@private.me/xbind 1.3.0 → 2.3.4

package/dist-standalone/cjs/backup-config.js

@@ -1,207 +1 @@
-"use strict";
-/**
- * XorIDA Backup Configuration for Key Splitting
- *
- * Provides default backup configuration (k=2, n=3) and utilities for
- * splitting cryptographic keys across multiple shares using information-
- * theoretic threshold secret sharing.
- *
- * @module backup-config
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_BACKUP_CONFIG = void 0;
-exports.validateBackupConfig = validateBackupConfig;
-exports.splitKeyWithBackup = splitKeyWithBackup;
-exports.reconstructKeyFromBackup = reconstructKeyFromBackup;
-const shared_1 = require("../_deps/shared/index.js");
-const crypto_1 = require("../_deps/crypto/index.js");
-/* ── Constants ── */
-/**
- * Default backup configuration: 2-of-3 threshold sharing.
- *
- * - 3 shares generated
- * - Any 2 shares can reconstruct the key
- * - Lose 1 share and still recover (fault tolerance)
- * - Information-theoretic security (each share reveals zero information)
- */
-exports.DEFAULT_BACKUP_CONFIG = {
-    threshold: 2,
-    totalShares: 3,
-};
-/* ── Validation ── */
-/**
- * Validate backup configuration parameters.
- *
- * Rules:
- * - threshold must be >= 2 (single share = no threshold)
- * - totalShares must be >= threshold
- * - totalShares must be <= 255 (XorIDA limit)
- *
- * @param config - Backup configuration to validate.
- * @returns Ok if valid, error otherwise.
- */
-function validateBackupConfig(config) {
-    if (config.threshold < 2) {
-        return (0, shared_1.err)('INVALID_CONFIG');
-    }
-    if (config.totalShares < config.threshold) {
-        return (0, shared_1.err)('INVALID_CONFIG');
-    }
-    if (config.totalShares > 255) {
-        return (0, shared_1.err)('INVALID_CONFIG');
-    }
-    return (0, shared_1.ok)(undefined);
-}
-/* ── Key Splitting ── */
-/**
- * Split a cryptographic key into backup shares using XorIDA.
- *
- * The key is padded, split via information-theoretic threshold sharing,
- * and returned as BackupShare objects with HMAC integrity protection.
- *
- * Any `threshold` shares can reconstruct the original key. Each share
- * reveals zero information about the key (information-theoretic security).
- *
- * @param key - The key to split (32 or 64 bytes typical).
- * @param config - Backup configuration (defaults to 2-of-3).
- * @returns Array of backup shares or error.
- *
- * @example
- * ```typescript
- * import { splitKeyWithBackup, DEFAULT_BACKUP_CONFIG } from '@private.me/xbind';
- *
- * const key = crypto.getRandomValues(new Uint8Array(32));
- *
- * // Use defaults (2-of-3)
- * const shares = await splitKeyWithBackup(key);
- *
- * // Custom config (3-of-5)
- * const shares2 = await splitKeyWithBackup(key, {
- *   threshold: 3,
- *   totalShares: 5
- * });
- *
- * if (shares.ok) {
- *   // Store shares in separate locations
- *   shares.value.forEach((share, i) => {
- *     storeShare(`backup-${i}.json`, JSON.stringify(share));
- *   });
- * }
- * ```
- */
-async function splitKeyWithBackup(key, config = exports.DEFAULT_BACKUP_CONFIG) {
-    const validation = validateBackupConfig(config);
-    if (!validation.ok)
-        return validation;
-    if (key.length === 0) {
-        return (0, shared_1.err)('INVALID_KEY_LENGTH');
-    }
-    const n = config.totalShares;
-    const k = config.threshold;
-    const p = (0, crypto_1.nextOddPrime)(n);
-    const blockSize = p - 1;
-    // Pad to block size
-    const padded = (0, crypto_1.pkcs7Pad)(key, blockSize);
-    // Generate HMAC for integrity verification
-    const { key: hmacKey, signature: hmacSig } = await (0, crypto_1.generateHMAC)(padded);
-    const hmacKeyB64 = (0, crypto_1.toBase64)(hmacKey);
-    const hmacSigB64 = (0, crypto_1.toBase64)(hmacSig);
-    // Split via XorIDA
-    let shareArrays;
-    try {
-        shareArrays = (0, crypto_1.splitXorIDA)(padded, n, k);
-    }
-    catch {
-        return (0, shared_1.err)('SPLIT_FAILED');
-    }
-    // Package as BackupShare objects
-    const shares = shareArrays.map((data, index) => ({
-        index,
-        data: (0, crypto_1.toBase64)(data),
-        total: n,
-        threshold: k,
-        hmacKey: hmacKeyB64,
-        hmacSig: hmacSigB64,
-    }));
-    return (0, shared_1.ok)(shares);
-}
-/* ── Key Reconstruction ── */
-/**
- * Reconstruct a cryptographic key from backup shares.
- *
- * Requires at least `threshold` shares. Verifies HMAC before returning
- * the reconstructed key to prevent tampering.
- *
- * @param shares - Backup shares (must be >= threshold).
- * @returns Reconstructed key or error.
