@private.me/xbind 1.3.5 → 3.0.0

package/dist-standalone/cjs/split-channel.js

@@ -1,177 +1 @@
-"use strict";
-/**
- * XorIDA split-channel bridge for @private.me/xbind.
- *
- * Bridges @private.me/crypto threshold sharing with the agent-sdk
- * TransportEnvelope format. Splits plaintext into n shares with HMAC
- * integrity, each share wrapped in its own envelope for independent routing.
- *
- * Pipeline:
- *   split:  pad -> HMAC -> XorIDA split -> share Uint8Arrays with metadata
- *   reconstruct: collect k shares -> XorIDA reconstruct -> HMAC verify -> unpad
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_SPLIT_CONFIG = void 0;
-exports.splitForChannel = splitForChannel;
-exports.splitForChannelWithGroupId = splitForChannelWithGroupId;
-exports.reconstructFromChannel = reconstructFromChannel;
-const shared_1 = require("../_deps/shared/index.js");
-const crypto_1 = require("../_deps/crypto/index.js");
-/** Default split-channel configuration: 3 shares, threshold 2. */
-exports.DEFAULT_SPLIT_CONFIG = {
-    totalShares: 3,
-    threshold: 2,
-};
-/* ── Split ── */
-/**
- * Split plaintext into n shares via XorIDA with HMAC integrity.
- *
- * Pipeline: pad(PKCS#7) -> HMAC(padded) -> XorIDA split -> ChannelShare[]
- *
- * @param plaintext - Raw plaintext bytes to split
- * @param config - Split configuration (totalShares, threshold)
- * @returns Array of n ChannelShare objects ready for envelope wrapping
- */
-async function splitForChannel(plaintext, config = exports.DEFAULT_SPLIT_CONFIG) {
-    const { totalShares: n, threshold: k } = config;
-    if (n < 2 || k < 2 || k > n) {
-        return (0, shared_1.err)('SPLIT_FAILED:INVALID_PARAMS');
-    }
-    const groupId = (0, crypto_1.generateUUID)();
-    return splitForChannelWithGroupId(plaintext, config, groupId);
-}
-/**
- * Split plaintext with a specific groupId (for testability).
- *
- * @param plaintext - Raw plaintext bytes
- * @param config - Split configuration
- * @param groupId - UUID to use for the share group
- * @returns Array of ChannelShare objects
- */
-async function splitForChannelWithGroupId(plaintext, config, groupId) {
-    const { totalShares: n, threshold: k } = config;
-    if (n < 2 || k < 2 || k > n) {
-        return (0, shared_1.err)('SPLIT_FAILED:INVALID_PARAMS');
-    }
-    const p = (0, crypto_1.nextOddPrime)(n);
-    const blockSize = p - 1;
-    const padded = (0, crypto_1.pkcs7Pad)(plaintext, blockSize);
-    const { key: hmacKey, signature: hmacSig } = await (0, crypto_1.generateHMAC)(padded);
-    let shareArrays;
-    try {
-        shareArrays = (0, crypto_1.splitXorIDA)(padded, n, k);
-    }
-    catch {
-        return (0, shared_1.err)('SPLIT_FAILED');
-    }
-    const hmacKeyB64 = (0, crypto_1.toBase64)(hmacKey);
-    const hmacSigB64 = (0, crypto_1.toBase64)(hmacSig);
-    const shares = shareArrays.map((data, index) => ({
-        data: (0, crypto_1.formatShareHeader)((0, crypto_1.toBase64)(data)),
-        index,
-        total: n,
-        threshold: k,
-        groupId,
-        hmacKey: hmacKeyB64,
-        hmacSig: hmacSigB64,
-    }));
-    return (0, shared_1.ok)(shares);
-}
-/* ── Reconstruct ── */
-/**
- * Reconstruct plaintext from k-of-n shares.
- *
- * Pipeline: validate -> XorIDA reconstruct -> HMAC verify -> unpad -> plaintext
- * HMAC verification happens BEFORE the data is trusted.
- *
- * @param shares - Array of at least k ChannelShare objects
- * @returns Reconstructed plaintext bytes
- */
-async function reconstructFromChannel(shares) {
-    const validationResult = validateShares(shares);
-    if (!validationResult.ok)
-        return validationResult;
-    const { k, n } = validationResult.value;
-    const usedShares = shares.slice(0, k);
-    return reconstructValidated(usedShares, n, k);
-}
-/**
- * Validate share consistency before reconstruction.
- *
- * @param shares - Shares to validate
- * @returns Validated parameters or error
- */
-function validateShares(shares) {
-    if (shares.length === 0) {
-        return (0, shared_1.err)('INSUFFICIENT_SHARES');
-    }
-    const first = shares[0];
-    const k = first.threshold;
-    const n = first.total;
-    if (shares.length < k) {
-        return (0, shared_1.err)('INSUFFICIENT_SHARES');
-    }
-    const indexSet = new Set();
-    for (const share of shares) {
-        if (share.groupId !== first.groupId) {
-            return (0, shared_1.err)('INCONSISTENT_SHARES');
-        }
-        if (share.total !== n || share.threshold !== k) {
-            return (0, shared_1.err)('INCONSISTENT_SHARES');
-        }
-        if (share.index < 0 || share.index >= n) {
-            return (0, shared_1.err)('INVALID_SHARE_DATA');
-        }
-        if (indexSet.has(share.index)) {
-            return (0, shared_1.err)('INVALID_SHARE_DATA');
-        }
-        indexSet.add(share.index);
-    }
-    return (0, shared_1.ok)({ k, n, groupId: first.groupId });
-}
-/**
- * Perform XorIDA reconstruction and HMAC verification.
