@private.me/xbind 1.3.0 → 2.3.4

package/dist-standalone/trust-registry.js

@@ -1,702 +1 @@
-import { ok, err } from"./_deps/shared/index.js";
-import * as fs from 'node:fs/promises';
-import * as path from 'node:path';
-/* ── Memory Implementation ── */
-/**
- * In-memory trust registry for development and testing.
- */
-export class MemoryTrustRegistry {
-    entries = new Map();
-    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes) {
-        if (this.entries.has(did))
-            return err('ALREADY_REGISTERED');
-        this.entries.set(did, {
-            did,
-            publicKey,
-            name,
-            scopes: new Set(scopes ?? []),
-            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
-            revoked: false,
-            rotation_sequence: 1, // Initial sequence starts at 1
-            x25519PublicKey,
-            mlKemPublicKey,
-            mlDsaPublicKey,
-            xchange,
-        });
-        return ok(undefined);
-    }
-    async resolve(did) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        if (entry.revoked)
-            return err('REVOKED');
-        return ok(entry.publicKey);
-    }
-    async hasScope(did, scope) {
-        const entry = this.entries.get(did);
-        if (!entry || entry.revoked)
-            return false;
-        return entry.scopes.has(scope);
-    }
-    async hasReceiveScope(did, scope) {
-        const entry = this.entries.get(did);
-        if (!entry || entry.revoked)
-            return false;
-        // Undefined = accept all scopes (backward compatibility)
-        if (!entry.receiveScopes)
-            return true;
-        return entry.receiveScopes.has(scope);
-    }
-    async revoke(did) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        this.entries.set(did, { ...entry, revoked: true });
-        return ok(undefined);
-    }
-    async getEntry(did) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        return ok(entry);
-    }
-    async updateScopes(did, scopes) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        if (entry.revoked)
-            return err('REVOKED');
-        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
-        return ok(undefined);
-    }
-    /** Number of entries (for testing). */
-    get size() {
-        return this.entries.size;
-    }
-}
-/**
- * HTTP-backed trust registry for production use.
- * Delegates to a remote atelier.xail.io service.
- */
-export class HttpTrustRegistry {
-    baseUrl;
-    fetchFn;
-    cacheTtlMs;
-    cacheFailureMode;
-    enablePush;
-    bloomFilterSize;
-    bloomFilterFpr;
-    resolveCache = new Map();
-    entryCache = new Map();
-    constructor(opts) {
-        this.baseUrl = opts.baseUrl.replace(/\/$/, '');
-        this.fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
-        this.cacheTtlMs = opts.cacheTtlMs ?? 30_000;
-        this.cacheFailureMode = opts.cacheFailureMode ?? 'fail-secure';
-        this.enablePush = opts.enablePush ?? false;
-        this.bloomFilterSize = opts.bloomFilterSize ?? 10_000;
-        this.bloomFilterFpr = opts.bloomFilterFpr ?? 0.01;
-    }
-    /** Clear all cached entries. Call after registration or revocation. */
-    clearCache() {
-        this.resolveCache.clear();
-        this.entryCache.clear();
-    }
-    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/register`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({
-                    did,
-                    publicKey: Array.from(publicKey),
-                    name,
-                    scopes: scopes ?? [],
-                    ...(receiveScopes
-                        ? { receiveScopes }
-                        : {}),
-                    ...(x25519PublicKey
-                        ? { x25519PublicKey: Array.from(x25519PublicKey) }
-                        : {}),
-                    ...(mlKemPublicKey
-                        ? { mlKemPublicKey: Array.from(mlKemPublicKey) }
-                        : {}),
-                    ...(mlDsaPublicKey
-                        ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) }
-                        : {}),
-                    ...(xchange !== undefined
-                        ? { xchange }
-                        : {}),
-                }),
-            });
-            if (res.status === 409)
-                return err('ALREADY_REGISTERED');
-            if (!res.ok)
-                return err('NETWORK_ERROR');
-            return ok(undefined);
-        }
-        catch {
-            return err('NETWORK_ERROR');
-        }
-    }
-    async resolve(did) {
-        // Check cache first
-        if (this.cacheTtlMs > 0) {
-            const cached = this.resolveCache.get(did);
-            if (cached && cached.expiry > Date.now())
-                return cached.value;
-        }
-        let result;
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(did)}`);
-            if (res.status === 404)
-                result = err('NOT_FOUND');
