
+ aws: 'InvalidParameterValue',
147
+ grpc: 3,
148
+ http: 400,
130
149
  },
131
150
  INVALID_KEY_LENGTH: {
132
151
  message: 'Key material has incorrect length',
@@ -134,6 +153,9 @@ const ERROR_DETAILS = {
134
153
  suggested_action: 'Verify key is exactly 32 bytes and properly base64-decoded',
135
154
  severity: 'high',
136
155
  docs: `${DOC_BASE}#key-agreement`,
156
+ aws: 'InvalidParameterValue',
157
+ grpc: 3,
158
+ http: 400,
137
159
  },
138
160
  EXPORT_FAILED: {
139
161
  message: 'PKCS8 export failed',
@@ -141,6 +163,9 @@ const ERROR_DETAILS = {
141
163
  suggested_action: 'Create key with extractable:true flag and verify Web Crypto API support',
142
164
  severity: 'medium',
143
165
  docs: `${DOC_BASE}#identity`,
166
+ aws: 'InternalFailure',
167
+ grpc: 13,
168
+ http: 500,
144
169
  },
145
170
  IMPORT_FAILED: {
146
171
  message: 'PKCS8 import failed',
@@ -148,6 +173,9 @@ const ERROR_DETAILS = {
148
173
  suggested_action: 'Validate PKCS8 format and verify key data is not corrupted',
149
174
  severity: 'high',
150
175
  docs: `${DOC_BASE}#identity`,
176
+ aws: 'InvalidParameterValue',
177
+ grpc: 3,
178
+ http: 400,
151
179
  },
152
180
  // Envelope
153
181
  INVALID_VERSION: {
@@ -157,6 +185,9 @@ const ERROR_DETAILS = {
157
185
  suggested_action: 'Update SDK or request sender to use compatible version (v1-v4)',
158
186
  severity: 'high',
159
187
  docs: `${DOC_BASE}#envelope`,
188
+ aws: 'ValidationException',
189
+ grpc: 3,
190
+ http: 400,
160
191
  },
161
192
  INVALID_ALG: {
162
193
  message: 'Unknown encryption algorithm',
@@ -165,6 +196,9 @@ const ERROR_DETAILS = {
165
196
  suggested_action: 'Verify sender uses AES-256-GCM algorithm',
166
197
  severity: 'high',
167
198
  docs: `${DOC_BASE}#envelope`,
199
+ aws: 'ValidationException',
200
+ grpc: 3,
201
+ http: 400,
168
202
  },
169
203
  INVALID_NONCE: {
170
204
  message: 'Nonce is missing or invalid',
@@ -173,6 +207,9 @@ const ERROR_DETAILS = {
173
207
  suggested_action: 'Verify nonce is 12 bytes and properly base64-encoded',
174
208
  severity: 'critical',
175
209
  docs: `${DOC_BASE}#envelope`,
210
+ aws: 'ValidationException',
211
+ grpc: 3,
212
+ http: 400,
176
213
  },
177
214
  INVALID_FIELDS: {
178
215
  message: 'Required envelope fields are missing',
@@ -180,6 +217,9 @@ const ERROR_DETAILS = {
180
217
  suggested_action: 'Validate all required envelope fields are present',
181
218
  severity: 'high',
182
219
  docs: `${DOC_BASE}#envelope`,
220
+ aws: 'ValidationException',
221
+ grpc: 3,
222
+ http: 400,
183
223
  },
184
224
  ENCRYPT_FAILED: {
185
225
  message: 'AES-256-GCM encryption failed',
@@ -187,6 +227,9 @@ const ERROR_DETAILS = {
187
227
  suggested_action: 'Verify key is 32 bytes and nonce is 12 bytes before encryption',
188
228
  severity: 'high',
189
229
  docs: `${DOC_BASE}#envelope`,
230
+ aws: 'InternalFailure',
231
+ grpc: 13,
232
+ http: 500,
190
233
  },
191
234
  DECRYPT_FAILED: {
192
235
  message: 'Decryption failed',
@@ -194,6 +237,9 @@ const ERROR_DETAILS = {
194
237
  suggested_action: 'Verify correct key and check ciphertext integrity',
195
238
  severity: 'critical',