- *
- * @param usedShares - Exactly k validated shares
- * @param n - Total shares
- * @param k - Threshold
- * @returns Reconstructed plaintext
- */
-async function reconstructValidated(usedShares, n, k) {
-    let shareData;
-    try {
-        shareData = usedShares.map((s) => (0, crypto_1.fromBase64)((0, crypto_1.parseShareHeader)(s.data)));
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_SHARE_DATA:BASE64');
-    }
-    const indices = usedShares.map((s) => s.index);
-    let padded;
-    try {
-        padded = (0, crypto_1.reconstructXorIDA)(shareData, indices, n, k);
-    }
-    catch {
-        return (0, shared_1.err)('SPLIT_FAILED:RECONSTRUCT');
-    }
-    const first = usedShares[0];
-    let hmacKey;
-    let hmacSig;
-    try {
-        hmacKey = (0, crypto_1.fromBase64)(first.hmacKey);
-        hmacSig = (0, crypto_1.fromBase64)(first.hmacSig);
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_SHARE_DATA:HMAC_DECODE');
-    }
-    const hmacValid = await (0, crypto_1.verifyHMAC)(hmacKey, padded, hmacSig);
-    if (!hmacValid) {
-        return (0, shared_1.err)('HMAC_VERIFICATION_FAILED');
-    }
-    const p = (0, crypto_1.nextOddPrime)(n);
-    const blockSize = p - 1;
-    const unpadResult = (0, crypto_1.pkcs7Unpad)(padded, blockSize);
-    if (!unpadResult.ok) {
-        return (0, shared_1.err)('UNPAD_FAILED');
-    }
-    return (0, shared_1.ok)(unpadResult.value);
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.DEFAULT_SPLIT_CONFIG=void 0,exports.splitForChannel=splitForChannel,exports.splitForChannelWithGroupId=splitForChannelWithGroupId,exports.reconstructFromChannel=reconstructFromChannel;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js");async function splitForChannel(r,t=exports.DEFAULT_SPLIT_CONFIG){const{totalShares:e,threshold:s}=t;if(e<2||s<2||s>e)return(0,shared_1.err)("SPLIT_FAILED:INVALID_PARAMS");return splitForChannelWithGroupId(r,t,(0,crypto_utils_js_1.generateUUID)())}async function splitForChannelWithGroupId(r,t,e){const{totalShares:s,threshold:_}=t;if(s<2||_<2||_>s)return(0,shared_1.err)("SPLIT_FAILED:INVALID_PARAMS");const o=(0,crypto_utils_js_1.nextOddPrime)(s)-1,a=(0,crypto_utils_js_1.pkcs7Pad)(r,o),{key:n,signature:i}=await(0,crypto_utils_js_1.generateHMAC)(a);let c;try{c=(0,crypto_utils_js_1.splitXorIDA)(a,s,_)}catch{return(0,shared_1.err)("SPLIT_FAILED")}const u=(0,crypto_utils_js_1.toBase64)(n),l=(0,crypto_utils_js_1.toBase64)(i),d=c.map((r,t)=>({data:(0,crypto_utils_js_1.formatShareHeader)((0,crypto_utils_js_1.toBase64)(r)),index:t,total:s,threshold:_,groupId:e,hmacKey:u,hmacSig:l}));return(0,shared_1.ok)(d)}async function reconstructFromChannel(r){const t=validateShares(r);if(!t.ok)return t;const{k:e,n:s}=t.value;return reconstructValidated(r.slice(0,e),s,e)}function validateShares(r){if(0===r.length)return(0,shared_1.err)("INSUFFICIENT_SHARES");const t=r[0],e=t.threshold,s=t.total;if(r.length<e)return(0,shared_1.err)("INSUFFICIENT_SHARES");const _=new Set;for(const o of r){if(o.groupId!==t.groupId)return(0,shared_1.err)("INCONSISTENT_SHARES");if(o.total!==s||o.threshold!==e)return(0,shared_1.err)("INCONSISTENT_SHARES");if(o.index<0||o.index>=s)return(0,shared_1.err)("INVALID_SHARE_DATA");if(_.has(o.index))return(0,shared_1.err)("INVALID_SHARE_DATA");_.add(o.index)}return(0,shared_1.ok)({k:e,n:s,groupId:t.groupId})}async function reconstructValidated(r,t,e){let s;try{s=r.map(r=>(0,crypto_utils_js_1.fromBase64)((0,crypto_utils_js_1.parseShareHeader)(r.data)))}catch{return(0,shared_1.err)("INVALID_SHARE_DATA:BASE64")}const _=r.map(r=>r.index);let o;try{o=(0,crypto_utils_js_1.reconstructXorIDA)(s,_,t,e)}catch{return(0,shared_1.err)("SPLIT_FAILED:RECONSTRUCT")}const a=r[0];let n,i;try{n=(0,crypto_utils_js_1.fromBase64)(a.hmacKey),i=(0,crypto_utils_js_1.fromBase64)(a.hmacSig)}catch{return(0,shared_1.err)("INVALID_SHARE_DATA:HMAC_DECODE")}if(!await(0,crypto_utils_js_1.verifyHMAC)(n,o,i))return(0,shared_1.err)("HMAC_VERIFICATION_FAILED");const c=(0,crypto_utils_js_1.nextOddPrime)(t)-1,u=(0,crypto_utils_js_1.pkcs7Unpad)(o,c);return u.ok?(0,shared_1.ok)(u.value):(0,shared_1.err)("UNPAD_FAILED")}exports.DEFAULT_SPLIT_CONFIG={totalShares:3,threshold:2};

package/dist-standalone/cjs/subscription-proof.js

@@ -1,230 +1 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createSubscriptionProof = createSubscriptionProof;
-exports.verifySubscriptionProof = verifySubscriptionProof;
-exports.resumeSubscription = resumeSubscription;
-exports.hashBloomFilter = hashBloomFilter;
-const shared_1 = require("../_deps/shared/index.js");
-const identity_js_1 = require("./identity.js");
-/* ── Internal Helpers ── */
-/**
- * Compute SHA-256 hash of a Uint8Array.
- *
- * @param data - Data to hash.
- * @returns Hex-encoded SHA-256 hash.
- */
-async function sha256Hash(data) {
-    try {
-        // SAFETY: Creating fresh copy ensures proper ArrayBuffer type (not SharedArrayBuffer)
-        const buffer = new Uint8Array(data);
-        const hashBuffer = await crypto.subtle.digest('SHA-256', buffer);
-        const hashArray = Array.from(new Uint8Array(hashBuffer));
-        const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
-        return (0, shared_1.ok)(hashHex);
-    }
-    catch {
-        return (0, shared_1.err)('HASH_FAILED');
-    }
-}
-/**
- * Serialize subscription proof data for signing (canonical format).
- *
- * Format: type|version|peer_did|bloom_filter_hash|asserted_at|expires_at
- *
- * @param proof - Subscription proof (without signature).
- * @returns Canonical byte representation.
- */
-function serializeForSigning(proof) {
-    const canonical = `${proof.type}|${proof.version}|${proof.peer_did}|${proof.bloom_filter_hash}|${proof.asserted_at}|${proof.expires_at}`;
-    return new TextEncoder().encode(canonical);
-}
-/**
- * Base64 encode (standard, not URL-safe).