-            else if (res.status === 410)
-                result = err('REVOKED');
-            else if (!res.ok)
-                result = err('NETWORK_ERROR');
-            else {
-                const data = (await res.json());
-                result = ok(new Uint8Array(data.publicKey));
-            }
-        }
-        catch {
-            // Network failure - apply cache failure mode
-            const staleCache = this.resolveCache.get(did);
-            if (this.cacheFailureMode === 'fail-secure') {
-                // Fail-secure: reject on cache refresh failure (default)
-                result = err('NETWORK_ERROR');
-            }
-            else {
-                // Fail-open: accept stale cache if available
-                if (staleCache) {
-                    // Return stale cached value
-                    return staleCache.value;
-                }
-                result = err('NETWORK_ERROR');
-            }
-        }
-        // Update cache with fresh result (only if cache enabled)
-        if (this.cacheTtlMs > 0) {
-            this.resolveCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
-        }
-        return result;
-    }
-    async hasScope(did, scope) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
-            return res.ok;
-        }
-        catch {
-            return false;
-        }
-    }
-    async hasReceiveScope(did, scope) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
-            return res.ok;
-        }
-        catch {
-            return false;
-        }
-    }
-    async revoke(did) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(did)}`, { method: 'POST' });
-            if (res.status === 404)
-                return err('NOT_FOUND');
-            if (!res.ok)
-                return err('NETWORK_ERROR');
-            return ok(undefined);
-        }
-        catch {
-            return err('NETWORK_ERROR');
-        }
-    }
-    async getEntry(did) {
-        if (this.cacheTtlMs > 0) {
-            const cached = this.entryCache.get(did);
-            if (cached && cached.expiry > Date.now())
-                return cached.value;
-        }
-        let result;
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(did)}`);
-            if (res.status === 404)
-                result = err('NOT_FOUND');
-            else if (!res.ok)
-                result = err('NETWORK_ERROR');
-            else {
-                const data = (await res.json());
-                result = ok({
-                    did: data.did,
-                    publicKey: new Uint8Array(data.publicKey),
-                    name: data.name,
-                    scopes: new Set(data.scopes),
-                    receiveScopes: data.receiveScopes ? new Set(data.receiveScopes) : undefined,
-                    revoked: data.revoked,
-                    rotation_sequence: data.rotation_sequence ?? 1,
-                    x25519PublicKey: data.x25519PublicKey
-                        ? new Uint8Array(data.x25519PublicKey)
-                        : undefined,
-                    mlKemPublicKey: data.mlKemPublicKey
-                        ? new Uint8Array(data.mlKemPublicKey)
-                        : undefined,
-                    mlDsaPublicKey: data.mlDsaPublicKey
-                        ? new Uint8Array(data.mlDsaPublicKey)
-                        : undefined,
-                    xchange: data.xchange,
-                });
-            }
-        }
-        catch {
-            result = err('NETWORK_ERROR');
-        }
-        if (this.cacheTtlMs > 0) {
-            this.entryCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
-        }
-        return result;
-    }
-    /**
-     * Rotate a DID to a new public key with cryptographic proof.
-     *
-     * Sends rotation request to gateway and invalidates local cache.
-     *
-     * @param did - DID being rotated (old key)
-     * @param newPublicKey - New public key bytes
-     * @param proof - Succession announcement (dual signatures from old and new keys)
-     * @param rotationSequence - Monotonically increasing sequence number (prevents rollback)
-     */
-    async rotate(did, newPublicKey, proof, rotationSequence) {
-        const res = await this.fetchFn(`${this.baseUrl}/registry/rotate`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                did,
-                newPublicKey: Array.from(newPublicKey),
-                proof: Array.from(proof),
-                rotationSequence,
-            }),
-        });
-        if (!res.ok) {
-            throw new Error(`Key rotation failed: ${res.status} ${res.statusText}`);
-        }
-        // Invalidate cache for this DID
-        this.resolveCache.delete(did);
-        this.entryCache.delete(did);
-    }
-    /**
-     * Subscribe to real-time trust events (revocation, key rotation).
-     *
-     * Creates a bloom filter from DIDs and connects WebSocket to gateway.
-     * Events matching subscribed DIDs trigger the callback and invalidate cache.