- *
- * @example
- * ```typescript
- * import { reconstructKeyFromBackup } from '@private.me/xbind';
- *
- * // Load shares from storage
- * const share0 = JSON.parse(loadShare('backup-0.json'));
- * const share1 = JSON.parse(loadShare('backup-1.json'));
- *
- * // Reconstruct from any 2 shares (threshold=2)
- * const key = await reconstructKeyFromBackup([share0, share1]);
- *
- * if (key.ok) {
- *   // Use reconstructed key
- *   const agent = await Agent.fromSeed(key.value, opts);
- * } else {
- *   console.error('Reconstruction failed:', key.error);
- * }
- * ```
- */
-async function reconstructKeyFromBackup(shares) {
-    if (shares.length === 0) {
-        return (0, shared_1.err)('INSUFFICIENT_SHARES');
-    }
-    const threshold = shares[0].threshold;
-    const total = shares[0].total;
-    if (shares.length < threshold) {
-        return (0, shared_1.err)('INSUFFICIENT_SHARES');
-    }
-    // Use first `threshold` shares
-    const usedShares = shares.slice(0, threshold);
-    // Decode share data
-    let shareData;
-    try {
-        shareData = usedShares.map((s) => (0, crypto_1.fromBase64)(s.data));
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_SHARE_DATA');
-    }
-    const indices = usedShares.map((s) => s.index);
-    // Reconstruct padded key
-    let padded;
-    try {
-        padded = (0, crypto_1.reconstructXorIDA)(shareData, indices, total, threshold);
-    }
-    catch {
-        return (0, shared_1.err)('RECONSTRUCT_FAILED');
-    }
-    // Verify HMAC
-    let hmacKey;
-    let hmacSig;
-    try {
-        hmacKey = (0, crypto_1.fromBase64)(usedShares[0].hmacKey);
-        hmacSig = (0, crypto_1.fromBase64)(usedShares[0].hmacSig);
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_SHARE_DATA');
-    }
-    const hmacValid = await (0, crypto_1.verifyHMAC)(hmacKey, padded, hmacSig);
-    if (!hmacValid) {
-        return (0, shared_1.err)('HMAC_VERIFICATION_FAILED');
-    }
-    // Unpad to recover original key
-    const p = (0, crypto_1.nextOddPrime)(total);
-    const blockSize = p - 1;
-    const unpadResult = (0, crypto_1.pkcs7Unpad)(padded, blockSize);
-    if (!unpadResult.ok) {
-        return (0, shared_1.err)('RECONSTRUCT_FAILED');
-    }
-    return (0, shared_1.ok)(unpadResult.value);
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.DEFAULT_BACKUP_CONFIG=void 0,exports.validateBackupConfig=validateBackupConfig,exports.splitKeyWithBackup=splitKeyWithBackup,exports.reconstructKeyFromBackup=reconstructKeyFromBackup;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js");function validateBackupConfig(t){return t.threshold<2||t.totalShares<t.threshold||t.totalShares>255?(0,shared_1.err)("INVALID_CONFIG"):(0,shared_1.ok)(void 0)}async function splitKeyWithBackup(t,r=exports.DEFAULT_BACKUP_CONFIG){const e=validateBackupConfig(r);if(!e.ok)return e;if(0===t.length)return(0,shared_1.err)("INVALID_KEY_LENGTH");const s=r.totalShares,_=r.threshold,a=(0,crypto_utils_js_1.nextOddPrime)(s)-1,o=(0,crypto_utils_js_1.pkcs7Pad)(t,a),{key:c,signature:i}=await(0,crypto_utils_js_1.generateHMAC)(o),u=(0,crypto_utils_js_1.toBase64)(c),n=(0,crypto_utils_js_1.toBase64)(i);let l;try{l=(0,crypto_utils_js_1.splitXorIDA)(o,s,_)}catch{return(0,shared_1.err)("SPLIT_FAILED")}const h=l.map((t,r)=>({index:r,data:(0,crypto_utils_js_1.toBase64)(t),total:s,threshold:_,hmacKey:u,hmacSig:n}));return(0,shared_1.ok)(h)}async function reconstructKeyFromBackup(t){if(0===t.length)return(0,shared_1.err)("INSUFFICIENT_SHARES");const r=t[0].threshold,e=t[0].total;if(t.length<r)return(0,shared_1.err)("INSUFFICIENT_SHARES");const s=t.slice(0,r);let _;try{_=s.map(t=>(0,crypto_utils_js_1.fromBase64)(t.data))}catch{return(0,shared_1.err)("INVALID_SHARE_DATA")}const a=s.map(t=>t.index);let o,c,i;try{o=(0,crypto_utils_js_1.reconstructXorIDA)(_,a,e,r)}catch{return(0,shared_1.err)("RECONSTRUCT_FAILED")}try{c=(0,crypto_utils_js_1.fromBase64)(s[0].hmacKey),i=(0,crypto_utils_js_1.fromBase64)(s[0].hmacSig)}catch{return(0,shared_1.err)("INVALID_SHARE_DATA")}if(!await(0,crypto_utils_js_1.verifyHMAC)(c,o,i))return(0,shared_1.err)("HMAC_VERIFICATION_FAILED");const u=(0,crypto_utils_js_1.nextOddPrime)(e)-1,n=(0,crypto_utils_js_1.pkcs7Unpad)(o,u);return n.ok?(0,shared_1.ok)(n.value):(0,shared_1.err)("RECONSTRUCT_FAILED")}exports.DEFAULT_BACKUP_CONFIG={threshold:2,totalShares:3};