- */
-function toBase64(data) {
-    // Use Buffer in Node.js, btoa in browser
-    if (typeof Buffer !== 'undefined') {
-        return Buffer.from(data).toString('base64');
-    }
-    // SAFETY: btoa is standard in browsers
-    return globalThis.btoa(String.fromCharCode(...data));
-}
-/**
- * Base64 decode (standard, not URL-safe).
- */
-function fromBase64(data) {
-    // Use Buffer in Node.js, atob in browser
-    if (typeof Buffer !== 'undefined') {
-        return new Uint8Array(Buffer.from(data, 'base64'));
-    }
-    // SAFETY: atob is standard in browsers
-    const binary = globalThis.atob(data);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-}
-/* ── Public API ── */
-/**
- * Create a subscription proof (client-side).
- *
- * Signs a bloom filter hash with the peer's ML-DSA-65 private key, creating
- * a portable proof that can be used to resume subscriptions on a new gateway.
- *
- * @param peerDid - Subscriber's DID (must match the private key).
- * @param bloomFilterHash - SHA-256 hash of the bloom filter (hex string).
- * @param privateKey - 32-byte ML-DSA-65 secret key seed.
- * @param expiresAt - Optional expiration timestamp (ms). Default: 30 days from now.
- * @returns Subscription proof with ML-DSA-65 signature.
- *
- * @example
- * ```typescript
- * const proof = await createSubscriptionProof(
- *   'did:key:z6Mk...',
- *   'a1b2c3...',
- *   mlDsaPrivateKey,
- *   Date.now() + 30 * 24 * 60 * 60 * 1000
- * );
- * ```
- */
-async function createSubscriptionProof(peerDid, bloomFilterHash, privateKey, expiresAt) {
-    const assertedAt = Date.now();
-    const expiresAtFinal = expiresAt ?? (assertedAt + 30 * 24 * 60 * 60 * 1000); // 30 days default
-    // Build proof without signature
-    const proofWithoutSig = {
-        type: 'SubscriptionProof',
-        version: '1.0',
-        peer_did: peerDid,
-        bloom_filter_hash: bloomFilterHash,
-        asserted_at: assertedAt,
-        expires_at: expiresAtFinal,
-    };
-    // Serialize and sign
-    const dataToSign = serializeForSigning(proofWithoutSig);
-    const signatureResult = await (0, identity_js_1.signMlDsa65)(privateKey, dataToSign);
-    if (!signatureResult.ok) {
-        return (0, shared_1.err)('SIGNATURE_VERIFICATION_FAILED');
-    }
-    const signature = signatureResult.value;
-    if (signature.length !== identity_js_1.ML_DSA65_SIG_BYTES) {
-        return (0, shared_1.err)('SIGNATURE_VERIFICATION_FAILED');
-    }
-    // Build final proof
-    const proof = {
-        ...proofWithoutSig,
-        peer_signature_algorithm: 'ML-DSA-65',
-        peer_signature: toBase64(signature),
-    };
-    return (0, shared_1.ok)(proof);
-}
-/**
- * Verify a subscription proof (gateway-side).
- *
- * Validates the ML-DSA-65 signature and checks expiration.
- *
- * @param proof - Subscription proof to verify.
- * @param peerPublicKey - 1952-byte ML-DSA-65 public key of the subscriber.
- * @returns true if valid, false if invalid or expired.
- *
- * @example
- * ```typescript
- * const isValid = await verifySubscriptionProof(proof, mlDsaPublicKey);
- * if (isValid.ok && isValid.value) {
- *   // Resume subscription
- * }
- * ```
- */
-async function verifySubscriptionProof(proof, peerPublicKey) {
-    // Check proof version
-    if (proof.version !== '1.0' || proof.type !== 'SubscriptionProof') {
-        return (0, shared_1.ok)(false);
-    }
-    // Check expiration
-    if (Date.now() > proof.expires_at) {
-        return (0, shared_1.err)('EXPIRED');
-    }
-    // Check signature algorithm
-    if (proof.peer_signature_algorithm !== 'ML-DSA-65') {
-        return (0, shared_1.ok)(false);
-    }
-    // Decode signature
-    let signature;
-    try {
-        signature = fromBase64(proof.peer_signature);
-    }
-    catch {
-        return (0, shared_1.ok)(false);
-    }
-    if (signature.length !== identity_js_1.ML_DSA65_SIG_BYTES) {
-        return (0, shared_1.ok)(false);
-    }
-    // Reconstruct signed data
-    const proofWithoutSig = {
-        type: proof.type,
-        version: proof.version,
-        peer_did: proof.peer_did,
-        bloom_filter_hash: proof.bloom_filter_hash,
-        asserted_at: proof.asserted_at,
-        expires_at: proof.expires_at,
-    };
-    const dataToVerify = serializeForSigning(proofWithoutSig);
-    // Verify signature
-    const verifyResult = await (0, identity_js_1.verifyMlDsa65)(peerPublicKey, signature, dataToVerify);
-    if (!verifyResult.ok) {
-        return (0, shared_1.err)('SIGNATURE_VERIFICATION_FAILED');
-    }
-    return (0, shared_1.ok)(verifyResult.value);
-}
-/**
- * Resume subscription on a new gateway using a proof.
- *
- * Presents the subscription proof to the new gateway, allowing the client
- * to resume receiving trust events without re-subscribing.
- *
- * @param proof - Valid subscription proof.
- * @param newGatewayUrl - Base URL of the new gateway (e.g., https://atelier2.xail.io).
- * @returns Success or network error.
- *
- * @example
- * ```typescript
- * const result = await resumeSubscription(proof, 'https://atelier2.xail.io');
- * if (result.ok) {
- *   console.log('Subscription resumed on new gateway');
- * }
- * ```
- */
-async function resumeSubscription(proof, newGatewayUrl) {
-    try {
-        const baseUrl = newGatewayUrl.replace(/\/$/, '');
-        const response = await fetch(`${baseUrl}/trust/resume`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify(proof),
-        });
-        if (!response.ok) {
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    catch {
-        return (0, shared_1.err)('NETWORK_ERROR');
-    }
-}
-/**
- * Compute SHA-256 hash of a bloom filter for proof creation.
- *
- * @param bloomFilter - Bloom filter bytes.
- * @returns Hex-encoded SHA-256 hash.