-     *
-     * @param dids - Array of DIDs to monitor
-     * @param callback - Function called when trust events occur
-     * @returns Unsubscribe function to stop watching
-     *
-     * @throws Error if push notifications not enabled (enablePush: true)
-     */
-    async subscribe(dids, callback) {
-        if (!this.enablePush) {
-            throw new Error('Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)');
-        }
-        // Simple bloom filter: hash each DID to track subscriptions
-        // Production implementation would use full bloom filter library
-        const bloomSet = new Set(dids.map(did => this.hashDid(did)));
-        // Convert HTTP URL to WebSocket URL
-        const wsUrl = this.baseUrl.replace(/^http/, 'ws') + '/trust/events';
-        // SAFETY: WebSocket is a standard browser/Node.js API
-        const ws = new globalThis.WebSocket(wsUrl);
-        ws.addEventListener('open', () => {
-            // Send subscription with bloom filter
-            ws.send(JSON.stringify({
-                type: 'subscribe',
-                dids: dids, // Simple implementation sends full DID list
-                bloomSize: this.bloomFilterSize,
-                bloomFpr: this.bloomFilterFpr,
-            }));
-        });
-        ws.addEventListener('message', (event) => {
-            try {
-                const trustEvent = JSON.parse(event.data);
-                // Check if event DID matches our subscription
-                const eventHash = this.hashDid(trustEvent.did);
-                if (bloomSet.has(eventHash)) {
-                    // Invalidate cache for this DID
-                    if (trustEvent.type === 'revocation' || trustEvent.type === 'succession') {
-                        this.resolveCache.delete(trustEvent.did);
-                        this.entryCache.delete(trustEvent.did);
-                    }
-                    // Notify callback
-                    callback(trustEvent);
-                }
-            }
-            catch (error) {
-                // Ignore malformed events
-                console.warn('Failed to parse trust event:', error);
-            }
-        });
-        ws.addEventListener('error', (error) => {
-            console.error('WebSocket error:', error);
-        });
-        // Return unsubscribe function
-        return () => {
-            if (ws.readyState === globalThis.WebSocket.OPEN) {
-                ws.close();
-            }
-        };
-    }
-    /**
-     * Simple hash function for bloom filter (DID → number).
-     * Production implementation would use proper bloom filter hashing.
-     */
-    hashDid(did) {
-        let hash = 0;
-        for (let i = 0; i < did.length; i++) {
-            hash = ((hash << 5) - hash) + did.charCodeAt(i);
-            hash = hash & hash; // Convert to 32-bit integer
-        }
-        return hash;
-    }
-    /**
-     * Resume subscriptions on this gateway using proofs from another gateway.
-     *
-     * Allows clients to migrate between gateways without re-subscribing.
-     * Validates proofs and restores subscription state.
-     *
-     * @param proofs - Array of subscription proofs from previous gateway.
-     * @returns Success or error.
-     *
-     * @example
-     * ```typescript
-     * const registry = new HttpTrustRegistry({ baseUrl: 'https://atelier2.xail.io' });
-     * const result = await registry.resumeSubscriptions([proof1, proof2]);
-     * ```
-     */
-    async resumeSubscriptions(proofs) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/trust/resume-batch`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ proofs }),
-            });
-            if (!res.ok)
-                return err('NETWORK_ERROR');
-            return ok(undefined);
-        }
-        catch {
-            return err('NETWORK_ERROR');
-        }
-    }
-    /**
-     * Fetch signed checkpoint for a DID (freshness primitive).
-     *
-     * Checkpoints provide cryptographic proof of DID state at a specific timestamp.
-     * Clients verify checkpoint signature and compare rotation_sequence to detect staleness.
-     *
-     * @param did - DID to fetch checkpoint for
-     * @returns Signed checkpoint or error
-     *
-     * @example
-     * ```typescript
-     * const checkpoint = await registry.fetchCheckpoint('did:key:z6Mk...');
-     * if (checkpoint.ok) {
-     *   const verified = await verifyCheckpoint(checkpoint.value, gatewayPubKey);
-     *   if (verified.ok && verified.value) {
-     *     // Use checkpoint for staleness detection
-     *     if (isCacheStale(localCache, checkpoint.value)) {
-     *       // Refresh cache
-     *     }
-     *   }
-     * }
-     * ```
-     */
-    async fetchCheckpoint(did) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(did)}`);
-            if (res.status === 404)
-                return err('NOT_FOUND');
-            if (!res.ok)
-                return err('NETWORK_ERROR');
-            const checkpoint = (await res.json());
-            return ok(checkpoint);
-        }
-        catch {
-            return err('NETWORK_ERROR');
-        }
-    }
-    async updateScopes(did, scopes) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(did)}/scopes`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ scopes }),
-            });
-            if (res.status === 404)
-                return err('NOT_FOUND');
-            if (res.status === 410)
-                return err('REVOKED');
-            if (!res.ok)
-                return err('NETWORK_ERROR');
-            // Clear cache for this DID
-            this.resolveCache.delete(did);
-            this.entryCache.delete(did);
-            return ok(undefined);
-        }
-        catch {
-            return err('NETWORK_ERROR');
-        }
-    }
-}
-/**
- * File-based trust registry using JSONL append-only log.
- * Replays all entries on initialization, keeps in-memory Map for fast access.
- * Suitable for production deployments with local persistence.