196
239
  docs: `${DOC_BASE}#envelope`,
240
+ aws: 'InternalFailure',
241
+ grpc: 13,
242
+ http: 500,
197
243
  },
198
244
  PARSE_FAILED: {
199
245
  message: 'Envelope deserialization failed',
@@ -201,6 +247,9 @@ const ERROR_DETAILS = {
201
247
  suggested_action: 'Validate JSON structure and check for data corruption',
202
248
  severity: 'high',
203
249
  docs: `${DOC_BASE}#envelope`,
250
+ aws: 'ValidationException',
251
+ grpc: 3,
252
+ http: 400,
204
253
  },
205
254
  // Transport
206
255
  SEND_FAILED: {
@@ -209,6 +258,9 @@ const ERROR_DETAILS = {
209
258
  suggested_action: 'Check network connectivity and retry with exponential backoff',
210
259
  severity: 'high',
211
260
  docs: `${DOC_BASE}#transport`,
261
+ aws: 'ServiceUnavailable',
262
+ grpc: 14,
263
+ http: 503,
212
264
  },
213
265
  NETWORK_ERROR: {
214
266
  message: 'Network request failed',
@@ -216,6 +268,9 @@ const ERROR_DETAILS = {
216
268
  suggested_action: 'Verify internet connection and implement exponential backoff retry',
217
269
  severity: 'high',
218
270
  docs: `${DOC_BASE}#transport`,
271
+ aws: 'ServiceUnavailable',
272
+ grpc: 14,
273
+ http: 503,
219
274
  },
220
275
  RECIPIENT_UNREACHABLE: {
221
276
  message: 'Recipient is unreachable',
@@ -224,6 +279,9 @@ const ERROR_DETAILS = {
224
279
  suggested_action: 'Verify recipient is registered with xBind and online',
225
280
  severity: 'medium',
226
281
  docs: `${DOC_BASE}#transport`,
282
+ aws: 'ServiceUnavailable',
283
+ grpc: 14,
284
+ http: 503,
227
285
  },
228
286
  TIMEOUT: {
229
287
  message: 'Transport operation timed out',
@@ -231,6 +289,9 @@ const ERROR_DETAILS = {
231
289
  suggested_action: 'Increase timeout threshold and check network latency',
232
290
  severity: 'medium',
233
291
  docs: `${DOC_BASE}#transport`,
292
+ aws: 'RequestTimeout',
293
+ grpc: 4,
294
+ http: 408,
234
295
  },
235
296
  // Registry
236
297
  NOT_FOUND: {
@@ -240,6 +301,9 @@ const ERROR_DETAILS = {
240
301
  suggested_action: 'Ask recipient to register with xBind',
241
302
  severity: 'medium',
242
303
  docs: `${DOC_BASE}#registry`,
304
+ aws: 'ResourceNotFoundException',
305
+ grpc: 5,
306
+ http: 404,
243
307
  },
244
308
  ALREADY_REGISTERED: {
245
309
  message: 'Agent is already registered',
@@ -247,6 +311,9 @@ const ERROR_DETAILS = {
247
311
  suggested_action: 'Use updateAgent() instead of registerAgent()',
248
312
  severity: 'low',
249
313
  docs: `${DOC_BASE}#registry`,
314
+ aws: 'ResourceAlreadyExists',
315
+ grpc: 6,
316
+ http: 409,
250
317
  },
251
318
  REVOKED: {
252
319
  message: 'Agent has been revoked from the registry',
@@ -254,6 +321,9 @@ const ERROR_DETAILS = {
254
321
  suggested_action: 'Contact registry administrator to resolve revocation',
255
322
  severity: 'high',
256
323
  docs: `${DOC_BASE}#registry`,
324
+ aws: 'AccessDenied',
325
+ grpc: 7,
326
+ http: 403,
257
327
  },
258
328
  // Key agreement
259
329
  DERIVE_FAILED: {
@@ -262,6 +332,9 @@ const ERROR_DETAILS = {
262
332
  suggested_action: 'Verify peer public key is valid X25519 and not corrupted',
263
333
  severity: 'high',
264
334
  docs: `${DOC_BASE}#key-agreement`,