package/dist-standalone/cjs/backup.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.exportBackup=exportBackup,exports.importBackup=importBackup;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js"),identity_js_1=require("./identity.js"),PBKDF2_ITERATIONS=31e4,SALT_LENGTH=16,IV_LENGTH=12,KEY_LENGTH=32;function toArrayBuffer(e){const t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}async function deriveKey(e,t){try{if(t.length!==SALT_LENGTH)return(0,shared_1.err)("INVALID_BACKUP");const r=await crypto.subtle.importKey("raw",(new TextEncoder).encode(e),"PBKDF2",!1,["deriveBits"]),s=new Uint8Array(await crypto.subtle.deriveBits({name:"PBKDF2",hash:"SHA-256",salt:toArrayBuffer(t),iterations:31e4},r,256)),a=await crypto.subtle.importKey("raw",toArrayBuffer(s),{name:"AES-GCM"},!1,["encrypt","decrypt"]);return(0,shared_1.ok)(a)}catch{return(0,shared_1.err)("PBKDF2_FAILED")}}async function serializeIdentity(e){try{const t=await(0,identity_js_1.exportPKCS8)(e.privateKey);if(!t.ok)return(0,shared_1.err)("EXPORT_FAILED");const r=await(0,identity_js_1.exportX25519PKCS8)(e.x25519PrivateKey);if(!r.ok)return(0,shared_1.err)("EXPORT_FAILED");const s=(0,identity_js_1.exportMlKemSecretKey)(e),a=(0,identity_js_1.exportMlKemPublicKey)(e),o=(0,identity_js_1.exportMlDsaSecretKey)(e),i=(0,identity_js_1.exportMlDsaPublicKey)(e),_=e.rotatedKeys?await Promise.all(e.rotatedKeys.map(async e=>{const t=await(0,identity_js_1.exportX25519PKCS8)(e.x25519PrivateKey);if(!t.ok)throw new Error("Failed to export rotated X25519 key");return{rotatedAt:e.rotatedAt,x25519Pkcs8:(0,crypto_utils_js_1.toBase64)(t.value),...e.mlKemSecretKey?{mlKemSecretKey:(0,crypto_utils_js_1.toBase64)(e.mlKemSecretKey)}:{}}})):void 0;return(0,shared_1.ok)({did:e.did,rawPublicKey:(0,crypto_utils_js_1.toBase64)(e.rawPublicKey),ed25519Pkcs8:(0,crypto_utils_js_1.toBase64)(t.value),x25519Pkcs8:(0,crypto_utils_js_1.toBase64)(r.value),...s?{mlKemSecretKey:(0,crypto_utils_js_1.toBase64)(s)}:{},...a?{mlKemPublicKey:(0,crypto_utils_js_1.toBase64)(a)}:{},...o?{mlDsaSecretKey:(0,crypto_utils_js_1.toBase64)(o)}:{},...i?{mlDsaPublicKey:(0,crypto_utils_js_1.toBase64)(i)}:{},..._?{rotatedKeys:_}:{},exportedAt:Date.now()})}catch{return(0,shared_1.err)("EXPORT_FAILED")}}async function exportBackup(e,t){try{const r=await serializeIdentity(e);if(!r.ok)return r;const s=crypto.getRandomValues(new Uint8Array(SALT_LENGTH)),a=crypto.getRandomValues(new Uint8Array(IV_LENGTH)),o=await deriveKey(t,s);if(!o.ok)return o;const i=JSON.stringify(r.value),_=(new TextEncoder).encode(i),c=await crypto.subtle.encrypt({name:"AES-GCM",iv:toArrayBuffer(a)},o.value,_),n=new Uint8Array(c);if(n.length<16)return(0,shared_1.err)("ENCRYPTION_FAILED");const y=n.length-16,u=n.slice(0,y),l=n.slice(y);return(0,shared_1.ok)({version:1,salt:(0,crypto_utils_js_1.toBase64)(s),iv:(0,crypto_utils_js_1.toBase64)(a),ciphertext:(0,crypto_utils_js_1.toBase64)(u),tag:(0,crypto_utils_js_1.toBase64)(l)})}catch{return(0,shared_1.err)("ENCRYPTION_FAILED")}}async function importBackup(e,t){try{if(1!==e.version)return(0,shared_1.err)("INVALID_BACKUP");let r,s,a,o;try{r=(0,crypto_utils_js_1.fromBase64)(e.salt),s=(0,crypto_utils_js_1.fromBase64)(e.iv),a=(0,crypto_utils_js_1.fromBase64)(e.ciphertext),o=(0,crypto_utils_js_1.fromBase64)(e.tag)}catch{return(0,shared_1.err)("INVALID_BACKUP")}if(r.length!==SALT_LENGTH||s.length!==IV_LENGTH||16!==o.length)return(0,shared_1.err)("INVALID_BACKUP");const i=await deriveKey(t,r);if(!i.ok)return i;const _=new Uint8Array(a.length+o.length);let c,n,y,u,l,d,p,K;_.set(a),_.set(o,a.length);try{c=await crypto.subtle.decrypt({name:"AES-GCM",iv:toArrayBuffer(s)},i.value,toArrayBuffer(_))}catch(e){return console.warn("[xBind] GCM verification failed:",e),(0,shared_1.err)("INVALID_PASSWORD")}try{const e=(new TextDecoder).decode(c);n=JSON.parse(e)}catch{return(0,shared_1.err)("INVALID_BACKUP")}if(!n.did||!n.ed25519Pkcs8||!n.x25519Pkcs8)return(0,shared_1.err)("INVALID_BACKUP");try{y=(0,crypto_utils_js_1.fromBase64)(n.ed25519Pkcs8),u=(0,crypto_utils_js_1.fromBase64)(n.x25519Pkcs8),n.mlKemSecretKey&&(l=(0,crypto_utils_js_1.fromBase64)(n.mlKemSecretKey)),n.mlKemPublicKey&&(d=(0,crypto_utils_js_1.fromBase64)(n.mlKemPublicKey)),n.mlDsaSecretKey&&(p=(0,crypto_utils_js_1.fromBase64)(n.mlDsaSecretKey)),n.mlDsaPublicKey&&(K=(0,crypto_utils_js_1.fromBase64)(n.mlDsaPublicKey))}catch{return(0,shared_1.err)("INVALID_BACKUP")}const m=await(0,identity_js_1.importIdentity)(y,u,l,d,p,K);if(!m.ok)return(0,shared_1.err)("IMPORT_FAILED");if(n.rotatedKeys&&n.rotatedKeys.length>0){const e=m.value,t=await Promise.all(n.rotatedKeys.map(async e=>{const t=(0,crypto_utils_js_1.fromBase64)(e.x25519Pkcs8),r=await crypto.subtle.importKey("pkcs8",toArrayBuffer(t),{name:"X25519"},!0,["deriveBits"]),s=e.mlKemSecretKey?(0,crypto_utils_js_1.fromBase64)(e.mlKemSecretKey):void 0;return{rotatedAt:e.rotatedAt,x25519PrivateKey:r,...s?{mlKemSecretKey:s}:{}}}));return(0,shared_1.ok)({...e,rotatedKeys:t})}return m}catch(e){return console.warn("[xBind] Import backup failed:",e),(0,shared_1.err)("DECRYPTION_FAILED")}}