- *
- * @example
- * ```typescript
- * const hash = await hashBloomFilter(bloomFilterBytes);
- * if (hash.ok) {
- *   const proof = await createSubscriptionProof(did, hash.value, privateKey);
- * }
- * ```
- */
-async function hashBloomFilter(bloomFilter) {
-    return sha256Hash(bloomFilter);
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.createSubscriptionProof=createSubscriptionProof,exports.verifySubscriptionProof=verifySubscriptionProof,exports.resumeSubscription=resumeSubscription,exports.hashBloomFilter=hashBloomFilter;const shared_1=require("../_deps/shared/index.js"),identity_js_1=require("./identity.js");async function sha256Hash(e){try{const r=new Uint8Array(e),t=await crypto.subtle.digest("SHA-256",r),i=Array.from(new Uint8Array(t)).map(e=>e.toString(16).padStart(2,"0")).join("");return(0,shared_1.ok)(i)}catch{return(0,shared_1.err)("HASH_FAILED")}}function serializeForSigning(e){const r=`${e.type}|${e.version}|${e.peer_did}|${e.bloom_filter_hash}|${e.asserted_at}|${e.expires_at}`;return(new TextEncoder).encode(r)}function toBase64(e){return"undefined"!=typeof Buffer?Buffer.from(e).toString("base64"):globalThis.btoa(String.fromCharCode(...e))}function fromBase64(e){if("undefined"!=typeof Buffer)return new Uint8Array(Buffer.from(e,"base64"));const r=globalThis.atob(e),t=new Uint8Array(r.length);for(let e=0;e<r.length;e++)t[e]=r.charCodeAt(e);return t}async function createSubscriptionProof(e,r,t,i){const o=Date.now(),s={type:"SubscriptionProof",version:"1.0",peer_did:e,bloom_filter_hash:r,asserted_at:o,expires_at:i??o+2592e6},n=serializeForSigning(s),a=await(0,identity_js_1.signMlDsa65)(t,n);if(!a.ok)return(0,shared_1.err)("SIGNATURE_VERIFICATION_FAILED");const _=a.value;if(_.length!==identity_js_1.ML_DSA65_SIG_BYTES)return(0,shared_1.err)("SIGNATURE_VERIFICATION_FAILED");const u={...s,peer_signature_algorithm:"ML-DSA-65",peer_signature:toBase64(_)};return(0,shared_1.ok)(u)}async function verifySubscriptionProof(e,r){if("1.0"!==e.version||"SubscriptionProof"!==e.type)return(0,shared_1.ok)(!1);if(Date.now()>e.expires_at)return(0,shared_1.err)("EXPIRED");if("ML-DSA-65"!==e.peer_signature_algorithm)return(0,shared_1.ok)(!1);let t;try{t=fromBase64(e.peer_signature)}catch{return(0,shared_1.ok)(!1)}if(t.length!==identity_js_1.ML_DSA65_SIG_BYTES)return(0,shared_1.ok)(!1);const i=serializeForSigning({type:e.type,version:e.version,peer_did:e.peer_did,bloom_filter_hash:e.bloom_filter_hash,asserted_at:e.asserted_at,expires_at:e.expires_at}),o=await(0,identity_js_1.verifyMlDsa65)(r,t,i);return o.ok?(0,shared_1.ok)(o.value):(0,shared_1.err)("SIGNATURE_VERIFICATION_FAILED")}async function resumeSubscription(e,r){try{const t=r.replace(/\/$/,"");return(await fetch(`${t}/trust/resume`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)})).ok?(0,shared_1.ok)(void 0):(0,shared_1.err)("NETWORK_ERROR")}catch{return(0,shared_1.err)("NETWORK_ERROR")}}async function hashBloomFilter(e){return sha256Hash(e)}

package/dist-standalone/cjs/succession.js

@@ -1,148 +1 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createSuccession = createSuccession;
-exports.verifySuccession = verifySuccession;
-exports.encodeSuccession = encodeSuccession;
-exports.decodeSuccession = decodeSuccession;
-const identity_js_1 = require("./identity.js");
-const shared_1 = require("../_deps/shared/index.js");
-/**
- * Create DID succession announcement with dual signatures.
- *
- * Format: did:key:OLD||did:key:NEW||sequence||effective_at||expires_at||grace_period||timestamp||sig_OLD||sig_NEW
- * Both old and new keys must sign to prove possession.
- *
- * @param oldDid - DID being rotated (old key)
- * @param oldPrivateKey - ML-DSA-65 secret key (32-byte seed) for old DID
- * @param newDid - DID replacing old DID
- * @param newPrivateKey - ML-DSA-65 secret key (32-byte seed) for new DID
- * @param rotationSequence - Monotonically increasing sequence number
- * @param gracePeriodMs - Overlap window in milliseconds (default: 7 days)
- * @returns Succession announcement with dual signatures or error
- */
-async function createSuccession(oldDid, oldPrivateKey, newDid, newPrivateKey, rotationSequence, gracePeriodMs = 7 * 24 * 60 * 60 * 1000 // 7 days default
-) {
-    const timestamp = Date.now();
-    const effective_at = timestamp;
-    const expires_at = timestamp + 30 * 24 * 60 * 60 * 1000; // 30 days proof validity
-    const message = `${oldDid}||${newDid}||${rotationSequence}||${effective_at}||${expires_at}||${gracePeriodMs}||${timestamp}`;
-    const messageBytes = new TextEncoder().encode(message);
-    const oldSigResult = await (0, identity_js_1.signMlDsa65)(oldPrivateKey, messageBytes);
-    if (!oldSigResult.ok) {
-        return (0, shared_1.err)('SIGN_FAILED');
-    }
-    const newSigResult = await (0, identity_js_1.signMlDsa65)(newPrivateKey, messageBytes);
-    if (!newSigResult.ok) {
-        return (0, shared_1.err)('SIGN_FAILED');
-    }
-    return (0, shared_1.ok)({
-        oldDid,
-        newDid,
-        rotation_sequence: rotationSequence,
-        effective_at,
-        expires_at,
-        grace_period_ms: gracePeriodMs,
-        timestamp,
-        oldSignature: oldSigResult.value,
-        newSignature: newSigResult.value
-    });
-}
-/**
- * Verify succession announcement dual signatures.
- *
- * Both old and new keys must have valid signatures.
- * Also checks sequence monotonicity (new sequence must be greater than current).