- */
-export class FileTrustRegistry {
-    path;
-    entries = new Map();
-    initialized = false;
-    constructor(opts) {
-        this.path = opts.path;
-    }
-    /** Initialize by replaying JSONL log. Called automatically on first operation. */
-    async init() {
-        if (this.initialized)
-            return;
-        try {
-            // Ensure directory exists
-            await fs.mkdir(path.dirname(this.path), { recursive: true });
-            // Read and replay JSONL file
-            const content = await fs.readFile(this.path, 'utf-8').catch(() => '');
-            const lines = content.split('\n').filter((line) => line.trim());
-            for (const line of lines) {
-                const record = JSON.parse(line);
-                if (record.type === 'register' && record.publicKey && record.name) {
-                    this.entries.set(record.did, {
-                        did: record.did,
-                        publicKey: new Uint8Array(record.publicKey),
-                        name: record.name,
-                        scopes: new Set(record.scopes ?? []),
-                        receiveScopes: record.receiveScopes ? new Set(record.receiveScopes) : undefined,
-                        revoked: false,
-                        rotation_sequence: record.rotation_sequence ?? 1,
-                        x25519PublicKey: record.x25519PublicKey
-                            ? new Uint8Array(record.x25519PublicKey)
-                            : undefined,
-                        mlKemPublicKey: record.mlKemPublicKey
-                            ? new Uint8Array(record.mlKemPublicKey)
-                            : undefined,
-                        mlDsaPublicKey: record.mlDsaPublicKey
-                            ? new Uint8Array(record.mlDsaPublicKey)
-                            : undefined,
-                        xchange: record.xchange,
-                    });
-                }
-                else if (record.type === 'revoke') {
-                    const entry = this.entries.get(record.did);
-                    if (entry) {
-                        this.entries.set(record.did, { ...entry, revoked: true });
-                    }
-                }
-                else if (record.type === 'update-scopes') {
-                    const entry = this.entries.get(record.did);
-                    if (entry) {
-                        this.entries.set(record.did, { ...entry, scopes: new Set(record.scopes ?? []) });
-                    }
-                }
-                else if (record.type === 'rotate' && record.publicKey && record.rotation_sequence) {
-                    const entry = this.entries.get(record.did);
-                    if (entry) {
-                        // Only apply rotation if sequence is greater (prevents replaying stale rotations)
-                        if (record.rotation_sequence > entry.rotation_sequence) {
-                            this.entries.set(record.did, {
-                                ...entry,
-                                publicKey: new Uint8Array(record.publicKey),
-                                rotation_sequence: record.rotation_sequence,
-                            });
-                        }
-                    }
-                }
-            }
-        }
-        catch (error) {
-            // If file doesn't exist yet, that's OK - it will be created on first write
-        }
-        this.initialized = true;
-    }
-    /** Append record to JSONL file. */
-    async append(record) {
-        await fs.appendFile(this.path, JSON.stringify(record) + '\n', 'utf-8');
-    }
-    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes) {
-        await this.init();
-        if (this.entries.has(did))
-            return err('ALREADY_REGISTERED');
-        const entry = {
-            did,
-            publicKey,
-            name,
-            scopes: new Set(scopes ?? []),
-            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
-            revoked: false,
-            rotation_sequence: 1, // Initial sequence starts at 1
-            x25519PublicKey,
-            mlKemPublicKey,
-            mlDsaPublicKey,
-            xchange,
-        };
-        this.entries.set(did, entry);
-        // Append to JSONL
-        await this.append({
-            type: 'register',
-            did,
-            publicKey: Array.from(publicKey),
-            name,
-            scopes: scopes ?? [],
-            rotation_sequence: 1,
-            ...(receiveScopes ? { receiveScopes } : {}),
-            ...(x25519PublicKey ? { x25519PublicKey: Array.from(x25519PublicKey) } : {}),
-            ...(mlKemPublicKey ? { mlKemPublicKey: Array.from(mlKemPublicKey) } : {}),
-            ...(mlDsaPublicKey ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) } : {}),
-            ...(xchange !== undefined ? { xchange } : {}),
-        });
-        return ok(undefined);
-    }
-    async resolve(did) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        if (entry.revoked)
-            return err('REVOKED');
-        return ok(entry.publicKey);
-    }
-    async hasScope(did, scope) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry || entry.revoked)
-            return false;
-        return entry.scopes.has(scope);
-    }
-    async hasReceiveScope(did, scope) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry || entry.revoked)
-            return false;
-        // Undefined = accept all scopes (backward compatibility)
-        if (!entry.receiveScopes)
-            return true;
-        return entry.receiveScopes.has(scope);
-    }
-    async revoke(did) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        this.entries.set(did, { ...entry, revoked: true });
-        await this.append({ type: 'revoke', did });
-        return ok(undefined);
-    }
-    async getEntry(did) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        return ok(entry);
-    }
-    async updateScopes(did, scopes) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return err('NOT_FOUND');
-        if (entry.revoked)
-            return err('REVOKED');
-        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
-        await this.append({ type: 'update-scopes', did, scopes });
-        return ok(undefined);
-    }
-    /**
-     * Rotate a DID to a new public key with rollback protection.