335
+ aws: 'InternalFailure',
336
+ grpc: 13,
337
+ http: 500,
265
338
  },
266
339
  KEM_ENCAPSULATE_FAILED: {
267
340
  message: 'ML-KEM-768 encapsulation failed',
@@ -269,6 +342,9 @@ const ERROR_DETAILS = {
269
342
  suggested_action: 'Verify recipient ML-KEM-768 public key and post-quantum support',
270
343
  severity: 'high',
271
344
  docs: `${DOC_BASE}#key-agreement`,
345
+ aws: 'InternalFailure',
346
+ grpc: 13,
347
+ http: 500,
272
348
  },
273
349
  KEM_DECAPSULATE_FAILED: {
274
350
  message: 'ML-KEM-768 decapsulation failed',
@@ -276,6 +352,9 @@ const ERROR_DETAILS = {
276
352
  suggested_action: 'Verify ciphertext integrity and ML-KEM secret key',
277
353
  severity: 'high',
278
354
  docs: `${DOC_BASE}#key-agreement`,
355
+ aws: 'InternalFailure',
356
+ grpc: 13,
357
+ http: 500,
279
358
  },
280
359
  HKDF_FAILED: {
281
360
  message: 'HKDF key derivation failed',
@@ -283,6 +362,9 @@ const ERROR_DETAILS = {
283
362
  suggested_action: 'Verify shared secrets are valid and SHA-256 is available',
284
363
  severity: 'high',
285
364
  docs: `${DOC_BASE}#key-agreement`,
365
+ aws: 'InternalFailure',
366
+ grpc: 13,
367
+ http: 500,
286
368
  },
287
369
  MLKEM_NOT_AVAILABLE: {
288
370
  message: 'ML-KEM-768 key not available',
@@ -297,6 +379,9 @@ const ERROR_DETAILS = {
297
379
  suggested_action: 'Verify ML-DSA-65 secret key and post-quantum support',
298
380
  severity: 'high',
299
381
  docs: `${DOC_BASE}#identity`,
382
+ aws: 'InternalFailure',
383
+ grpc: 13,
384
+ http: 500,
300
385
  },
301
386
  PQ_VERIFY_FAILED: {
302
387
  message: 'ML-DSA-65 verification failed',
@@ -304,6 +389,9 @@ const ERROR_DETAILS = {
304
389
  suggested_action: 'Verify signer public key and signature format',
305
390
  severity: 'high',
306
391
  docs: `${DOC_BASE}#identity`,
392
+ aws: 'InvalidParameterValue',
393
+ grpc: 3,
394
+ http: 400,
307
395
  },
308
396
  // Split-channel
309
397
  SPLIT_FAILED: {
@@ -312,6 +400,9 @@ const ERROR_DETAILS = {
312
400
  suggested_action: 'Verify threshold parameters and payload size',
313
401
  severity: 'high',
314
402
  docs: `${DOC_BASE}#split-channel`,
403
+ aws: 'InternalFailure',
404
+ grpc: 13,
405
+ http: 500,
315
406
  },
316
407
  INSUFFICIENT_SHARES: {
317
408
  message: 'Not enough shares to reconstruct',
@@ -319,6 +410,9 @@ const ERROR_DETAILS = {
319
410
  suggested_action: 'Collect more shares to meet threshold requirement',
320
411
  severity: 'high',
321
412
  docs: `${DOC_BASE}#split-channel`,
413
+ aws: 'ValidationException',
414
+ grpc: 3,
415
+ http: 400,
322
416
  },
323
417
  INCONSISTENT_SHARES: {
324
418
  message: 'Shares have mismatched group IDs or lengths',
@@ -326,6 +420,9 @@ const ERROR_DETAILS = {
326
420
  suggested_action: 'Verify all shares are from the same split operation',
327
421
  severity: 'high',
328
422
  docs: `${DOC_BASE}#split-channel`,
423
+ aws: 'ValidationException',
424
+ grpc: 3,
425
+ http: 400,
329
426
  },
330
427
  HMAC_VERIFICATION_FAILED: {
331
428
  message: 'Share HMAC check failed',
@@ -333,6 +430,9 @@ const ERROR_DETAILS = {
333
430
  suggested_action: 'Request fresh share from sender',
334
431