- *
- * @param announcement - Succession announcement to verify
- * @param oldPublicKey - ML-DSA-65 public key (1952 bytes) for old DID
- * @param newPublicKey - ML-DSA-65 public key (1952 bytes) for new DID
- * @returns true if both signatures valid, false otherwise
- */
-async function verifySuccession(announcement, oldPublicKey, newPublicKey) {
-    const message = `${announcement.oldDid}||${announcement.newDid}||${announcement.rotation_sequence}||${announcement.effective_at}||${announcement.expires_at}||${announcement.grace_period_ms}||${announcement.timestamp}`;
-    const messageBytes = new TextEncoder().encode(message);
-    const oldValidResult = await (0, identity_js_1.verifyMlDsa65)(oldPublicKey, announcement.oldSignature, messageBytes);
-    if (!oldValidResult.ok) {
-        return (0, shared_1.err)('VERIFY_FAILED');
-    }
-    const newValidResult = await (0, identity_js_1.verifyMlDsa65)(newPublicKey, announcement.newSignature, messageBytes);
-    if (!newValidResult.ok) {
-        return (0, shared_1.err)('VERIFY_FAILED');
-    }
-    const bothValid = oldValidResult.value && newValidResult.value;
-    return (0, shared_1.ok)(bothValid);
-}
-/**
- * Encode succession announcement to wire format.
- *
- * Format: did:key:OLD||did:key:NEW||sequence||effective_at||expires_at||grace_period||timestamp||sig_OLD||sig_NEW
- *
- * @param announcement - Succession announcement to encode
- * @returns Wire format string (base64-encoded signatures)
- */
-function encodeSuccession(announcement) {
-    const parts = [
-        announcement.oldDid,
-        announcement.newDid,
-        announcement.rotation_sequence.toString(),
-        announcement.effective_at.toString(),
-        announcement.expires_at.toString(),
-        announcement.grace_period_ms.toString(),
-        announcement.timestamp.toString(),
-        Buffer.from(announcement.oldSignature).toString('base64'),
-        Buffer.from(announcement.newSignature).toString('base64')
-    ];
-    return parts.join('||');
-}
-/**
- * Decode succession announcement from wire format.
- *
- * @param encoded - Wire format string
- * @returns Parsed succession announcement or error
- */
-function decodeSuccession(encoded) {
-    const parts = encoded.split('||');
-    if (parts.length !== 9) {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    const oldDid = parts[0];
-    const newDid = parts[1];
-    const sequenceStr = parts[2];
-    const effectiveAtStr = parts[3];
-    const expiresAtStr = parts[4];
-    const gracePeriodStr = parts[5];
-    const timestampStr = parts[6];
-    const oldSigB64 = parts[7];
-    const newSigB64 = parts[8];
-    if (!oldDid || !newDid || !sequenceStr || !effectiveAtStr || !expiresAtStr || !gracePeriodStr || !timestampStr || !oldSigB64 || !newSigB64) {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-    const rotation_sequence = parseInt(sequenceStr, 10);
-    const effective_at = parseInt(effectiveAtStr, 10);
-    const expires_at = parseInt(expiresAtStr, 10);
-    const grace_period_ms = parseInt(gracePeriodStr, 10);
-    const timestamp = parseInt(timestampStr, 10);
-    if (isNaN(rotation_sequence) || rotation_sequence < 0 ||
-        isNaN(effective_at) || effective_at < 0 ||
-        isNaN(expires_at) || expires_at < 0 ||
-        isNaN(grace_period_ms) || grace_period_ms < 0 ||
-        isNaN(timestamp) || timestamp < 0) {
-        return (0, shared_1.err)('INVALID_TIMESTAMP');
-    }
-    try {
-        return (0, shared_1.ok)({
-            oldDid,
-            newDid,
-            rotation_sequence,
-            effective_at,
-            expires_at,
-            grace_period_ms,
-            timestamp,
-            oldSignature: new Uint8Array(Buffer.from(oldSigB64, 'base64')),
-            newSignature: new Uint8Array(Buffer.from(newSigB64, 'base64'))
-        });
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_FORMAT');
-    }
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.createSuccession=createSuccession,exports.verifySuccession=verifySuccession,exports.encodeSuccession=encodeSuccession,exports.decodeSuccession=decodeSuccession;const identity_js_1=require("./identity.js"),shared_1=require("../_deps/shared/index.js");async function createSuccession(e,r,t,n,i,s=6048e5){const o=Date.now(),a=o,c=o+2592e6,d=`${e}||${t}||${i}||${a}||${c}||${s}||${o}`,_=(new TextEncoder).encode(d),u=await(0,identity_js_1.signMlDsa65)(r,_);if(!u.ok)return(0,shared_1.err)("SIGN_FAILED");const f=await(0,identity_js_1.signMlDsa65)(n,_);return f.ok?(0,shared_1.ok)({oldDid:e,newDid:t,rotation_sequence:i,effective_at:a,expires_at:c,grace_period_ms:s,timestamp:o,oldSignature:u.value,newSignature:f.value}):(0,shared_1.err)("SIGN_FAILED")}async function verifySuccession(e,r,t){const n=`${e.oldDid}||${e.newDid}||${e.rotation_sequence}||${e.effective_at}||${e.expires_at}||${e.grace_period_ms}||${e.timestamp}`,i=(new TextEncoder).encode(n),s=await(0,identity_js_1.verifyMlDsa65)(r,e.oldSignature,i);if(!s.ok)return(0,shared_1.err)("VERIFY_FAILED");const o=await(0,identity_js_1.verifyMlDsa65)(t,e.newSignature,i);if(!o.ok)return(0,shared_1.err)("VERIFY_FAILED");const a=s.value&&o.value;return(0,shared_1.ok)(a)}function encodeSuccession(e){return[e.oldDid,e.newDid,e.rotation_sequence.toString(),e.effective_at.toString(),e.expires_at.toString(),e.grace_period_ms.toString(),e.timestamp.toString(),Buffer.from(e.oldSignature).toString("base64"),Buffer.from(e.newSignature).toString("base64")].join("||")}function decodeSuccession(e){const r=e.split("||");if(9!==r.length)return(0,shared_1.err)("INVALID_FORMAT");const t=r[0],n=r[1],i=r[2],s=r[3],o=r[4],a=r[5],c=r[6],d=r[7],_=r[8];if(!(t&&n&&i&&s&&o&&a&&c&&d&&_))return(0,shared_1.err)("INVALID_FORMAT");const u=parseInt(i,10),f=parseInt(s,10),S=parseInt(o,10),p=parseInt(a,10),g=parseInt(c,10);if(isNaN(u)||u<0||isNaN(f)||f<0||isNaN(S)||S<0||isNaN(p)||p<0||isNaN(g)||g<0)return(0,shared_1.err)("INVALID_TIMESTAMP");try{return(0,shared_1.ok)({oldDid:t,newDid:n,rotation_sequence:u,effective_at:f,expires_at:S,grace_period_ms:p,timestamp:g,oldSignature:new Uint8Array(Buffer.from(d,"base64")),newSignature:new Uint8Array(Buffer.from(_,"base64"))})}catch{return(0,shared_1.err)("INVALID_FORMAT")}}