-     *
-     * Validates that rotationSequence is greater than current sequence to prevent
-     * rollback attacks. Appends rotation event to JSONL and updates in-memory state.
-     *
-     * @param did - DID being rotated
-     * @param newPublicKey - New public key bytes
-     * @param proof - Cryptographic proof (e.g., signature from old key)
-     * @param rotationSequence - Monotonically increasing sequence number
-     * @throws Error if DID not found or sequence validation fails
-     */
-    async rotate(did, newPublicKey, proof, rotationSequence) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry) {
-            throw new Error(`DID not found: ${did}`);
-        }
-        // Rollback protection: new sequence must be greater than current
-        if (rotationSequence <= entry.rotation_sequence) {
-            throw new Error(`Rotation sequence ${rotationSequence} must be > current ${entry.rotation_sequence} (rollback attack prevented)`);
-        }
-        // Append rotation event to JSONL
-        await this.append({
-            type: 'rotate',
-            did,
-            publicKey: Array.from(newPublicKey),
-            proof: Array.from(proof),
-            rotation_sequence: rotationSequence,
-            timestamp: Date.now(),
-        });
-        // Update in-memory entry
-        this.entries.set(did, {
-            ...entry,
-            publicKey: newPublicKey,
-            rotation_sequence: rotationSequence,
-        });
-    }
-    /** Number of entries (for testing). */
-    get size() {
-        return this.entries.size;
-    }
-}
-/* ── Enterprise Factory ── */
-/**
- * Create an enterprise trust registry with optional pre-population.
- * Suitable for corporate deployments with centralized trust management.
- *
- * @example
- * ```typescript
- * const registry = await TrustRegistry.enterprise({
- *   storage: 'file',
- *   path: '/opt/corp/trust.jsonl',
- *   preload: [
- *     { did: 'did:web:corp.example.com', publicKey: ..., name: 'Corporate Gateway' }
- *   ]
- * });
- * ```
- */
-export async function createEnterpriseTrustRegistry(opts) {
-    let registry;
-    if (opts.storage === 'file') {
-        if (!opts.path)
-            throw new Error('FileTrustRegistry requires path option');
-        registry = new FileTrustRegistry({ path: opts.path });
-    }
-    else if (opts.storage === 'http') {
-        if (!opts.baseUrl)
-            throw new Error('HttpTrustRegistry requires baseUrl option');
-        registry = new HttpTrustRegistry({ baseUrl: opts.baseUrl });
-    }
-    else {
-        registry = new MemoryTrustRegistry();
-    }
-    // Pre-populate if requested
-    if (opts.preload) {
-        for (const entry of opts.preload) {
-            await registry.register(entry.did, entry.publicKey, entry.name, entry.scopes, entry.x25519PublicKey, entry.mlKemPublicKey, entry.mlDsaPublicKey, entry.xchange, entry.receiveScopes);
-        }
-    }
-    return registry;
-}
+import{ok,err}from"./_deps/shared/index.js";import*as fs from"node:fs/promises";import*as path from"node:path";function isExpired(e){return!!e.expiresAt&&Date.now()>e.expiresAt}export class RegistrationRateLimiter{perIPTimestamps=new Map;globalTimestamps=[];perIPLimit;globalLimit;windowMs;cleanupInterval=null;constructor(e=10,t=1e3,i=36e5){this.perIPLimit=e,this.globalLimit=t,this.windowMs=i,this.cleanupInterval=setInterval(()=>this.cleanup(),3e5)}checkLimit(e){const t=Date.now()-this.windowMs;if((this.perIPTimestamps.get(e)||[]).filter(e=>e>t).length>=this.perIPLimit)return!1;return!