  severity: 'critical',
335
432
  docs: `${DOC_BASE}#split-channel`,
433
+ aws: 'UnauthorizedOperation',
434
+ grpc: 16,
435
+ http: 401,
336
436
  },
337
437
  UNPAD_FAILED: {
338
438
  message: 'Padding removal failed after reconstruction',
@@ -340,6 +440,9 @@ const ERROR_DETAILS = {
340
440
  suggested_action: 'Verify reconstruction succeeded and data is valid UTF-8',
341
441
  severity: 'high',
342
442
  docs: `${DOC_BASE}#split-channel`,
443
+ aws: 'InternalFailure',
444
+ grpc: 13,
445
+ http: 500,
343
446
  },
344
447
  INVALID_SHARE_DATA: {
345
448
  message: 'Share data is malformed',
@@ -347,6 +450,9 @@ const ERROR_DETAILS = {
347
450
  suggested_action: 'Verify share is valid base64 and request correctly-formatted share',
348
451
  severity: 'high',
349
452
  docs: `${DOC_BASE}#split-channel`,
453
+ aws: 'ValidationException',
454
+ grpc: 3,
455
+ http: 400,
350
456
  },
351
457
  // Xchange
352
458
  XCHANGE_KEYGEN_FAILED: {
@@ -355,6 +461,9 @@ const ERROR_DETAILS = {
355
461
  suggested_action: 'Verify Web Crypto API available and retry',
356
462
  severity: 'high',
357
463
  docs: `${DOC_BASE}#xchange`,
464
+ aws: 'InternalFailure',
465
+ grpc: 13,
466
+ http: 500,
358
467
  },
359
468
  XCHANGE_ENCRYPT_FAILED: {
360
469
  message: 'Xchange bundle encryption failed',
@@ -362,6 +471,9 @@ const ERROR_DETAILS = {
362
471
  suggested_action: 'Verify payload size and encryption key length',
363
472
  severity: 'high',
364
473
  docs: `${DOC_BASE}#xchange`,
474
+ aws: 'InternalFailure',
475
+ grpc: 13,
476
+ http: 500,
365
477
  },
366
478
  XCHANGE_DECRYPT_FAILED: {
367
479
  message: 'Xchange bundle decryption failed',
@@ -369,6 +481,9 @@ const ERROR_DETAILS = {
369
481
  suggested_action: 'Verify reconstruction completed and decryption key is correct',
370
482
  severity: 'high',
371
483
  docs: `${DOC_BASE}#xchange`,
484
+ aws: 'InternalFailure',
485
+ grpc: 13,
486
+ http: 500,
372
487
  },
373
488
  INVALID_BUNDLE: {
374
489
  message: 'Xchange bundle is malformed',
@@ -376,6 +491,9 @@ const ERROR_DETAILS = {
376
491
  suggested_action: 'Verify bundle size and request correctly-formed bundle',
377
492
  severity: 'high',
378
493
  docs: `${DOC_BASE}#xchange`,
494
+ aws: 'ValidationException',
495
+ grpc: 3,
496
+ http: 400,
379
497
  },
380
498
  // Agent (high-level)
381
499
  IDENTITY_FAILED: {
@@ -384,6 +502,9 @@ const ERROR_DETAILS = {
384
502
  suggested_action: 'Verify Web Crypto API available and retry agent initialization',
385
503
  severity: 'critical',
386
504
  docs: `${DOC_BASE}#agent`,
505
+ aws: 'InternalFailure',
506
+ grpc: 13,
507
+ http: 500,
387
508
  },
388
509
  REGISTRATION_FAILED: {
389
510
  message: 'Agent registration with trust registry failed',
@@ -391,6 +512,9 @@ const ERROR_DETAILS = {
391
512
  suggested_action: 'Verify registry URL and auth token, then retry with exponential backoff',
392
513
  severity: 'high',
393
514
  docs: `${DOC_BASE}#agent`,
515
+ aws: 'ServiceUnavailable',
516
+ grpc: 14,
517
+ http: 503,
394
518
  },
395
519
  RECIPIENT_NOT_FOUND: {
396
520
  message: 'Recipient agent not found in registry',
@@ -399,6 +523,9 @@ const ERROR_DETAILS = {
