@private.me/xbind 3.0.0 → 3.0.2

package/dist-standalone/cjs/runtime/react-native.js

@@ -1 +1,394 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.BufferPolyfill=exports.AsyncStorageAdapter=void 0,exports.detectCrypto=detectCrypto,exports.getRandomBytes=getRandomBytes,exports.sha256=sha256,exports.isReactNative=isReactNative,exports.detectPlatform=detectPlatform,exports.initializeReactNative=initializeReactNative;const shared_1=require("../../_deps/shared/index.js");class AsyncStorageAdapter{storage;prefix;debug;constructor(t){this.storage=t.storage,this.prefix=t.storagePrefix||"@xbind:",this.debug=t.debug||!1}async get(t){try{const e=this.prefix+t,r=await this.storage.getItem(e);return this.debug&&console.log(`[AsyncStorage] GET ${e}:`,r?"found":"not found"),(0,shared_1.ok)(r)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage get failed: ${t}`))}}async set(t,e){try{const r=this.prefix+t;return await this.storage.setItem(r,e),this.debug&&console.log(`[AsyncStorage] SET ${r}:`,e.length,"bytes"),(0,shared_1.ok)(void 0)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage set failed: ${t}`))}}async remove(t){try{const e=this.prefix+t;return await this.storage.removeItem(e),this.debug&&console.log(`[AsyncStorage] REMOVE ${e}`),(0,shared_1.ok)(void 0)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage remove failed: ${t}`))}}async keys(){try{const t=(await this.storage.getAllKeys()).filter(t=>t.startsWith(this.prefix)).map(t=>t.substring(this.prefix.length));return this.debug&&console.log("[AsyncStorage] KEYS:",t.length,"items"),(0,shared_1.ok)(t)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage keys failed: ${t}`))}}async multiGet(t){try{const e=t.map(t=>this.prefix+t),r=(await this.storage.multiGet(e)).map(([t,e])=>[t.substring(this.prefix.length),e]);return this.debug&&console.log("[AsyncStorage] MULTI_GET:",t.length,"keys"),(0,shared_1.ok)(r)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage multiGet failed: ${t}`))}}async multiSet(t){try{const e=t.map(([t,e])=>[this.prefix+t,e]);return await this.storage.multiSet(e),this.debug&&console.log("[AsyncStorage] MULTI_SET:",t.length,"pairs"),(0,shared_1.ok)(void 0)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage multiSet failed: ${t}`))}}async clear(){try{const t=await this.keys();if(!t.ok)return(0,shared_1.err)(t.error);const e=t.value.map(t=>this.prefix+t);return e.length>0&&await this.storage.multiRemove(e),this.debug&&console.log("[AsyncStorage] CLEAR:",e.length,"items removed"),(0,shared_1.ok)(void 0)}catch(t){return(0,shared_1.err)(new Error(`AsyncStorage clear failed: ${t}`))}}}function detectCrypto(){if("undefined"!=typeof global&&global.crypto)return global.crypto;try{return require("react-native-quick-crypto")}catch{}try{const t=require("expo-crypto");return{getRandomValues:e=>{const r=t.getRandomBytes(e.length);e.set(r)}}}catch{}return null}function getRandomBytes(t,e){const r=e||detectCrypto();if(!r)throw new Error("No crypto implementation available. Install react-native-quick-crypto or expo-crypto.");const o=new Uint8Array(t);return r.getRandomValues(o),o}async function sha256(t,e){const r=e||detectCrypto();if(!r?.subtle)throw new Error("No SubtleCrypto implementation available. Install react-native-quick-crypto.");const o=new Uint8Array(t).buffer,a=await r.subtle.digest("SHA-256",o);return new Uint8Array(a)}exports.AsyncStorageAdapter=AsyncStorageAdapter;class BufferPolyfill{static isBuffer(t){return t instanceof Uint8Array}static from(t,e){if("string"==typeof t){if("base64"===e)return this.fromBase64(t);if("hex"===e)return this.fromHex(t);return(new TextEncoder).encode(t)}return Array.isArray(t),new Uint8Array(t)}static toString(t,e){if("base64"===e)return this.toBase64(t);if("hex"===e)return this.toHex(t);return(new TextDecoder).decode(t)}static concat(t){const e=t.reduce((t,e)=>t+e.length,0),r=new Uint8Array(e);let o=0;for(const e of t)r.set(e,o),o+=e.length;return r}static alloc(t,e){const r=new Uint8Array(t);return void 0!