(this.globalTimestamps.filter(e=>e>t).length>=this.globalLimit)}recordRegistration(e){const t=Date.now(),i=this.perIPTimestamps.get(e)||[];i.push(t),this.perIPTimestamps.set(e,i),this.globalTimestamps.push(t)}getRemainingForIP(e){const t=Date.now()-this.windowMs,i=(this.perIPTimestamps.get(e)||[]).filter(e=>e>t);return Math.max(0,this.perIPLimit-i.length)}getRemainingGlobal(){const e=Date.now()-this.windowMs,t=this.globalTimestamps.filter(t=>t>e);return Math.max(0,this.globalLimit-t.length)}getResetTimeForIP(e){const t=this.perIPTimestamps.get(e)||[];if(0===t.length)return null;const i=t[0];return i?i+this.windowMs:null}cleanup(){const e=Date.now()-this.windowMs;for(const[t,i]of this.perIPTimestamps.entries()){const s=i.filter(t=>t>e);0===s.length?this.perIPTimestamps.delete(t):this.perIPTimestamps.set(t,s)}const t=this.globalTimestamps.filter(t=>t>e);this.globalTimestamps.length=0,this.globalTimestamps.push(...t)}destroy(){this.cleanupInterval&&(clearInterval(this.cleanupInterval),this.cleanupInterval=null)}reset(){this.perIPTimestamps.clear(),this.globalTimestamps.length=0}}export class MemoryTrustRegistry{entries=new Map;rateLimiter;constructor(e){e?.enableRateLimiting&&(this.rateLimiter=e.rateLimiter||new RegistrationRateLimiter)}async register(e,t,i,s,r,n,o,a,c,l,h,p,u,d){if(this.rateLimiter&&d&&!this.rateLimiter.checkLimit(d))return err("RATE_LIMIT_EXCEEDED");if(this.entries.has(e))return err("ALREADY_REGISTERED");const y=u?Date.now()+u:void 0;return this.entries.set(e,{did:e,publicKey:t,name:i,scopes:new Set(s??[]),receiveScopes:c?new Set(c):void 0,revoked:!1,rotation_sequence:1,x25519PublicKey:r,mlKemPublicKey:n,mlDsaPublicKey:o,xchange:a,sdkVersion:l,minEnvelopeVersion:h,maxEnvelopeVersion:p,expiresAt:y}),this.rateLimiter&&d&&this.rateLimiter.recordRegistration(d),ok(void 0)}async resolve(e){const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):t.revoked?err("REVOKED"):ok(t.publicKey):err("NOT_FOUND")}async hasScope(e,t){const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&i.scopes.has(t)}async hasReceiveScope(e,t){const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&(!i.receiveScopes||i.receiveScopes.has(t))}async revoke(e){const t=this.entries.get(e);return t?(this.entries.set(e,{...t,revoked:!0}),ok(void 0)):err("NOT_FOUND")}async getEntry(e){const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):ok(t):err("NOT_FOUND")}async updateScopes(e,t){const i=this.entries.get(e);return i?isExpired(i)?err("EXPIRED"):i.revoked?err("REVOKED"):(this.entries.set(e,{...i,scopes:new Set(t)}),ok(void 0)):err("NOT_FOUND")}async cleanup(){let e=0;const t=Date.now();for(const[i,s]of this.entries)s.expiresAt&&t>s.expiresAt&&(this.entries.delete(i),e++);return e}get size(){return this.entries.size}}export class HttpTrustRegistry{baseUrl;fetchFn;cacheTtlMs;cacheFailureMode;enablePush;bloomFilterSize;bloomFilterFpr;resolveCache=new Map;entryCache=new Map;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.fetchFn=e.fetch??globalThis.fetch.bind(globalThis),this.cacheTtlMs=e.cacheTtlMs??3e4,this.cacheFailureMode=e.cacheFailureMode??"fail-secure",this.enablePush=e.enablePush??!1,this.bloomFilterSize=e.bloomFilterSize??1e4,this.bloomFilterFpr=e.bloomFilterFpr??.01}clearCache(){this.resolveCache.clear(),this.entryCache.clear()}async register(e,t,i,s,r,n,o,a,c,l,h,p,u,d){try{const d=await this.fetchFn(`${this.baseUrl}/registry/register`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({did:e,publicKey:Array.from(t),name:i,scopes:s??[],...c?{receiveScopes:c}:{},...r?{x25519PublicKey:Array.from(r)}:{},...n?{mlKemPublicKey:Array.from(n)}:{},...o?{mlDsaPublicKey:Array.from(o)}:{},...void 0!==a?{xchange:a}:{},...void 0!==l?{sdkVersion:l}:{},...void 0!==h?{minEnvelopeVersion:h}:{},...void 0!==p?{maxEnvelopeVersion:p}:{},...void 0!==u?{ttlMs:u}:{}})});return 409===d.status?err("ALREADY_REGISTERED"):429===d.status?err("RATE_LIMIT_EXCEEDED"):d.ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}async resolve(e){if(this.cacheTtlMs>0){const t=this.resolveCache.get(e);if(t&&t.expiry>Date.now())return t.value}let t;try{const i=await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(e)}`);if(404===i.status)t=err("NOT_FOUND");else if(408===i.status)t=err("EXPIRED");else if(410===i.status)t=err("REVOKED");else if(i.ok){const e=await i.json();t=ok(new Uint8Array(e.publicKey))}else t=err("NETWORK_ERROR")}catch{const i=this.resolveCache.get(e);if("fail-secure"===this.cacheFailureMode)t=err("NETWORK_ERROR");else{if(i)return i.value;t=err("NETWORK_ERROR")}}return this.cacheTtlMs>0&&this.resolveCache.set(e,{value:t,expiry:Date.now()+this.cacheTtlMs}),t}async hasScope(e,t){try{return(await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(e)}/${encodeURIComponent(t)}`)).ok}catch{return!1}}async hasReceiveScope(e,t){try{return(await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(e)}/${encodeURIComponent(t)}`)).ok}catch{return!1}}async revoke(e){try{const t=await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(e)}`,{method:"POST"});return 404===t.status?err("NOT_FOUND"):t.ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}async getEntry(e){if(this.cacheTtlMs>0){const t=this.entryCache.get(e);if(t&&t.expiry>Date.now())return t.value}let t;try{const i=await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(e)}`);if(404===i.status)t=err("NOT_FOUND");else if(408===i.status)t=err("EXPIRED");else if(i.ok){const e=await i.json();t=ok({did:e.did,publicKey:new Uint8Array(e.publicKey),name:e.name,scopes:new Set(e.scopes),receiveScopes:e.receiveScopes?new Set(e.receiveScopes):void 0,revoked:e.revoked,rotation_sequence:e.rotation_sequence??1,x25519PublicKey:e.x25519PublicKey?new Uint8Array(e.x25519PublicKey):void 0,mlKemPublicKey:e.mlKemPublicKey?new Uint8Array(e.mlKemPublicKey):void 0,mlDsaPublicKey:e.mlDsaPublicKey?new Uint8Array(e.mlDsaPublicKey):void 0,xchange:e.xchange,sdkVersion:e.sdkVersion,minEnvelopeVersion:e.minEnvelopeVersion,maxEnvelopeVersion:e.maxEnvelopeVersion,expiresAt:e.expiresAt})}else t=err("NETWORK_ERROR")}catch{t=err("NETWORK_ERROR")}return this.cacheTtlMs>0&&this.entryCache.set(e,{value:t,expiry:Date.now()+this.cacheTtlMs}),t}async rotate(e,t,i,s){const r=await this.fetchFn(`${this.baseUrl}/registry/rotate`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({did:e,newPublicKey:Array.from(t),proof:Array.from(i),rotationSequence:s})});if(!r.ok)throw new Error(`Key rotation failed: ${r.status} ${r.statusText}`);this.resolveCache.delete(e),this.entryCache.delete(e)}async subscribe(e,t){if(!this.enablePush)throw new Error("Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)");const i=new Set(e.map(e=>this.hashDid(e))),s=this.baseUrl.replace(/^http/,"ws")+"/trust/events",r=new globalThis.WebSocket(s);return r.addEventListener("open",()=>{r.send(JSON.stringify({type:"subscribe",dids:e,bloomSize:this.bloomFilterSize,bloomFpr:this.bloomFilterFpr}))}),r.addEventListener("message",e=>{try{const s=JSON.parse(e.data),r=this.hashDid(s.did);i.has(r)&&("revocation"!==s.type&&"succession"!==s.type||(this.resolveCache.delete(s.did),this.entryCache.delete(s.did)),t(s))}catch(e){console.warn("Failed to parse trust event:",e)}}),r.addEventListener("error",e=>{console.error("WebSocket error:",e)}),()=>{r.readyState===globalThis.WebSocket.OPEN&&r.close()}}hashDid(e){let t=0;for(let i=0;i<e.length;i++)t=(t<<5)-t+e.charCodeAt(i),t&=t;return t}async resumeSubscriptions(e){try{return(await this.fetchFn(`${this.baseUrl}/trust/resume-batch`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({proofs:e})})).ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}async fetchCheckpoint(e){try{const t=await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(e)}`);if(404===t.status)return err("NOT_FOUND");if(!t.ok)return err("NETWORK_ERROR");const i=await t.json();return ok(i)}catch{return err("NETWORK_ERROR")}}async updateScopes(e,t){try{const i=await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(e)}/scopes`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({scopes:t})});return 404===i.status?err("NOT_FOUND"):410===i.status?err("REVOKED"):i.ok?(this.resolveCache.delete(e),this.entryCache.delete(e),ok(void 0)):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}}export class FileTrustRegistry{path;entries=new Map;initialized=!1;constructor(e){this.path=e.path}async init(){if(!this.initialized){try{await fs.mkdir(path.dirname(this.path),{recursive:!0});const e=(await fs.readFile(this.path,"utf-8").catch(()=>"")).split("\n").filter(e=>e.trim());for(const t of e){const e=JSON.parse(t);if("register"===e.type&&e.publicKey&&e.name)this.entries.set(e.did,{did:e.did,publicKey:new Uint8Array(e.publicKey),name:e.name,scopes:new Set(e.scopes??