package/dist-standalone/cjs/batch-operations.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.BatchOperationError=void 0,exports.batchSend=batchSend,exports.batchReceive=batchReceive,exports.batchRegistryOps=batchRegistryOps,exports.batchResolve=batchResolve,exports.batchGetEntries=batchGetEntries;const shared_1=require("../_deps/shared/index.js"),ux_helpers_1=require("../_deps/ux-helpers/index.js");class BatchOperationError extends Error{summary;constructor(e,t){super(e),this.summary=t,this.name="BatchOperationError"}}async function batchSend(e,t){const r=new ux_helpers_1.ProgressReporter(t.onProgress),n=Date.now(),{messages:s,strategy:o="parallel",concurrency:a=10,continueOnError:c=!0}=t;r.start(`Sending ${s.length} messages (${o} mode)...`);const i=[];if("sequential"===o)for(let t=0;t<s.length;t++){const n=s[t],o=Date.now();r.update(`Sending message ${t+1}/${s.length}...`,t/s.length*100);const a=await e.send(n),u=Date.now()-o;if(i.push({index:t,result:a,durationMs:u}),!c&&!a.ok)break}else if("failfast"===o){const t=s.map((t,r)=>{const s=Date.now();return e.send(t).then(e=>{const t=Date.now()-s;if(!e.ok)throw new BatchOperationError(`Batch send failed at index ${r}: ${e.error}`,createSummary(i,Date.now()-n));return{index:r,result:e,durationMs:t}})});try{const e=await Promise.all(t);i.push(...e)}catch(e){if(e instanceof BatchOperationError)throw e;throw new BatchOperationError("Batch send failed",createSummary(i,Date.now()-n))}}else{const t=chunkArray(s,a);for(let n=0;n<t.length;n++){const s=t[n],o=n*a;r.update(`Processing chunk ${n+1}/${t.length}...`,n/t.length*100);const c=await Promise.all(s.map(async(t,r)=>{const n=o+r,s=Date.now();return{index:n,result:await e.send(t),durationMs:Date.now()-s}}));i.push(...c)}}return r.complete(),createSummary(i,Date.now()-n)}async function batchReceive(e,t){const r=new ux_helpers_1.ProgressReporter(t.onProgress),n=Date.now(),{envelopes:s,receiveOptions:o,strategy:a="parallel",concurrency:c=10,continueOnError:i=!0}=t;r.start(`Receiving ${s.length} envelopes (${a} mode)...`);const u=[];if("sequential"===a)for(let t=0;t<s.length;t++){const n=s[t],a=Date.now();r.update(`Receiving envelope ${t+1}/${s.length}...`,t/s.length*100);const c=await e.receive(n,o),l=Date.now()-a;if(u.push({index:t,result:c,durationMs:l}),!i&&!c.ok)break}else{const t=chunkArray(s,c);for(let n=0;n<t.length;n++){const s=t[n],a=n*c;r.update(`Processing chunk ${n+1}/${t.length}...`,n/t.length*100);const i=await Promise.all(s.map(async(t,r)=>{const n=a+r,s=Date.now();return{index:n,result:await e.receive(t,o),durationMs:Date.now()-s}}));u.push(...i)}}return r.complete(),createSummary(u,Date.now()-n)}async function batchRegistryOps(e,t){const r=new ux_helpers_1.ProgressReporter(t.onProgress),n=Date.now(),{operations:s,atomic:o=!1,strategy:a="parallel",concurrency:c=5}=t;r.start(`Executing ${s.length} registry operations (${o?"atomic":"best-effort"} mode)...`);const i=[];if(o&&r.update("Warning: Atomic mode not fully implemented - using best-effort",10),"sequential"===a)for(let t=0;t<s.length;t++){const n=s[t],a=Date.now();r.update(`Operation ${t+1}/${s.length}: ${n.type} ${n.did}`,t/s.length*100);const c=await executeRegistryOperation(e,n),u=Date.now()-a;if(i.push({index:t,result:c,durationMs:u}),o&&!c.ok)break}else{const t=chunkArray(s,c);for(let n=0;n<t.length;n++){const s=t[n],a=n*c;r.update(`Processing chunk ${n+1}/${t.length}...`,n/t.length*100);const u=await Promise.all(s.map(async(t,r)=>{const n=a+r,s=Date.now();return{index:n,result:await executeRegistryOperation(e,t),durationMs:Date.now()-s}}));if(i.push(...u),o&&u.some(e=>!e.result.ok))break}}return r.complete(),createSummary(i,Date.now()-n)}async function batchResolve(e,t,r){const n=new ux_helpers_1.ProgressReporter(r?.onProgress),s=Date.now(),o=r?.concurrency??10;n.start(`Resolving ${t.length} DIDs...`);const a=[],c=chunkArray(t,o);for(let t=0;t<c.length;t++){const r=c[t],s=t*o;n.update(`Resolving chunk ${t+1}/${c.length}...`,t/c.length*100);const i=await Promise.all(r.map(async(t,r)=>{const n=s+r,o=Date.now();return{index:n,result:await e.resolve(t),durationMs:Date.now()-o}}));a.push(...i)}return n.complete(),createSummary(a,Date.now()-s)}async function batchGetEntries(e,t,r){const n=new ux_helpers_1.ProgressReporter(r?.onProgress),s=Date.now(),o=r?.concurrency??10;n.start(`Fetching ${t.length} registry entries...`);const a=[],c=chunkArray(t,o);for(let t=0;t<c.length;t++){const r=c[t],s=t*o;n.update(`Fetching chunk ${t+1}/${c.length}...`,t/c.length*100);const i=await Promise.all(r.map(async(t,r)=>{const n=s+r,o=Date.now();return{index:n,result:await e.getEntry(t),durationMs:Date.now()-o}}));a.push(...i)}return n.complete(),createSummary(a,Date.now()-s)}async function executeRegistryOperation(e,t){switch(t.type){case"register":{if(!t.params)return(0,shared_1.err)("INVALID_PARAMS");const{publicKey:r,name:n,scopes:s,x25519PublicKey:o,mlKemPublicKey:a,mlDsaPublicKey:c,xchange:i,receiveScopes:u,sdkVersion:l,minEnvelopeVersion:h,maxEnvelopeVersion:p,ttlMs:g}=t.params;return e.register(t.did,r,n,s,o,a,c,i,u,l,h,p,g)}case"revoke":return e.revoke(t.did);case"updateScopes":return t.newScopes&&"updateScopes"in e&&"function"==typeof e.updateScopes?e.updateScopes(t.did,t.newScopes):(0,shared_1.err)("INVALID_PARAMS");default:return(0,shared_1.err)("INVALID_OPERATION")}}function createSummary(e,t){const r=e.filter(e=>e.result.ok).length,n=e.filter(e=>!e.result.ok).length,s=e.length>0?e.reduce((e,t)=>e+t.durationMs,0)/e.length:0;return{total:e.length,succeeded:r,failed:n,results:e,totalDurationMs:t,avgDurationMs:s}}function chunkArray(e,t){const r=[];for(let n=0;n<e.length;n+=t)r.push(e.slice(n,n+t));return r}exports.BatchOperationError=BatchOperationError;