399
523
  suggested_action: 'Ask recipient to register with xBind',
400
524
  severity: 'medium',
401
525
  docs: `${DOC_BASE}#agent`,
526
+ aws: 'ResourceNotFoundException',
527
+ grpc: 5,
528
+ http: 404,
402
529
  },
403
530
  RECIPIENT_REVOKED: {
404
531
  message: 'Recipient agent has been revoked',
@@ -407,6 +534,9 @@ const ERROR_DETAILS = {
407
534
  suggested_action: 'Inform recipient to contact registry administrator',
408
535
  severity: 'high',
409
536
  docs: `${DOC_BASE}#agent`,
537
+ aws: 'AccessDenied',
538
+ grpc: 7,
539
+ http: 403,
410
540
  },
411
541
  KEY_AGREEMENT_FAILED: {
412
542
  message: 'ECDH key agreement with recipient failed',
@@ -414,6 +544,9 @@ const ERROR_DETAILS = {
414
544
  suggested_action: 'Request fresh key from recipient',
415
545
  severity: 'high',
416
546
  docs: `${DOC_BASE}#agent`,
547
+ aws: 'InternalFailure',
548
+ grpc: 13,
549
+ http: 500,
417
550
  },
418
551
  ENVELOPE_FAILED: {
419
552
  message: 'Envelope creation failed',
@@ -421,6 +554,9 @@ const ERROR_DETAILS = {
421
554
  suggested_action: 'Verify payload size and recipient DID',
422
555
  severity: 'high',
423
556
  docs: `${DOC_BASE}#agent`,
557
+ aws: 'InternalFailure',
558
+ grpc: 13,
559
+ http: 500,
424
560
  },
425
561
  VERIFICATION_FAILED: {
426
562
  message: 'Incoming envelope verification failed',
@@ -428,6 +564,9 @@ const ERROR_DETAILS = {
428
564
  suggested_action: 'Verify sender is in trust registry and not revoked',
429
565
  severity: 'critical',
430
566
  docs: `${DOC_BASE}#agent`,
567
+ aws: 'UnauthorizedOperation',
568
+ grpc: 16,
569
+ http: 401,
431
570
  },
432
571
  REPLAY_DETECTED: {
433
572
  message: 'Duplicate nonce detected — possible replay attack',
@@ -435,6 +574,9 @@ const ERROR_DETAILS = {
435
574
  suggested_action: 'DISCARD MESSAGE and alert user to potential replay attack',
436
575
  severity: 'critical',
437
576
  docs: `${DOC_BASE}#agent`,
577
+ aws: 'AccessDenied',
578
+ grpc: 7,
579
+ http: 403,
438
580
  },
439
581
  SCOPE_DENIED: {
440
582
  message: 'Sender does not have permission for the requested scope',
@@ -443,6 +585,9 @@ const ERROR_DETAILS = {
443
585
  suggested_action: 'Contact registry admin to grant permission',
444
586
  severity: 'medium',
445
587
  docs: `${DOC_BASE}#agent`,
588
+ aws: 'AccessDenied',
589
+ grpc: 7,
590
+ http: 403,
446
591
  },
447
592
  RECEIVER_SCOPE_DENIED: {
448
593
  message: 'Recipient does not accept messages with this scope',
@@ -451,6 +596,9 @@ const ERROR_DETAILS = {
451
596
  suggested_action: 'Ask recipient to enable scope in settings',
452
597
  severity: 'medium',
453
598
  docs: `${DOC_BASE}#agent`,
599
+ aws: 'AccessDenied',
600
+ grpc: 7,
601
+ http: 403,
454
602
  },
455
603
  TIMESTAMP_EXPIRED: {
456
604
  message: 'Envelope timestamp is outside the allowed window',
@@ -458,6 +606,110 @@ const ERROR_DETAILS = {
458
606
  suggested_action: 'Synchronize system clocks using NTP',
459
607
  severity: 'medium',
460
608
  docs: `${DOC_BASE}#agent`,
609
+ aws: 'RequestExpired',
610
+ grpc: 9,
611
+ http: 412,
612
+ },
613
+ INCOMPATIBLE_VERSION: {
614
+ message: 'Client version is incompatible with server',