==e&&r.fill(e),r}static fromBase64(t){const e=atob(t),r=new Uint8Array(e.length);for(let t=0;t<e.length;t++)r[t]=e.charCodeAt(t);return r}static toBase64(t){let e="";for(let r=0;r<t.length;r++){const o=t[r];void 0!==o&&(e+=String.fromCharCode(o))}return btoa(e)}static fromHex(t){const e=new Uint8Array(t.length/2);for(let r=0;r<e.length;r++)e[r]=parseInt(t.substr(2*r,2),16);return e}static toHex(t){return Array.from(t).map(t=>t.toString(16).padStart(2,"0")).join("")}}function isReactNative(){return"undefined"!=typeof navigator&&"ReactNative"===navigator.product}function detectPlatform(){if("undefined"==typeof navigator)return"unknown";const t=navigator.userAgent||"";return/iPhone|iPad|iPod/.test(t)?"ios":/Android/.test(t)?"android":"unknown"}function initializeReactNative(t){try{if(!t.storage)return(0,shared_1.err)(new Error("AsyncStorage is required for React Native runtime"));const e=t.crypto||detectCrypto();return e?(global.crypto||(global.crypto=e),global.Buffer||(global.Buffer=BufferPolyfill),t.debug&&console.log("[xBind] React Native runtime initialized:",{platform:detectPlatform(),crypto:e.subtle?"full":"basic",storage:"AsyncStorage",prefix:t.storagePrefix||"@xbind:"}),(0,shared_1.ok)(void 0)):(0,shared_1.err)(new Error("No crypto implementation found. Install react-native-quick-crypto or expo-crypto."))}catch(t){return(0,shared_1.err)(new Error(`React Native initialization failed: ${t}`))}}exports.BufferPolyfill=BufferPolyfill,exports.default={AsyncStorageAdapter:AsyncStorageAdapter,detectCrypto:detectCrypto,getRandomBytes:getRandomBytes,sha256:sha256,BufferPolyfill:BufferPolyfill,isReactNative:isReactNative,detectPlatform:detectPlatform,initializeReactNative:initializeReactNative};
+"use strict";
+/**
+ * React Native Runtime Support for xBind
+ *
+ * Provides compatibility layer for React Native environments:
+ * - Polyfills for missing Node.js APIs
+ * - AsyncStorage adapter for persistence
+ * - Native crypto module integration
+ * - Cross-platform crypto primitives
+ *
+ * @module runtime/react-native
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BufferPolyfill = exports.AsyncStorageAdapter = void 0;
+exports.detectCrypto = detectCrypto;
+exports.getRandomBytes = getRandomBytes;
+exports.sha256 = sha256;
+exports.isReactNative = isReactNative;
+exports.detectPlatform = detectPlatform;
+exports.initializeReactNative = initializeReactNative;
+const shared_1 = require("../../_deps/shared/index.js");
+/* ── Storage Adapter ── */
+/**
+ * AsyncStorage adapter for xBind persistence
+ *
+ * Provides cross-platform storage for:
+ * - Agent identities (Ed25519/X25519 keys)
+ * - Nonce store (replay protection)
+ * - Trust registry cache
+ * - Connection metadata
+ */
+class AsyncStorageAdapter {
+    storage;
+    prefix;
+    debug;
+    constructor(config) {
+        this.storage = config.storage;
+        this.prefix = config.storagePrefix || '@xbind:';
+        this.debug = config.debug || false;
+    }
+    /**
+     * Get value by key
+     */
+    async get(key) {
+        try {
+            const prefixedKey = this.prefix + key;
+            const value = await this.storage.getItem(prefixedKey);
+            if (this.debug) {
+                console.log(`[AsyncStorage] GET ${prefixedKey}:`, value ? 'found' : 'not found');
+            }
+            return (0, shared_1.ok)(value);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage get failed: ${error}`));
+        }
+    }
+    /**
+     * Set key-value pair
+     */
+    async set(key, value) {