package/dist-standalone/cjs/cancellation.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.CancellationError=void 0,exports.createTimeoutSignal=createTimeoutSignal,exports.combineSignals=combineSignals,exports.onCancellation=onCancellation,exports.throwIfAborted=throwIfAborted,exports.withCancellation=withCancellation,exports.delay=delay,exports.withRetry=withRetry,exports.createCancellationController=createCancellationController,exports.isCancellationError=isCancellationError;const shared_1=require("../_deps/shared/index.js");class CancellationError extends Error{reason;context;constructor(e,r,n){super(e),this.reason=r,this.context=n,this.name="CancellationError"}}function createTimeoutSignal(e,r){const n=new AbortController,t=Date.now(),o=setTimeout(()=>{const t=r?.reason||`Operation timed out after ${e}ms`;n.abort(new CancellationError(t,"timeout",r?.context))},e);return{signal:n.signal,clear:()=>{clearTimeout(o)},remaining:()=>{const r=Date.now()-t;return Math.max(0,e-r)}}}function combineSignals(e){const r=e.filter(e=>e&&!e.aborted);if(0===r.length){const r=e.find(e=>e?.aborted);return r||(new AbortController).signal}if(1===r.length)return r[0];if("function"==typeof AbortSignal.any)return AbortSignal.any(r);const n=new AbortController,t=[];for(const e of r){const r=()=>{n.abort(e.reason),t.forEach(e=>e())};e.addEventListener("abort",r,{once:!0}),t.push(()=>{e.removeEventListener("abort",r)})}return n.signal}function onCancellation(e,r){e.aborted?Promise.resolve().then(()=>r()).catch(()=>{}):e.addEventListener("abort",()=>{Promise.resolve().then(()=>r()).catch(()=>{})},{once:!0})}function throwIfAborted(e,r){if(e?.aborted){const n=e.reason instanceof Error?e.reason.message:String(e.reason||"Operation was cancelled");throw new CancellationError(n,"aborted",r)}}async function withCancellation(e,r){if(!r)try{const r=await e;return(0,shared_1.ok)(r)}catch(e){return(0,shared_1.err)(new CancellationError(e instanceof Error?e.message:String(e),"promise_rejected"))}if(r.aborted){const e=r.reason instanceof Error?r.reason.message:String(r.reason||"Operation was cancelled");return(0,shared_1.err)(new CancellationError(e,"aborted"))}return new Promise(n=>{const t=()=>{const e=r.reason instanceof Error?r.reason.message:String(r.reason||"Operation was cancelled");n((0,shared_1.err)(new CancellationError(e,"aborted")))};r.addEventListener("abort",t,{once:!0}),e.then(e=>{r.removeEventListener("abort",t),n((0,shared_1.ok)(e))}).catch(e=>{r.removeEventListener("abort",t),n((0,shared_1.err)(new CancellationError(e instanceof Error?e.message:String(e),"promise_rejected")))})})}function delay(e,r){return new Promise((n,t)=>{if(r?.aborted){const e=r.reason instanceof Error?r.reason.message:String(r.reason||"Delay cancelled");return void t(new CancellationError(e,"aborted"))}const o=setTimeout(()=>{r&&r.removeEventListener("abort",a),n()},e),a=()=>{clearTimeout(o);const e=r.reason instanceof Error?r.reason.message:String(r.reason||"Delay cancelled");t(new CancellationError(e,"aborted"))};r&&r.addEventListener("abort",a,{once:!0})})}async function withRetry(e,r){const n=r?.maxAttempts??3,t=r?.initialDelay??1e3,o=r?.multiplier??2,a=r?.signal,i=r?.shouldRetry??(()=>!0);let s,l=t;for(let r=1;r<=n;r++){if(a?.aborted){const e=a.reason instanceof Error?a.reason.message:String(a.reason||"Operation was cancelled");return(0,shared_1.err)(new CancellationError(e,"aborted",{attempt:r}))}try{const r=await e();return(0,shared_1.ok)(r)}catch(e){if(s=e instanceof Error?e:new Error(String(e)),r>=n||!i(e,r))break;try{await delay(l,a),l*=o}catch(e){if(e instanceof CancellationError)return(0,shared_1.err)(e);throw e}}}return(0,shared_1.err)(s||new Error("Operation failed after retries"))}function createCancellationController(){const e=new AbortController;let r;return{signal:e.signal,get isCancelled(){return e.signal.aborted},get reason(){return r},cancel(n){r=n||"Operation cancelled",e.abort(new CancellationError(r,"manual"))},throwIfCancelled(r){throwIfAborted(e.signal,r)}}}function isCancellationError(e){return e instanceof CancellationError||e instanceof Error&&"AbortError"===e.name||e instanceof Error&&"CancellationError"===e.name}exports.CancellationError=CancellationError;

package/dist-standalone/cjs/checkpoint.js

@@ -1,193 +1 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createCheckpoint = createCheckpoint;
-exports.verifyCheckpoint = verifyCheckpoint;
-exports.isCacheStale = isCacheStale;
-exports.encodeCheckpoint = encodeCheckpoint;
-exports.decodeCheckpoint = decodeCheckpoint;
-const shared_1 = require("../_deps/shared/index.js");
-const identity_js_1 = require("./identity.js");
-/* ── Checkpoint Creation (Gateway-side) ── */
-/**
- * Create a signed checkpoint for a DID (gateway-side operation).