615
+ hint: 'Actions: (1) Update xBind SDK to latest version, (2) Check minimum supported version in docs, (3) Verify server API version requirements, (4) Contact support if upgrade not possible',
616
+ suggested_action: 'Update xBind SDK to latest version',
617
+ severity: 'high',
618
+ docs: `${DOC_BASE}#agent`,
619
+ aws: 'ValidationException',
620
+ grpc: 3,
621
+ http: 400,
622
+ },
623
+ FEATURE_NOT_SUPPORTED: {
624
+ message: 'Requested feature is not supported',
625
+ hint: 'Actions: (1) Check feature availability in current plan, (2) Verify SDK version supports feature, (3) Review feature documentation, (4) Consider upgrading plan or SDK version',
626
+ suggested_action: 'Check feature availability in current plan or SDK version',
627
+ severity: 'medium',
628
+ docs: `${DOC_BASE}#agent`,
629
+ aws: 'ValidationException',
630
+ grpc: 12,
631
+ http: 501,
632
+ },
633
+ QUOTA_EXCEEDED: {
634
+ message: 'Operation quota exceeded',
635
+ hint: 'Actions: (1) Check current usage against plan limits, (2) Implement rate limiting and backoff, (3) Upgrade to higher tier plan, (4) Wait for quota reset period',
636
+ suggested_action: 'Implement rate limiting or upgrade plan',
637
+ severity: 'medium',
638
+ docs: `${DOC_BASE}#agent`,
639
+ aws: 'ThrottlingException',
640
+ grpc: 8,
641
+ http: 429,
642
+ },
643
+ ACCOUNT_SUSPENDED: {
644
+ message: 'Account has been suspended',
645
+ hint: 'Actions: (1) Contact support to determine suspension reason, (2) Review terms of service compliance, (3) Resolve any payment or policy issues, (4) Request account reactivation',
646
+ suggested_action: 'Contact support to resolve suspension',
647
+ severity: 'critical',
648
+ docs: `${DOC_BASE}#agent`,
649
+ aws: 'AccessDeniedException',
650
+ grpc: 7,
651
+ http: 403,
652
+ },
653
+ ACCOUNT_NOT_FOUND: {
654
+ message: 'Account does not exist',
655
+ hint: 'Actions: (1) Verify account identifier is correct, (2) Check if account was deleted, (3) Confirm registration completed successfully, (4) Create new account if needed',
656
+ suggested_action: 'Verify account identifier or create new account',
657
+ severity: 'high',
658
+ docs: `${DOC_BASE}#agent`,
659
+ aws: 'ResourceNotFoundException',
660
+ grpc: 5,
661
+ http: 404,
662
+ },
663
+ // Billing & Payment
664
+ BILLING_FAILURE: {
665
+ message: 'Billing operation failed',
666
+ hint: 'Actions: (1) Verify payment method is valid and not expired, (2) Check Stripe account status, (3) Review billing logs for specific error, (4) Contact support if issue persists',
667
+ suggested_action: 'Verify payment method and check billing logs',
668
+ severity: 'high',
669
+ docs: `${DOC_BASE}#billing`,
670
+ aws: 'RequestLimitExceeded',
671
+ grpc: 8,
672
+ http: 402,
673
+ },
674
+ PAYMENT_REQUIRED: {
675
+ message: 'Payment required to access this resource',
676
+ hint: 'Actions: (1) Add payment method in account settings, (2) Subscribe to appropriate tier, (3) Verify billing information is current, (4) Check account status',
677
+ suggested_action: 'Add payment method and subscribe to access this resource',
678
+ severity: 'medium',
679