+        try {
+            const prefixedKey = this.prefix + key;
+            await this.storage.setItem(prefixedKey, value);
+            if (this.debug) {
+                console.log(`[AsyncStorage] SET ${prefixedKey}:`, value.length, 'bytes');
+            }
+            return (0, shared_1.ok)(undefined);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage set failed: ${error}`));
+        }
+    }
+    /**
+     * Remove key
+     */
+    async remove(key) {
+        try {
+            const prefixedKey = this.prefix + key;
+            await this.storage.removeItem(prefixedKey);
+            if (this.debug) {
+                console.log(`[AsyncStorage] REMOVE ${prefixedKey}`);
+            }
+            return (0, shared_1.ok)(undefined);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage remove failed: ${error}`));
+        }
+    }
+    /**
+     * Get all keys with prefix
+     */
+    async keys() {
+        try {
+            const allKeys = await this.storage.getAllKeys();
+            const filteredKeys = allKeys
+                .filter(key => key.startsWith(this.prefix))
+                .map(key => key.substring(this.prefix.length));
+            if (this.debug) {
+                console.log(`[AsyncStorage] KEYS:`, filteredKeys.length, 'items');
+            }
+            return (0, shared_1.ok)(filteredKeys);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage keys failed: ${error}`));
+        }
+    }
+    /**
+     * Get multiple keys (batch operation)
+     */
+    async multiGet(keys) {
+        try {
+            const prefixedKeys = keys.map(key => this.prefix + key);
+            const results = await this.storage.multiGet(prefixedKeys);
+            // Remove prefix from results
+            const unprefixedResults = results.map(([key, value]) => [
+                key.substring(this.prefix.length),
+                value
+            ]);
+            if (this.debug) {
+                console.log(`[AsyncStorage] MULTI_GET:`, keys.length, 'keys');
+            }
+            return (0, shared_1.ok)(unprefixedResults);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage multiGet failed: ${error}`));
+        }
+    }
+    /**
+     * Set multiple key-value pairs (batch operation)
+     */
+    async multiSet(pairs) {
+        try {
+            const prefixedPairs = pairs.map(([key, value]) => [
+                this.prefix + key,
+                value
+            ]);
+            await this.storage.multiSet(prefixedPairs);
+            if (this.debug) {
+                console.log(`[AsyncStorage] MULTI_SET:`, pairs.length, 'pairs');
+            }
+            return (0, shared_1.ok)(undefined);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage multiSet failed: ${error}`));
+        }
+    }
+    /**
+     * Clear all xBind data
+     */
+    async clear() {
+        try {
+            const keysResult = await this.keys();
+            if (!keysResult.ok) {
+                return (0, shared_1.err)(keysResult.error);
+            }
+            const prefixedKeys = keysResult.value.map((key) => this.prefix + key);
+            if (prefixedKeys.length > 0) {
+                await this.storage.multiRemove(prefixedKeys);
+            }
+            if (this.debug) {
+                console.log(`[AsyncStorage] CLEAR:`, prefixedKeys.length, 'items removed');
+            }
+            return (0, shared_1.ok)(undefined);
+        }
+        catch (error) {
+            return (0, shared_1.err)(new Error(`AsyncStorage clear failed: ${error}`));
+        }
+    }
+}
+exports.AsyncStorageAdapter = AsyncStorageAdapter;
+/* ── Crypto Polyfills ── */
+/**
+ * Detect available crypto implementation
+ */
+function detectCrypto() {