- *
- * Gateway signs the DID state snapshot using its ML-DSA-65 private key.
- * Clients verify this signature using the gateway's published public key.
- *
- * @param subject - DID being checkpointed
- * @param publicKey - Current public key bytes
- * @param revoked - Current revocation status
- * @param rotationSequence - Current rotation sequence counter
- * @param gatewayPrivateKey - Gateway's ML-DSA-65 secret key (32-byte seed or 4032-byte expanded)
- * @returns Signed checkpoint or error
- *
- * @example
- * ```typescript
- * const checkpoint = await createCheckpoint(
- *   'did:key:z6Mk...',
- *   publicKeyBytes,
- *   false,
- *   5,
- *   gatewaySecretKey
- * );
- * if (checkpoint.ok) {
- *   // Send checkpoint to client for staleness detection
- *   sendToClient(checkpoint.value);
- * }
- * ```
- */
-async function createCheckpoint(subject, publicKey, revoked, rotationSequence, gatewayPrivateKey) {
-    const timestamp = Date.now();
-    // Construct canonical message to sign
-    const publicKeyB64 = Buffer.from(publicKey).toString('base64');
-    const message = `DIDStateCheckpoint||1.0||${subject}||${publicKeyB64}||${revoked}||${rotationSequence}||${timestamp}`;
-    const messageBytes = new TextEncoder().encode(message);
-    // Sign using gateway's ML-DSA-65 key
-    const sigResult = await (0, identity_js_1.signMlDsa65)(gatewayPrivateKey, messageBytes);
-    if (!sigResult.ok) {
-        return (0, shared_1.err)('SIGN_FAILED');
-    }
-    return (0, shared_1.ok)({
-        type: 'DIDStateCheckpoint',
-        version: '1.0',
-        subject,
-        current_public_key: publicKeyB64,
-        revoked,
-        rotation_sequence: rotationSequence,
-        timestamp,
-        checkpoint_signature_algorithm: 'ML-DSA-65',
-        checkpoint_signature: Buffer.from(sigResult.value).toString('base64')
-    });
-}
-/* ── Checkpoint Verification (Client-side) ── */
-/**
- * Verify a checkpoint signature (client-side operation).
- *
- * Clients MUST verify checkpoint signatures before trusting the state.
- * Uses gateway's published ML-DSA-65 public key to verify signature.
- *
- * @param checkpoint - Checkpoint to verify
- * @param gatewayPublicKey - Gateway's ML-DSA-65 public key (1952 bytes)
- * @returns true if signature valid, false if invalid, error if verification fails
- *
- * @example
- * ```typescript
- * const valid = await verifyCheckpoint(checkpoint, gatewayPubKey);
- * if (valid.ok && valid.value) {
- *   // Checkpoint is authentic - safe to use for staleness detection
- *   if (isCacheStale(localCache, checkpoint)) {
- *     // Refresh local cache
- *   }
- * }
- * ```
- */
-async function verifyCheckpoint(checkpoint, gatewayPublicKey) {
-    // Validate checkpoint format
-    if (checkpoint.type !== 'DIDStateCheckpoint') {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    if (checkpoint.version !== '1.0') {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    if (!checkpoint.subject || !checkpoint.current_public_key) {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    if (typeof checkpoint.rotation_sequence !== 'number' || checkpoint.rotation_sequence < 0) {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    if (typeof checkpoint.timestamp !== 'number' || checkpoint.timestamp <= 0) {
-        return (0, shared_1.err)('INVALID_TIMESTAMP');
-    }
-    if (checkpoint.checkpoint_signature_algorithm !== 'ML-DSA-65') {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    // Reconstruct canonical message
-    const message = `DIDStateCheckpoint||1.0||${checkpoint.subject}||${checkpoint.current_public_key}||${checkpoint.revoked}||${checkpoint.rotation_sequence}||${checkpoint.timestamp}`;
-    const messageBytes = new TextEncoder().encode(message);
-    // Decode signature
-    let signature;
-    try {
-        signature = Buffer.from(checkpoint.checkpoint_signature, 'base64');
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_SIGNATURE');
-    }
-    // Verify signature using gateway public key
-    const verifyResult = await (0, identity_js_1.verifyMlDsa65)(gatewayPublicKey, signature, messageBytes);
-    if (!verifyResult.ok) {
-        return (0, shared_1.err)('VERIFY_FAILED');
-    }
-    return (0, shared_1.ok)(verifyResult.value);
-}
-/* ── Staleness Detection ── */
-/**
- * Detect if local cache is stale compared to gateway checkpoint.