+ docs: `${DOC_BASE}#billing`,
680
+ aws: 'AccessDenied',
681
+ grpc: 7,
682
+ http: 402,
683
+ },
684
+ SUBSCRIPTION_REQUIRED: {
685
+ message: 'Valid subscription required',
686
+ hint: 'Actions: (1) Subscribe to a paid tier in account settings, (2) Verify subscription is active and not expired, (3) Check billing status, (4) Review subscription features',
687
+ suggested_action: 'Subscribe to a paid tier to access this feature',
688
+ severity: 'medium',
689
+ docs: `${DOC_BASE}#billing`,
690
+ aws: 'AccessDenied',
691
+ grpc: 7,
692
+ http: 403,
693
+ },
694
+ TIER_LIMIT_EXCEEDED: {
695
+ message: 'Current tier usage limit exceeded',
696
+ hint: 'Actions: (1) Upgrade to higher tier for increased limits, (2) Check current usage vs tier limits, (3) Wait for limit reset (typically monthly), (4) Review tier comparison chart',
697
+ suggested_action: 'Upgrade to higher tier or wait for limit reset',
698
+ severity: 'medium',
699
+ docs: `${DOC_BASE}#billing`,
700
+ aws: 'RequestLimitExceeded',
701
+ grpc: 8,
702
+ http: 403,
703
+ },
704
+ VERIFICATION_REQUIRED: {
705
+ message: 'Account verification required',
706
+ hint: 'Actions: (1) Complete email verification, (2) Verify payment method, (3) Complete identity verification if required, (4) Check account verification status in settings',
707
+ suggested_action: 'Complete account verification steps in settings',
708
+ severity: 'high',
709
+ docs: `${DOC_BASE}#billing`,
710
+ aws: 'AccessDenied',
711
+ grpc: 7,
712
+ http: 403,
461
713
  },
462
714
  };
463
715
  /** Error messages keyed by code. Includes what happened and what to do next. */
@@ -519,6 +771,17 @@ const ERROR_MESSAGES = {
519
771
  SCOPE_DENIED: [XBindAgentError, 'Sender does not have permission for the requested scope. Actions: (1) Check sender scope in registry, (2) Contact admin to grant, (3) Verify scope value.'],
520
772
  RECEIVER_SCOPE_DENIED: [XBindAgentError, 'Recipient does not accept messages with this scope. Actions: (1) Check recipient receive scope settings, (2) Ask to enable scope, (3) Verify registry entry.'],
521
773
  TIMESTAMP_EXPIRED: [XBindAgentError, 'Envelope timestamp is outside the allowed window. Actions: (1) Synchronize system clocks (NTP), (2) Check time difference, (3) Verify no time drift.'],
774
+ INCOMPATIBLE_VERSION: [XBindAgentError, 'Client version is incompatible with server. Actions: (1) Update xBind SDK to latest version, (2) Check minimum supported version, (3) Contact support if upgrade not possible.'],
775
+ FEATURE_NOT_SUPPORTED: [XBindAgentError, 'Requested feature is not supported. Actions: (1) Check feature availability in plan, (2) Verify SDK version, (3) Consider upgrading plan.'],
776
+ QUOTA_EXCEEDED: [XBindAgentError, 'Operation quota exceeded. Actions: (1) Check usage against plan limits, (2) Implement rate limiting, (3) Upgrade plan, (4) Wait for quota reset.'],
777
+ ACCOUNT_SUSPENDED: [XBindAgentError, 'Account has been suspended. Actions: (1) Contact support for suspension reason, (2) Review terms compliance, (3) Resolve payment/policy issues.'],
778