+    // Check for global crypto (React Native 0.63+)
+    if (typeof global !== 'undefined' && global.crypto) {
+        return global.crypto;
+    }
+    // Check for react-native-quick-crypto
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        const quickCrypto = require('react-native-quick-crypto');
+        return quickCrypto;
+    }
+    catch {
+        // Not available
+    }
+    // Check for expo-crypto
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        const expoCrypto = require('expo-crypto');
+        return {
+            getRandomValues: (array) => {
+                const bytes = expoCrypto.getRandomBytes(array.length);
+                array.set(bytes);
+            }
+        };
+    }
+    catch {
+        // Not available
+    }
+    return null;
+}
+/**
+ * Get random bytes (cross-platform)
+ */
+function getRandomBytes(length, crypto) {
+    const cryptoImpl = crypto || detectCrypto();
+    if (!cryptoImpl) {
+        throw new Error('No crypto implementation available. Install react-native-quick-crypto or expo-crypto.');
+    }
+    const array = new Uint8Array(length);
+    cryptoImpl.getRandomValues(array);
+    return array;
+}
+/**
+ * SHA-256 hash (cross-platform)
+ */
+async function sha256(data, crypto) {
+    const cryptoImpl = crypto || detectCrypto();
+    if (!cryptoImpl?.subtle) {
+        throw new Error('No SubtleCrypto implementation available. Install react-native-quick-crypto.');
+    }
+    // SAFETY: Create clean ArrayBuffer for Web Crypto API compatibility
+    const cleanBuffer = new Uint8Array(data).buffer;
+    const hash = await cryptoImpl.subtle.digest('SHA-256', cleanBuffer);
+    return new Uint8Array(hash);
+}
+/* ── Buffer Polyfill ── */
+/**
+ * Buffer polyfill for React Native
+ *
+ * Uses global Buffer if available, otherwise provides minimal implementation
+ */
+class BufferPolyfill {
+    static isBuffer(obj) {
+        return obj instanceof Uint8Array;
+    }
+    static from(data, encoding) {
+        if (typeof data === 'string') {
+            if (encoding === 'base64') {
+                return this.fromBase64(data);
+            }
+            else if (encoding === 'hex') {
+                return this.fromHex(data);
+            }
+            else {
+                // Default to UTF-8
+                const encoder = new TextEncoder();
+                return encoder.encode(data);
+            }
+        }
+        if (Array.isArray(data)) {
+            return new Uint8Array(data);
+        }
+        return new Uint8Array(data);
+    }
+    static toString(buffer, encoding) {
+        if (encoding === 'base64') {
+            return this.toBase64(buffer);
+        }
+        else if (encoding === 'hex') {
+            return this.toHex(buffer);
+        }
+        else {
+            // Default to UTF-8
+            const decoder = new TextDecoder();
+            return decoder.decode(buffer);
+        }
+    }
+    static concat(buffers) {
+        const totalLength = buffers.reduce((sum, buf) => sum + buf.length, 0);
+        const result = new Uint8Array(totalLength);
+        let offset = 0;
+        for (const buf of buffers) {
+            result.set(buf, offset);
+            offset += buf.length;
+        }
+        return result;
+    }
+    static alloc(size, fill) {
+        const buffer = new Uint8Array(size);
+        if (fill !== undefined) {
+            buffer.fill(fill);
+        }
+        return buffer;
+    }
+    static fromBase64(str) {
+        const binaryString = atob(str);
+        const bytes = new Uint8Array(binaryString.length);
+        for (let i = 0; i < binaryString.length; i++) {
+            bytes[i] = binaryString.charCodeAt(i);
+        }
+        return bytes;
+    }
+    static toBase64(buffer) {