- *
- * Cache is stale if:
- * 1. Checkpoint rotation_sequence > local rotationSequence (key rotated)
- * 2. Checkpoint revoked !== local revoked (revocation status changed)
- * 3. Checkpoint public key !== local publicKey (state drift)
- *
- * @param localCache - Local cache entry for DID
- * @param checkpoint - Verified checkpoint from gateway
- * @returns true if cache needs refresh, false if cache is current
- *
- * @example
- * ```typescript
- * if (isCacheStale(localCache, checkpoint)) {
- *   // Local cache is outdated - fetch fresh state from gateway
- *   const freshState = await registry.getEntry(did);
- * }
- * ```
- */
-function isCacheStale(localCache, checkpoint) {
-    // Sequence number mismatch indicates key rotation
-    if (checkpoint.rotation_sequence > localCache.rotationSequence) {
-        return true;
-    }
-    // Revocation status changed
-    if (checkpoint.revoked !== localCache.revoked) {
-        return true;
-    }
-    // Public key mismatch indicates state drift
-    const checkpointPubKey = Buffer.from(checkpoint.current_public_key, 'base64');
-    if (!Buffer.from(localCache.publicKey).equals(checkpointPubKey)) {
-        return true;
-    }
-    return false;
-}
-/* ── Encoding/Decoding ── */
-/**
- * Encode checkpoint to JSON string for wire transport.
- *
- * @param checkpoint - Checkpoint to encode
- * @returns JSON string
- */
-function encodeCheckpoint(checkpoint) {
-    return JSON.stringify(checkpoint);
-}
-/**
- * Decode checkpoint from JSON string.
- *
- * @param encoded - JSON string
- * @returns Parsed checkpoint or error
- */
-function decodeCheckpoint(encoded) {
-    try {
-        const parsed = JSON.parse(encoded);
-        // Basic validation
-        if (parsed.type !== 'DIDStateCheckpoint') {
-            return (0, shared_1.err)('INVALID_FORMAT');
-        }
-        if (parsed.version !== '1.0') {
-            return (0, shared_1.err)('INVALID_FORMAT');
-        }
-        if (!parsed.subject || !parsed.current_public_key || !parsed.checkpoint_signature) {
-            return (0, shared_1.err)('INVALID_FORMAT');
-        }
-        return (0, shared_1.ok)(parsed);
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.createCheckpoint=createCheckpoint,exports.verifyCheckpoint=verifyCheckpoint,exports.isCacheStale=isCacheStale,exports.encodeCheckpoint=encodeCheckpoint,exports.decodeCheckpoint=decodeCheckpoint;const shared_1=require("../_deps/shared/index.js"),identity_js_1=require("./identity.js");async function createCheckpoint(e,r,t,n,i){const o=Date.now(),c=Buffer.from(r).toString("base64"),s=`DIDStateCheckpoint||1.0||${e}||${c}||${t}||${n}||${o}`,a=(new TextEncoder).encode(s),u=await(0,identity_js_1.signMlDsa65)(i,a);return u.ok?(0,shared_1.ok)({type:"DIDStateCheckpoint",version:"1.0",subject:e,current_public_key:c,revoked:t,rotation_sequence:n,timestamp:o,checkpoint_signature_algorithm:"ML-DSA-65",checkpoint_signature:Buffer.from(u.value).toString("base64")}):(0,shared_1.err)("SIGN_FAILED")}async function verifyCheckpoint(e,r){if("DIDStateCheckpoint"!==e.type)return(0,shared_1.err)("INVALID_FORMAT");if("1.0"!==e.version)return(0,shared_1.err)("INVALID_FORMAT");if(!e.subject||!e.current_public_key)return(0,shared_1.err)("INVALID_FORMAT");if("number"!=typeof e.rotation_sequence||e.rotation_sequence<0)return(0,shared_1.err)("INVALID_FORMAT");if("number"!=typeof e.timestamp||e.timestamp<=0)return(0,shared_1.err)("INVALID_TIMESTAMP");if("ML-DSA-65"!==e.checkpoint_signature_algorithm)return(0,shared_1.err)("INVALID_FORMAT");const t=`DIDStateCheckpoint||1.0||${e.subject}||${e.current_public_key}||${e.revoked}||${e.rotation_sequence}||${e.timestamp}`,n=(new TextEncoder).encode(t);let i;try{i=Buffer.from(e.checkpoint_signature,"base64")}catch{return(0,shared_1.err)("INVALID_SIGNATURE")}const o=await(0,identity_js_1.verifyMlDsa65)(r,i,n);return o.ok?(0,shared_1.ok)(o.value):(0,shared_1.err)("VERIFY_FAILED")}function isCacheStale(e,r){if(r.rotation_sequence>e.rotationSequence)return!0;if(r.revoked!==e.revoked)return!0;const t=Buffer.from(r.current_public_key,"base64");return!Buffer.from(e.publicKey).equals(t)}function encodeCheckpoint(e){return JSON.stringify(e)}function decodeCheckpoint(e){try{const r=JSON.parse(e);return"DIDStateCheckpoint"!==r.type||"1.0"!==r.version?(0,shared_1.err)("INVALID_FORMAT"):r.subject&&r.current_public_key&&r.checkpoint_signature?(0,shared_1.ok)(r):(0,shared_1.err)("INVALID_FORMAT")}catch{return(0,shared_1.err)("INVALID_FORMAT")}}