[]),receiveScopes:e.receiveScopes?new Set(e.receiveScopes):void 0,revoked:!1,rotation_sequence:e.rotation_sequence??1,x25519PublicKey:e.x25519PublicKey?new Uint8Array(e.x25519PublicKey):void 0,mlKemPublicKey:e.mlKemPublicKey?new Uint8Array(e.mlKemPublicKey):void 0,mlDsaPublicKey:e.mlDsaPublicKey?new Uint8Array(e.mlDsaPublicKey):void 0,xchange:e.xchange,sdkVersion:e.sdkVersion,minEnvelopeVersion:e.minEnvelopeVersion,maxEnvelopeVersion:e.maxEnvelopeVersion,expiresAt:e.expiresAt});else if("revoke"===e.type){const t=this.entries.get(e.did);t&&this.entries.set(e.did,{...t,revoked:!0})}else if("update-scopes"===e.type){const t=this.entries.get(e.did);t&&this.entries.set(e.did,{...t,scopes:new Set(e.scopes??[])})}else if("rotate"===e.type&&e.publicKey&&e.rotation_sequence){const t=this.entries.get(e.did);t&&e.rotation_sequence>t.rotation_sequence&&this.entries.set(e.did,{...t,publicKey:new Uint8Array(e.publicKey),rotation_sequence:e.rotation_sequence})}}}catch(e){}this.initialized=!0}}async append(e){await fs.appendFile(this.path,JSON.stringify(e)+"\n","utf-8")}async register(e,t,i,s,r,n,o,a,c,l,h,p,u,d){if(await this.init(),this.entries.has(e))return err("ALREADY_REGISTERED");const y=u?Date.now()+u:void 0,m={did:e,publicKey:t,name:i,scopes:new Set(s??[]),receiveScopes:c?new Set(c):void 0,revoked:!1,rotation_sequence:1,x25519PublicKey:r,mlKemPublicKey:n,mlDsaPublicKey:o,xchange:a,sdkVersion:l,minEnvelopeVersion:h,maxEnvelopeVersion:p,expiresAt:y};return this.entries.set(e,m),await this.append({type:"register",did:e,publicKey:Array.from(t),name:i,scopes:s??[],rotation_sequence:1,...c?{receiveScopes:c}:{},...r?{x25519PublicKey:Array.from(r)}:{},...n?{mlKemPublicKey:Array.from(n)}:{},...o?{mlDsaPublicKey:Array.from(o)}:{},...void 0!==a?{xchange:a}:{},...void 0!==l?{sdkVersion:l}:{},...void 0!==h?{minEnvelopeVersion:h}:{},...void 0!==p?{maxEnvelopeVersion:p}:{},...void 0!==y?{expiresAt:y}:{}}),ok(void 0)}async resolve(e){await this.init();const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):t.revoked?err("REVOKED"):ok(t.publicKey):err("NOT_FOUND")}async hasScope(e,t){await this.init();const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&i.scopes.has(t)}async hasReceiveScope(e,t){await this.init();const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&(!i.receiveScopes||i.receiveScopes.has(t))}async revoke(e){await this.init();const t=this.entries.get(e);return t?(this.entries.set(e,{...t,revoked:!0}),await this.append({type:"revoke",did:e}),ok(void 0)):err("NOT_FOUND")}async getEntry(e){await this.init();const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):ok(t):err("NOT_FOUND")}async updateScopes(e,t){await this.init();const i=this.entries.get(e);return i?isExpired(i)?err("EXPIRED"):i.revoked?err("REVOKED"):(this.entries.set(e,{...i,scopes:new Set(t)}),await this.append({type:"update-scopes",did:e,scopes:t}),ok(void 0)):err("NOT_FOUND")}async cleanup(){await this.init();let e=0;const t=Date.now();for(const[i,s]of this.entries)s.expiresAt&&t>s.expiresAt&&(this.entries.delete(i),e++);return e}async rotate(e,t,i,s){await this.init();const r=this.entries.get(e);if(!r)throw new Error(`DID not found: ${e}`);if(s<=r.rotation_sequence)throw new Error(`Rotation sequence ${s} must be > current ${r.rotation_sequence} (rollback attack prevented)`);await this.append({type:"rotate",did:e,publicKey:Array.from(t),proof:Array.from(i),rotation_sequence:s,timestamp:Date.now()}),this.entries.set(e,{...r,publicKey:t,rotation_sequence:s})}get size(){return this.entries.size}}export async function createEnterpriseTrustRegistry(e){let t;if("file"===e.storage){if(!e.path)throw new Error("FileTrustRegistry requires path option");t=new FileTrustRegistry({path:e.path})}else if("http"===e.storage){if(!e.baseUrl)throw new Error("HttpTrustRegistry requires baseUrl option");t=new HttpTrustRegistry({baseUrl:e.baseUrl})}else t=new MemoryTrustRegistry;if(e.preload)for(const i of e.preload)await t.register(i.did,i.publicKey,i.name,i.scopes,i.x25519PublicKey,i.mlKemPublicKey,i.mlDsaPublicKey,i.xchange,i.receiveScopes,i.sdkVersion,i.minEnvelopeVersion,i.maxEnvelopeVersion);return t}