+        let binaryString = '';
+        for (let i = 0; i < buffer.length; i++) {
+            const byte = buffer[i];
+            if (byte !== undefined) {
+                binaryString += String.fromCharCode(byte);
+            }
+        }
+        return btoa(binaryString);
+    }
+    static fromHex(str) {
+        const bytes = new Uint8Array(str.length / 2);
+        for (let i = 0; i < bytes.length; i++) {
+            bytes[i] = parseInt(str.substr(i * 2, 2), 16);
+        }
+        return bytes;
+    }
+    static toHex(buffer) {
+        return Array.from(buffer)
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('');
+    }
+}
+exports.BufferPolyfill = BufferPolyfill;
+/* ── Platform Detection ── */
+/**
+ * Detect React Native runtime
+ */
+function isReactNative() {
+    return (typeof navigator !== 'undefined' &&
+        navigator.product === 'ReactNative');
+}
+/**
+ * Detect platform (iOS/Android)
+ */
+function detectPlatform() {
+    if (typeof navigator === 'undefined') {
+        return 'unknown';
+    }
+    const userAgent = navigator.userAgent || '';
+    if (/iPhone|iPad|iPod/.test(userAgent)) {
+        return 'ios';
+    }
+    if (/Android/.test(userAgent)) {
+        return 'android';
+    }
+    return 'unknown';
+}
+/* ── Module Initialization ── */
+/**
+ * Initialize React Native runtime environment
+ *
+ * Sets up polyfills and validates required dependencies
+ */
+function initializeReactNative(config) {
+    try {
+        // Validate storage
+        if (!config.storage) {
+            return (0, shared_1.err)(new Error('AsyncStorage is required for React Native runtime'));
+        }
+        // Validate crypto
+        const crypto = config.crypto || detectCrypto();
+        if (!crypto) {
+            return (0, shared_1.err)(new Error('No crypto implementation found. Install react-native-quick-crypto or expo-crypto.'));
+        }
+        // Ensure global.crypto is available
+        if (!global.crypto) {
+            global.crypto = crypto;
+        }
+        // Ensure global.Buffer is available
+        if (!global.Buffer) {
+            global.Buffer = BufferPolyfill;
+        }
+        if (config.debug) {
+            console.log('[xBind] React Native runtime initialized:', {
+                platform: detectPlatform(),
+                crypto: !!crypto.subtle ? 'full' : 'basic',
+                storage: 'AsyncStorage',
+                prefix: config.storagePrefix || '@xbind:'
+            });
+        }
+        return (0, shared_1.ok)(undefined);
+    }
+    catch (error) {
+        return (0, shared_1.err)(new Error(`React Native initialization failed: ${error}`));
+    }
+}
+/* ── Exports ── */
+exports.default = {
+    AsyncStorageAdapter,
+    detectCrypto,
+    getRandomBytes,
+    sha256,
+    BufferPolyfill,
+    isReactNative,
+    detectPlatform,
+    initializeReactNative
+};

package/dist-standalone/cjs/security-policy.js

@@ -1 +1,245 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.DefaultSecurityPolicy=void 0,exports.describeSecurityMode=describeSecurityMode,exports.describeSecurityModeStructured=describeSecurityModeStructured;class DefaultSecurityPolicy{options;constructor(e={}){this.options=e}classify(e){const{action:r,params:t,securityOverride:s}=e,i=this.options.highValueThreshold??1e5,a=this.options.criticalValueThreshold??1e6;if("critical"===s)return{mode:{type:"split",shares:5,threshold:3},reason:"User requested critical security level (5 shares, 3-of-5 threshold)",wasOverridden:!0};if("high"===s)return{mode:{type:"split",shares:3,threshold:2},reason:"User requested high security level (3 shares, 2-of-3 threshold)",wasOverridden:!0};if("standard"===s)return{mode:{type:"standard"},reason:"User requested standard security