package/dist-standalone/cjs/circuit-breaker.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.CircuitBreakerManager=exports.CircuitBreaker=void 0,exports.createRegistryCircuitBreaker=createRegistryCircuitBreaker,exports.createGatewayCircuitBreaker=createGatewayCircuitBreaker,exports.createS3CircuitBreaker=createS3CircuitBreaker;const shared_1=require("../_deps/shared/index.js");class CircuitBreaker{state="CLOSED";consecutiveFailures=0;consecutiveSuccesses=0;successCount=0;failureCount=0;rejectedCount=0;lastOpenedAt;lastClosedAt;recoveryTimer;failureThreshold;recoveryTimeout;halfOpenMaxCalls;successThreshold;name;onStateChange;onOpen;onClose;onHalfOpen;constructor(e={}){this.failureThreshold=e.failureThreshold??5,this.recoveryTimeout=e.recoveryTimeout??6e4,this.halfOpenMaxCalls=e.halfOpenMaxCalls??3,this.successThreshold=e.successThreshold??2,this.name=e.name??"default",this.onStateChange=e.onStateChange,this.onOpen=e.onOpen,this.onClose=e.onClose,this.onHalfOpen=e.onHalfOpen}async execute(e){if("OPEN"===this.state)return this.rejectedCount++,(0,shared_1.err)("CIRCUIT_OPEN");if("HALF_OPEN"===this.state){if(this.consecutiveSuccesses+(this.consecutiveFailures>0?1:0)>=this.halfOpenMaxCalls)return this.rejectedCount++,(0,shared_1.err)("HALF_OPEN_LIMIT_EXCEEDED")}try{const t=await e();return this.onSuccess(),(0,shared_1.ok)(t)}catch(e){return this.onFailure(e),(0,shared_1.err)("EXECUTION_FAILED")}}getMetrics(){return{state:this.state,successCount:this.successCount,failureCount:this.failureCount,rejectedCount:this.rejectedCount,consecutiveFailures:this.consecutiveFailures,consecutiveSuccesses:this.consecutiveSuccesses,lastOpenedAt:this.lastOpenedAt,lastClosedAt:this.lastClosedAt,name:this.name}}getState(){return this.state}reset(){this.clearRecoveryTimer(),this.transitionTo("CLOSED","manual reset"),this.consecutiveFailures=0,this.consecutiveSuccesses=0}forceOpen(e="manual intervention"){this.transitionTo("OPEN",e),this.scheduleRecovery()}dispose(){this.clearRecoveryTimer()}onSuccess(){this.successCount++,this.consecutiveFailures=0,"HALF_OPEN"===this.state&&(this.consecutiveSuccesses++,this.consecutiveSuccesses>=this.successThreshold&&(this.transitionTo("CLOSED",`${this.consecutiveSuccesses} consecutive successes`),this.consecutiveSuccesses=0))}onFailure(e){if(this.failureCount++,this.consecutiveFailures++,this.consecutiveSuccesses=0,"CLOSED"===this.state&&this.consecutiveFailures>=this.failureThreshold){const e=`${this.consecutiveFailures} consecutive failures`;this.transitionTo("OPEN",e),this.scheduleRecovery()}"HALF_OPEN"===this.state&&(this.transitionTo("OPEN","failure in HALF_OPEN state"),this.scheduleRecovery())}transitionTo(e,t){const s=this.state;s!==e&&(this.state=e,"OPEN"===e?(this.lastOpenedAt=Date.now(),this.onOpen?.(t)):"CLOSED"===e?(this.lastClosedAt=Date.now(),this.onClose?.()):"HALF_OPEN"===e&&this.onHalfOpen?.(),this.onStateChange?.(s,e,t))}scheduleRecovery(){this.clearRecoveryTimer(),this.recoveryTimer=setTimeout(()=>{"OPEN"===this.state&&this.transitionTo("HALF_OPEN","recovery timeout elapsed")},this.recoveryTimeout),this.recoveryTimer.unref&&this.recoveryTimer.unref()}clearRecoveryTimer(){this.recoveryTimer&&(clearTimeout(this.recoveryTimer),this.recoveryTimer=void 0)}}function createRegistryCircuitBreaker(e={}){return new CircuitBreaker({name:"registry",failureThreshold:10,recoveryTimeout:12e4,halfOpenMaxCalls:5,successThreshold:3,...e})}function createGatewayCircuitBreaker(e={}){return new CircuitBreaker({name:"gateway",failureThreshold:5,recoveryTimeout:6e4,halfOpenMaxCalls:3,successThreshold:2,...e})}function createS3CircuitBreaker(e={}){return new CircuitBreaker({name:"s3",failureThreshold:3,recoveryTimeout:3e4,halfOpenMaxCalls:2,successThreshold:2,...e})}exports.CircuitBreaker=CircuitBreaker;class CircuitBreakerManager{breakers=new Map;constructor(){this.breakers.set("registry",createRegistryCircuitBreaker()),this.breakers.set("gateway",createGatewayCircuitBreaker()),this.breakers.set("s3",createS3CircuitBreaker())}async executeRegistry(e){const t=this.breakers.get("registry");return t?t.execute(e):(0,shared_1.err)("Circuit breaker not found: registry")}async executeGateway(e){const t=this.breakers.get("gateway");return t?t.execute(e):(0,shared_1.err)("Circuit breaker not found: gateway")}async executeS3(e){const t=this.breakers.get("s3");return t?t.execute(e):(0,shared_1.err)("Circuit breaker not found: s3")}getMetrics(e){return this.breakers.get(e)?.getMetrics()}getAllMetrics(){const e={};for(const[t,s]of this.breakers.entries())e[t]=s.getMetrics();return e}getOrCreate(e,t){let s=this.breakers.get(e);return s||(s=new CircuitBreaker({...t,name:e}),this.breakers.set(e,s)),s}resetAll(){for(const e of this.breakers.values())e.reset()}dispose(){for(const e of this.breakers.values())e.dispose();this.breakers.clear()}}exports.CircuitBreakerManager=CircuitBreakerManager;