package/dist-standalone/cjs/timeouts.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.globalTimeoutConfig=exports.OperationTimeoutController=exports.TimeoutConfig=exports.DEFAULT_TIMEOUTS=exports.TimeoutError=void 0,exports.createTimeoutController=createTimeoutController,exports.withTimeout=withTimeout,exports.withTimeoutResult=withTimeoutResult,exports.createOperationTimeoutSignal=createOperationTimeoutSignal,exports.createOperationTimeout=createOperationTimeout,exports.isTimeoutError=isTimeoutError,exports.getTimeoutFromError=getTimeoutFromError,exports.createTimeoutConfigFromEnv=createTimeoutConfigFromEnv;const shared_1=require("../_deps/shared/index.js");class TimeoutError extends Error{code="TIMEOUT";operation;timeoutMs;timestamp;constructor(t,e){super(`Operation '${t}' timed out after ${e}ms. Actions: (1) Check network connectivity, (2) Increase timeout threshold, (3) Verify service availability, (4) Implement retry with exponential backoff.`),this.name="TimeoutError",this.operation=t,this.timeoutMs=e,this.timestamp=Date.now()}static withContext(t,e,r){const o=new TimeoutError(t,e);return r&&Object.assign(o,{context:r}),o}}exports.TimeoutError=TimeoutError,exports.DEFAULT_TIMEOUTS={registry:1e4,gateway:15e3,transport:3e4,default:3e4};class TimeoutConfig{registry;gateway;transport;default;constructor(t={}){this.registry=t.registry??exports.DEFAULT_TIMEOUTS.registry,this.gateway=t.gateway??exports.DEFAULT_TIMEOUTS.gateway,this.transport=t.transport??exports.DEFAULT_TIMEOUTS.transport,this.default=t.default??exports.DEFAULT_TIMEOUTS.default,this.validateTimeout("registry",this.registry),this.validateTimeout("gateway",this.gateway),this.validateTimeout("transport",this.transport),this.validateTimeout("default",this.default)}getRegistry(t){return t??this.registry}getGateway(t){return t??this.gateway}getTransport(t){return t??this.transport}getDefault(t){return t??this.default}get(t,e){switch(t){case"registry":return this.getRegistry(e);case"gateway":return this.getGateway(e);case"transport":return this.getTransport(e);case"default":return this.getDefault(e)}}with(t){return new TimeoutConfig({registry:t.registry??this.registry,gateway:t.gateway??this.gateway,transport:t.transport??this.transport,default:t.default??this.default})}validateTimeout(t,e){if(!Number.isFinite(e)||e<=0)throw new Error(`Invalid timeout for '${t}': ${e}. Must be positive finite number.`);e>3e5&&console.warn(`[xbind:timeout] Large timeout for '${t}': ${e}ms. Consider reducing to avoid indefinite hangs.`)}toJSON(){return{registry:this.registry,gateway:this.gateway,transport:this.transport,default:this.default}}}exports.TimeoutConfig=TimeoutConfig;class OperationTimeoutController{signal;timeoutMs;operation;controller;timer;timedOut=!1;constructor(t,e="operation"){this.controller=new AbortController,this.signal=this.controller.signal,this.timeoutMs=t,this.operation=e,this.timer=setTimeout(()=>{this.timedOut=!0,this.controller.abort()},t)}cancel(){clearTimeout(this.timer),this.controller.signal.aborted||this.controller.abort()}clear(){clearTimeout(this.timer)}didTimeout(){return this.timedOut}getTimeoutError(){return this.timedOut?new TimeoutError(this.operation,this.timeoutMs):null}}function createTimeoutController(t,e="operation"){return new OperationTimeoutController(t,e)}async function withTimeout(t,e,r="operation"){const o=createTimeoutController(e,r);try{const i=await Promise.race([t(),new Promise((t,i)=>{o.signal.addEventListener("abort",()=>{i(new TimeoutError(r,e))})})]);return o.clear(),i}catch(t){throw o.clear(),t}}async function withTimeoutResult(t,e,r="operation"){try{const o=await withTimeout(t,e,r);return(0,shared_1.ok)(o)}catch(t){if(t instanceof TimeoutError)return(0,shared_1.err)("TIMEOUT");throw t}}function createOperationTimeoutSignal(t,e="operation"){return createTimeoutController(t,e).signal}function createOperationTimeout(t,e,r,o){return createTimeoutController(t.get(e,o),r)}function isTimeoutError(t){return t instanceof TimeoutError}function getTimeoutFromError(t){return isTimeoutError(t)?t.timeoutMs:void 0}function createTimeoutConfigFromEnv(){const t={},e=process.env.XBIND_TIMEOUT_REGISTRY;if(e){const r=parseInt(e,10);isNaN(r)||(t.registry=r)}const r=process.env.XBIND_TIMEOUT_GATEWAY;if(r){const e=parseInt(r,10);isNaN(e)||(t.gateway=e)}const o=process.env.XBIND_TIMEOUT_TRANSPORT;if(o){const e=parseInt(o,10);isNaN(e)||(t.transport=e)}const i=process.env.XBIND_TIMEOUT_DEFAULT;if(i){const e=parseInt(i,10);isNaN(e)||(t.default=e)}return new TimeoutConfig(t)}exports.OperationTimeoutController=OperationTimeoutController,exports.globalTimeoutConfig=createTimeoutConfigFromEnv();

package/dist-standalone/cjs/trace-context.js

@@ -0,0 +1 @@