level (encrypted transport)",wasOverridden:!0};const o="string"==typeof t.risk?t.risk.toLowerCase():void 0;if(o){if("critical"===o||"high"===o)return{mode:{type:"split",shares:5,threshold:3},reason:`Explicit risk tag "${o}" requires 3-of-5 threshold`,wasOverridden:!1};if("medium"===o)return{mode:{type:"split",shares:3,threshold:2},reason:'Explicit risk tag "medium" requires 2-of-3 threshold',wasOverridden:!1};if("low"===o)return{mode:{type:"split",shares:2,threshold:2},reason:'Explicit risk tag "low" requires 2-of-2 threshold',wasOverridden:!1}}if(("transfer"===r||"execute"===r)&&"number"==typeof t.amount){const e="string"==typeof t.currency?t.currency.toUpperCase():"USD";if(["USD","EUR","GBP"].includes(e)){if(t.amount>=a)return{mode:{type:"split",shares:5,threshold:3},reason:`Critical-value transfer (${e} ${t.amount.toLocaleString()}) requires 3-of-5 threshold`,wasOverridden:!1};if(t.amount>=i)return{mode:{type:"split",shares:3,threshold:2},reason:`High-value transfer (${e} ${t.amount.toLocaleString()}) requires 2-of-3 threshold`,wasOverridden:!1}}}return!0===t.crossEntity?{mode:{type:"split",shares:3,threshold:2},reason:"Cross-organization communication requires multi-party approval (2 of 3)",wasOverridden:!1}:e.scope.includes("admin")||e.scope.includes("custody")||e.scope.includes("settlement")?{mode:{type:"split",shares:3,threshold:2},reason:`Sensitive scope "${e.scope}" requires multi-party approval (2 of 3)`,wasOverridden:!1}:this.options.enableXchange&&!0===t.xchange?{mode:{type:"xchange"},reason:"Xchange mode enabled for performance (~180x faster)",wasOverridden:!1}:{mode:{type:"standard"},reason:"Standard encrypted transport (hybrid post-quantum)",wasOverridden:!1}}}function describeSecurityMode(e){switch(e.type){case"standard":return"Standard (encrypted)";case"split":return`Multi-party approval (${e.threshold} of ${e.shares})`;case"xchange":return"Xchange (fast mode)"}}function describeSecurityModeStructured(e){let r,t,s,i,a;switch(e.type){case"standard":r="standard",t="Security Level: Standard\nMode: Encrypted transport (hybrid post-quantum)",s="standard | encrypted",i="**Security Level:** Standard\n\n**Mode:** Encrypted transport (hybrid post-quantum)";break;case"split":r=e.shares>=5?"critical":"high",a={total:e.shares,threshold:e.threshold},t=`Security Level: ${"critical"===r?"Critical":"High"}\nMode: Split-channel (XorIDA)\nShares: ${e.shares} total, ${e.threshold} required`,s=`${r} | split | ${e.threshold}-of-${e.shares}`,i=`**Security Level:** ${"critical"===r?"Critical":"High"}\n\n**Mode:** Split-channel (XorIDA)\n\n**Shares:** ${e.shares} total, ${e.threshold} required`;break;case"xchange":r="performance",t="Security Level: Performance\nMode: Xchange (single IT layer, ~180x faster)",s="performance | xchange",i="**Security Level:** Performance\n\n**Mode:** Xchange (single IT layer, ~180x faster)"}const o={type:e.type,level:r};a&&(o.shares=a);const n=JSON.stringify(o);return{type:e.type,level:r,shares:a,formats:{multiline:t,singleline:s,json:n,markdown:i}}}exports.DefaultSecurityPolicy=DefaultSecurityPolicy;
+"use strict";
+/**
+ * Security policy interface for automatic risk-based Xorida activation.
+ *
+ * Determines when to apply information-theoretic security (XorIDA split-channel)
+ * vs standard encrypted transport based on action semantics and parameters.
+ *
+ * Design principle: Security should be invisible to users. The policy classifies
+ * risk automatically so developers don't need to understand threshold cryptography.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultSecurityPolicy = void 0;
+exports.describeSecurityMode = describeSecurityMode;
+exports.describeSecurityModeStructured = describeSecurityModeStructured;
+/**
+ * Default security policy for basic XBind.