+ ACCOUNT_NOT_FOUND: [XBindAgentError, 'Account does not exist. Actions: (1) Verify account identifier, (2) Check if account was deleted, (3) Create new account if needed.'],
779
+ // Billing & Payment
780
+ BILLING_FAILURE: [XBindBillingError, 'Billing operation failed. Actions: (1) Verify payment method is valid and not expired, (2) Check Stripe account status, (3) Review billing logs, (4) Contact support if issue persists.'],
781
+ PAYMENT_REQUIRED: [XBindBillingError, 'Payment required to access this resource. Actions: (1) Add payment method in account settings, (2) Subscribe to appropriate tier, (3) Verify billing information is current.'],
782
+ SUBSCRIPTION_REQUIRED: [XBindBillingError, 'Valid subscription required. Actions: (1) Subscribe to a paid tier in account settings, (2) Verify subscription is active and not expired, (3) Check billing status.'],
783
+ TIER_LIMIT_EXCEEDED: [XBindBillingError, 'Current tier usage limit exceeded. Actions: (1) Upgrade to higher tier for increased limits, (2) Check current usage vs tier limits, (3) Wait for limit reset (typically monthly).'],
784
+ VERIFICATION_REQUIRED: [XBindBillingError, 'Account verification required. Actions: (1) Complete email verification, (2) Verify payment method, (3) Complete identity verification if required, (4) Check account verification status in settings.'],
522
785
  };
523
786
  /**
524
787
  * Convert a string error code to a typed XBindError instance.
package/dist-standalone/security-policy.d.ts CHANGED
@@ -62,10 +62,12 @@ export interface SecurityPolicy {
62
62
  * Default security policy for basic XBind.
63
63
  *
64
64
  * Rules:
65
- * - Transfers over $100,000: High security (3 shares, 2-of-3 threshold)
66
- * - Cross-entity communication: High security (3 shares, 2-of-3 threshold)
67
- * - Explicit 'high' override: High security (3 shares, 2-of-3 threshold)
68
- * - Explicit 'critical' override: Critical security (5 shares, 3-of-5 threshold)
65
+ * - Explicit risk tags: low 2-of-2, medium → 2-of-3, high/critical → 3-of-5
66
+ * - Fiat transfers: USD/EUR/GBP >$100k 2-of-3, >$1M → 3-of-5
67
+ * - Crypto transfers: Require explicit risk tag (no numeric auto-detection)
68
+ * - Sensitive scopes: custody/admin/settlement 2-of-3
69
+ * - Cross-entity communication: 2-of-3
70
+ * - Explicit 'high' override: 2-of-3, 'critical' override: 3-of-5
69
71
  * - Everything else: Standard encrypted transport (V3 hybrid PQ)
70
72
  *
71
73
  * Enterprise and Government variants extend this with custom rules.
@@ -77,10 +79,12 @@ export declare class DefaultSecurityPolicy implements SecurityPolicy {
77
79
  *
78
80
  * @param options - Optional configuration
79
81
  * @param options.highValueThreshold - Amount threshold for high security (default: 100000)
82
+ * @param options.criticalValueThreshold - Amount threshold for critical security (default: 1000000)
80
83
  * @param options.enableXchange - Allow Xchange mode for performance (default: false)
81
84
  */
82
85
  constructor(options?: {
83
86
  readonly highValueThreshold?: number;
87
+ readonly criticalValueThreshold?: number;
84
88
  readonly enableXchange?: boolean;
85
89
  });
86
90
  classify(context: SecurityContext): SecurityDecision;