+"use strict";var TraceFlags;Object.defineProperty(exports,"__esModule",{value:!0}),exports.TraceContext=exports.TraceFlags=exports.TRACE_VERSION=exports.TRACESTATE_HEADER=exports.TRACEPARENT_HEADER=void 0,exports.generateTraceId=generateTraceId,exports.generateSpanId=generateSpanId,exports.validateTraceId=validateTraceId,exports.validateSpanId=validateSpanId,exports.parseTraceparent=parseTraceparent,exports.parseTracestate=parseTracestate,exports.TRACEPARENT_HEADER="traceparent",exports.TRACESTATE_HEADER="tracestate",exports.TRACE_VERSION="00",function(t){t[t.NONE=0]="NONE",t[t.SAMPLED=1]="SAMPLED"}(TraceFlags||(exports.TraceFlags=TraceFlags={}));class TraceContext{version;traceId;parentId;traceFlags;traceState;constructor(t,e,r=TraceFlags.SAMPLED,a=[]){if(!validateTraceId(t))throw new Error(`Invalid trace ID: ${t}. Must be 32 hex characters.`);if(!validateSpanId(e))throw new Error(`Invalid parent ID: ${e}. Must be 16 hex characters.`);if(r<0||r>255)throw new Error(`Invalid trace flags: ${r}. Must be 0-255.`);this.version=exports.TRACE_VERSION,this.traceId=t,this.parentId=e,this.traceFlags=r,this.traceState=a}static create(t=!0){const e=generateTraceId(),r=generateSpanId(),a=t?TraceFlags.SAMPLED:TraceFlags.NONE;return new TraceContext(e,r,a)}static extract(t){const e=t instanceof Headers?t.get(exports.TRACEPARENT_HEADER):t[exports.TRACEPARENT_HEADER];if(!e)return null;const r=parseTraceparent(e);if(!r)return null;const a=t instanceof Headers?t.get(exports.TRACESTATE_HEADER):t[exports.TRACESTATE_HEADER],n=a?parseTracestate(a):[];return new TraceContext(r.traceId,r.parentId,r.traceFlags,n)}inject(t){const e=this.toTraceparent();return t instanceof Headers?(t.set(exports.TRACEPARENT_HEADER,e),this.traceState.length>0&&t.set(exports.TRACESTATE_HEADER,this.toTracestate())):(t[exports.TRACEPARENT_HEADER]=e,this.traceState.length>0&&(t[exports.TRACESTATE_HEADER]=this.toTracestate())),t}createChild(t){const e=generateSpanId(),r=void 0!==t?t?TraceFlags.SAMPLED:TraceFlags.NONE:this.traceFlags;return new TraceContext(this.traceId,e,r,this.traceState)}toTraceparent(){const t=this.traceFlags.toString(16).padStart(2,"0");return`${this.version}-${this.traceId}-${this.parentId}-${t}`}toTracestate(){return this.traceState.map(({key:t,value:e})=>`${t}=${e}`).join(",")}isSampled(){return(this.traceFlags&TraceFlags.SAMPLED)===TraceFlags.SAMPLED}withTracestate(t,e){const r=this.traceState.filter(e=>e.key!==t);return r.unshift({key:t,value:e}),new TraceContext(this.traceId,this.parentId,this.traceFlags,r)}getTracestate(t){const e=this.traceState.find(e=>e.key===t);return e?.value}toObject(){return{version:this.version,traceId:this.traceId,parentId:this.parentId,traceFlags:this.traceFlags,traceState:[...this.traceState],sampled:this.isSampled()}}}function generateTraceId(){return generateRandomHex(32)}function generateSpanId(){return generateRandomHex(16)}function validateTraceId(t){return"string"==typeof t&&(32===t.length&&(!!/^[a-f0-9]{32}$/.test(t)&&"00000000000000000000000000000000"!==t))}function validateSpanId(t){return"string"==typeof t&&(16===t.length&&(!!/^[a-f0-9]{16}$/.test(t)&&"0000000000000000"!==t))}function parseTraceparent(t){if("string"!=typeof t)return null;const e=t.split("-");if(4!==e.length)return null;const[r,a,n,s]=e;if("00"!==r)return null;if(!validateTraceId(a??""))return null;if(!validateSpanId(n??""))return null;if(!s||2!==s.length)return null;if(!/^[a-f0-9]{2}$/.test(s))return null;return{version:r??"00",traceId:a??"",parentId:n??"",traceFlags:parseInt(s,16)}}function parseTracestate(t){if(!t)return[];const e=[],r=t.split(",");for(const t of r){const r=t.trim(),a=r.indexOf("=");if(-1===a)continue;const n=r.substring(0,a).trim(),s=r.substring(a+1).trim();n&&s&&e.push({key:n,value:s})}return e}function generateRandomHex(t){const e=Math.ceil(t/2);if("undefined"!=typeof crypto&&crypto.getRandomValues){const r=new Uint8Array(e);return crypto.getRandomValues(r),Array.from(r).map(t=>t.toString(16).padStart(2,"0")).join("").substring(0,t)}try{return require("node:crypto").randomBytes(e).toString("hex").substring(0,t)}catch{throw new Error("Cryptographic random generation unavailable. Install crypto polyfill or use environment with crypto support.")}}exports.TraceContext=TraceContext;

package/dist-standalone/cjs/trace-spans.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.SpanRecorder=exports.TraceSpan=exports.SpanKind=exports.SpanStatusCode=void 0,exports.measureAsync=measureAsync,exports.measureSync=measureSync;const trace_context_js_1=require("./trace-context.js");var SpanStatusCode,SpanKind;!function(t){t[t.OK=0]="OK",t[t.ERROR=1]="ERROR",t[t.UNSET=2]="UNSET"}(SpanStatusCode||(exports.SpanStatusCode=SpanStatusCode={})),function(t){t[t.INTERNAL=0]="INTERNAL",t[t.SERVER=1]="SERVER",t[t.CLIENT=2]="CLIENT",t[t.PRODUCER=3]="PRODUCER",t[t.CONSUMER=4]="CONSUMER"}(SpanKind||(exports.SpanKind=SpanKind={}));class TraceSpan{spanId;traceContext;name;kind;parentSpanId;startTime;endTime;status;attributes;events;ended;constructor(t,e,n={}){this.spanId=(0,trace_context_js_1.generateSpanId)(),this.traceContext=e,this.name=t,this.kind=n.kind??SpanKind.INTERNAL,this.parentSpanId=n.parentSpanId,this.startTime=Date.now(),this.status={code:SpanStatusCode.UNSET},this.attributes=n.attributes??{},this.events=[],this.ended=!1}setAttribute(t,e){if(this.ended)throw new Error("Cannot set attribute on ended span");return this.attributes[t]=e,this}setAttributes(t){if(this.ended)throw new Error("Cannot set attributes on ended span");return Object.assign(this.attributes,t),this}addEvent(t,e){if(this.ended)throw new Error("Cannot add event to ended span");return this.events.push({name:t,timestamp:Date.now(),attributes:e}),this}setStatus(t,e){if(this.ended)throw new Error("Cannot set status on ended span");return this.status={code:t,message:e},this}recordException(t){if(this.ended)throw new Error("Cannot record exception on ended span");this.setStatus(SpanStatusCode.ERROR);const e={};return t instanceof Error?