+ *
+ * Rules:
+ * - Explicit risk tags: low → 2-of-2, medium → 2-of-3, high/critical → 3-of-5
+ * - Fiat transfers: USD/EUR/GBP >$100k → 2-of-3, >$1M → 3-of-5
+ * - Crypto transfers: Require explicit risk tag (no numeric auto-detection)
+ * - Sensitive scopes: custody/admin/settlement → 2-of-3
+ * - Cross-entity communication: 2-of-3
+ * - Explicit 'high' override: 2-of-3, 'critical' override: 3-of-5
+ * - Everything else: Standard encrypted transport (V3 hybrid PQ)
+ *
+ * Enterprise and Government variants extend this with custom rules.
+ */
+class DefaultSecurityPolicy {
+    options;
+    /**
+     * Create a default security policy.
+     *
+     * @param options - Optional configuration
+     * @param options.highValueThreshold - Amount threshold for high security (default: 100000)
+     * @param options.criticalValueThreshold - Amount threshold for critical security (default: 1000000)
+     * @param options.enableXchange - Allow Xchange mode for performance (default: false)
+     */
+    constructor(options = {}) {
+        this.options = options;
+    }
+    classify(context) {
+        const { action, params, securityOverride } = context;
+        const highThreshold = this.options.highValueThreshold ?? 100_000;
+        const criticalThreshold = this.options.criticalValueThreshold ?? 1_000_000;
+        // Explicit override: critical
+        if (securityOverride === 'critical') {
+            return {
+                mode: { type: 'split', shares: 5, threshold: 3 },
+                reason: 'User requested critical security level (5 shares, 3-of-5 threshold)',
+                wasOverridden: true,
+            };
+        }
+        // Explicit override: high
+        if (securityOverride === 'high') {
+            return {
+                mode: { type: 'split', shares: 3, threshold: 2 },
+                reason: 'User requested high security level (3 shares, 2-of-3 threshold)',
+                wasOverridden: true,
+            };
+        }
+        // Explicit override: standard
+        if (securityOverride === 'standard') {
+            return {
+                mode: { type: 'standard' },
+                reason: 'User requested standard security level (encrypted transport)',
+                wasOverridden: true,
+            };
+        }
+        // Risk tag detection (preferred for crypto: BTC, ETH, etc.)
+        const riskTag = typeof params.risk === 'string' ? params.risk.toLowerCase() : undefined;
+        if (riskTag) {
+            if (riskTag === 'critical' || riskTag === 'high') {
+                return {
+                    mode: { type: 'split', shares: 5, threshold: 3 },
+                    reason: `Explicit risk tag "${riskTag}" requires 3-of-5 threshold`,
+                    wasOverridden: false,
+                };
+            }
+            else if (riskTag === 'medium') {
+                return {
+                    mode: { type: 'split', shares: 3, threshold: 2 },
+                    reason: `Explicit risk tag "medium" requires 2-of-3 threshold`,
+                    wasOverridden: false,
+                };
+            }
+            else if (riskTag === 'low') {
+                return {
+                    mode: { type: 'split', shares: 2, threshold: 2 },
+                    reason: `Explicit risk tag "low" requires 2-of-2 threshold`,
+                    wasOverridden: false,
+                };
+            }
+        }
+        // Numeric thresholds ONLY for fiat currencies (USD, EUR, GBP)
+        // Crypto (BTC, ETH) should use risk tags instead
+        if ((action === 'transfer' || action === 'execute') && typeof params.amount === 'number') {
+            const currency = typeof params.currency === 'string' ? params.currency.toUpperCase() : 'USD';
+            const isFiat = ['USD', 'EUR', 'GBP'].includes(currency);
+            if (isFiat) {
+                if (params.amount >= criticalThreshold) {
+                    return {
+                        mode: { type: 'split', shares: 5, threshold: 3 },
+                        reason: `Critical-value transfer (${currency} ${params.amount.toLocaleString()}) requires 3-of-5 threshold`,
+                        wasOverridden: false,
+                    };
+                }
+                else if (params.amount >= highThreshold) {
+                    return {