(e["exception.type"]=t.name,e["exception.message"]=t.message,t.stack&&(e["exception.stacktrace"]=t.stack)):e["exception.message"]=String(t),this.addEvent("exception",e),this}end(t){this.ended||(this.endTime=t??Date.now(),this.ended=!0,this.status.code===SpanStatusCode.UNSET&&(this.status={code:SpanStatusCode.OK}))}isEnded(){return this.ended}getDuration(){return this.ended&&this.endTime?this.endTime-this.startTime:null}toData(){if(!this.ended||!this.endTime)throw new Error("Cannot export data from active span. Call end() first.");return{spanId:this.spanId,traceId:this.traceContext.traceId,parentSpanId:this.parentSpanId,name:this.name,kind:this.kind,startTime:this.startTime,endTime:this.endTime,duration:this.endTime-this.startTime,status:{...this.status},attributes:{...this.attributes},events:this.events.map(t=>({name:t.name,timestamp:t.timestamp,attributes:t.attributes?{...t.attributes}:void 0}))}}createChild(t,e={}){return new TraceSpan(t,this.traceContext,{...e,parentSpanId:this.spanId})}}exports.TraceSpan=TraceSpan;class SpanRecorder{activeSpans;completedSpans;maxSpans;rootContext;constructor(t={}){this.activeSpans=new Map,this.completedSpans=[],this.maxSpans=t.maxSpans??1e3,this.rootContext=t.traceContext}startSpan(t,e={}){const n=e.traceContext??e.parentSpan?.traceContext??this.rootContext??trace_context_js_1.TraceContext.create(),s=new TraceSpan(t,n,{kind:e.kind,attributes:e.attributes,parentSpanId:e.parentSpan?.spanId});this.activeSpans.set(s.spanId,s);const a=setTimeout(()=>{s.isEnded()||(s.setStatus(SpanStatusCode.ERROR,"Span not ended (auto-ended by recorder)"),this.endSpan(s))},6e4),r=s.end.bind(s);return s.end=t=>{clearTimeout(a),r(t),this.endSpan(s)},s}endSpan(t){t.isEnded()||t.end(),this.activeSpans.delete(t.spanId);const e=t.toData();this.completedSpans.push(e),this.completedSpans.length>this.maxSpans&&this.completedSpans.shift()}getCompletedSpans(){return[...this.completedSpans]}getActiveSpans(){return Array.from(this.activeSpans.values())}clearCompletedSpans(){this.completedSpans=[]}getSpanCount(){return{active:this.activeSpans.size,completed:this.completedSpans.length}}findSpansByTraceId(t){return this.completedSpans.filter(e=>e.traceId===t)}buildTraceTree(t){const e=this.findSpansByTraceId(t);if(0===e.length)return null;const n=e.find(t=>!t.parentSpanId);return n?buildSpanTreeNode(n,e):null}}function buildSpanTreeNode(t,e){const n=e.filter(e=>e.parentSpanId===t.spanId).map(t=>buildSpanTreeNode(t,e));return{span:t,children:n}}async function measureAsync(t,e,n,s){const a=t.startSpan(e,s);try{const t=await n();return a.setStatus(SpanStatusCode.OK),t}catch(t){throw a.recordException(t),t}finally{a.end()}}function measureSync(t,e,n,s){const a=t.startSpan(e,s);try{const t=n();return a.setStatus(SpanStatusCode.OK),t}catch(t){throw a.recordException(t),t}finally{a.end()}}exports.SpanRecorder=SpanRecorder;

package/dist-standalone/cjs/transport.js

@@ -1,63 +1 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.HttpsTransportAdapter = void 0;
-const shared_1 = require("../_deps/shared/index.js");
-/**
- * HTTPS transport adapter — sends envelopes as JSON POST requests.
- *
- * Recipient URL resolved as: baseUrl/deliver/{recipientDid}
- * This is the SDK's default transport for server-to-server delivery.
- */
-class HttpsTransportAdapter {
-    baseUrl;
-    timeoutMs;
-    fetchFn;
-    handlers = [];
-    constructor(opts) {
-        this.baseUrl = opts.baseUrl.replace(/\/$/, '');
-        this.timeoutMs = opts.timeoutMs ?? 10_000;
-        this.fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
-    }
-    async send(envelope, recipientDid) {
-        const url = `${this.baseUrl}/deliver/${encodeURIComponent(recipientDid)}`;
-        try {
-            const controller = new AbortController();
-            const timer = setTimeout(() => controller.abort(), this.timeoutMs);
-            const response = await this.fetchFn(url, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify(envelope),
-                signal: controller.signal,
-            });
-            clearTimeout(timer);
-            if (!response.ok) {
-                return (0, shared_1.err)(response.status === 404
-                    ? 'RECIPIENT_UNREACHABLE'
-                    : 'SEND_FAILED');
-            }
-            return (0, shared_1.ok)(undefined);
-        }
-        catch (e) {
-            if (e instanceof DOMException && e.name === 'AbortError') {
-                return (0, shared_1.err)('TIMEOUT');
-            }
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-    }
-    onReceive(handler) {
-        this.handlers.push(handler);
-    }
-    /**
-     * Dispatch a received envelope to all handlers.
-     * Called by the server when an incoming POST is received.
-     */
-    dispatch(envelope) {
-        for (const handler of this.handlers) {
-            handler(envelope);
-        }
-    }
-    dispose() {
-        this.handlers = [];
-    }
-}
-exports.HttpsTransportAdapter = HttpsTransportAdapter;
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.HttpsTransportAdapter=void 0;const shared_1=require("../_deps/shared/index.js");class HttpsTransportAdapter{baseUrl;timeoutMs;fetchFn;handlers=[];constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.timeoutMs=e.timeoutMs??1e4,this.fetchFn=e.fetch??globalThis.fetch.bind(globalThis)}async send(e,t){const s=`${this.baseUrl}/deliver/${encodeURIComponent(t)}`;try{const t=new AbortController,r=setTimeout(()=>t.abort(),this.timeoutMs),o=await this.fetchFn(s,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e),signal:t.signal});return clearTimeout(r),o.ok?(0,shared_1.ok)(void 0):(0,shared_1.err)(404===o.status?"RECIPIENT_UNREACHABLE":"SEND_FAILED")}catch(e){return e instanceof DOMException&&"AbortError"===e.name?(0,shared_1.err)("TIMEOUT"):(0,shared_1.err)("NETWORK_ERROR")}}onReceive(e){this.handlers.push(e)}dispatch(e){for(const t of this.handlers)t(e)}dispose(){this.handlers=[]}}exports.HttpsTransportAdapter=HttpsTransportAdapter;