+                        mode: { type: 'split', shares: 3, threshold: 2 },
+                        reason: `High-value transfer (${currency} ${params.amount.toLocaleString()}) requires 2-of-3 threshold`,
+                        wasOverridden: false,
+                    };
+                }
+            }
+        }
+        // Auto-detection: Cross-entity communication
+        if (params.crossEntity === true) {
+            return {
+                mode: { type: 'split', shares: 3, threshold: 2 },
+                reason: 'Cross-organization communication requires multi-party approval (2 of 3)',
+                wasOverridden: false,
+            };
+        }
+        // Auto-detection: Sensitive scopes
+        if (context.scope.includes('admin') ||
+            context.scope.includes('custody') ||
+            context.scope.includes('settlement')) {
+            return {
+                mode: { type: 'split', shares: 3, threshold: 2 },
+                reason: `Sensitive scope "${context.scope}" requires multi-party approval (2 of 3)`,
+                wasOverridden: false,
+            };
+        }
+        // Xchange mode: opt-in performance mode (if enabled)
+        if (this.options.enableXchange && params.xchange === true) {
+            return {
+                mode: { type: 'xchange' },
+                reason: 'Xchange mode enabled for performance (~180x faster)',
+                wasOverridden: false,
+            };
+        }
+        // Default: Standard encrypted transport
+        return {
+            mode: { type: 'standard' },
+            reason: 'Standard encrypted transport (hybrid post-quantum)',
+            wasOverridden: false,
+        };
+    }
+}
+exports.DefaultSecurityPolicy = DefaultSecurityPolicy;
+/**
+ * Get a human-readable security mode description.
+ *
+ * Used for logging and user feedback.
+ *
+ * @param mode - Security mode
+ * @returns User-friendly description
+ *
+ * @deprecated Use describeSecurityModeStructured() for new code. This function remains for backward compatibility.
+ */
+function describeSecurityMode(mode) {
+    switch (mode.type) {
+        case 'standard':
+            return 'Standard (encrypted)';
+        case 'split':
+            return `Multi-party approval (${mode.threshold} of ${mode.shares})`;
+        case 'xchange':
+            return 'Xchange (fast mode)';
+    }
+}
+/**
+ * Get a structured security mode description with multiple formats.
+ *
+ * Returns an object with the security classification and formatted descriptions
+ * optimized for different use cases (display, logging, APIs, docs).
+ *
+ * @param mode - Security mode
+ * @returns Security mode description with formats
+ *
+ * @example
+ * ```typescript
+ * const mode: SecurityMode = { type: 'split', shares: 3, threshold: 2 };
+ * const description = describeSecurityModeStructured(mode);
+ *
+ * console.log(description.formats.singleline);
+ * // "high | split | 2-of-3"
+ *
+ * console.log(description.formats.multiline);
+ * // "Security Level: High
+ * //  Mode: Split-channel (XorIDA)
+ * //  Shares: 3 total, 2 required"
+ *
+ * console.log(description.shares);
+ * // { total: 3, threshold: 2 }
+ * ```
+ */
+function describeSecurityModeStructured(mode) {
+    let level;
+    let multiline;
+    let singleline;
+    let markdown;
+    let shares;
+    switch (mode.type) {
+        case 'standard':
+            level = 'standard';
+            multiline = 'Security Level: Standard\nMode: Encrypted transport (hybrid post-quantum)';
+            singleline = 'standard | encrypted';
+            markdown = '**Security Level:** Standard\n\n**Mode:** Encrypted transport (hybrid post-quantum)';
+            break;
+        case 'split':
+            // Classify split mode as high or critical based on threshold
+            level = mode.shares >= 5 ? 'critical' : 'high';
+            shares = { total: mode.shares, threshold: mode.threshold };
+            multiline = `Security Level: ${level === 'critical' ? 'Critical' : 'High'}\nMode: Split-channel (XorIDA)\nShares: ${mode.shares} total, ${mode.threshold} required`;
+            singleline = `${level} | split | ${mode.threshold}-of-${mode.shares}`;
+            markdown = `**Security Level:** ${level === 'critical' ? 'Critical' : 'High'}\n\n**Mode:** Split-channel (XorIDA)\n\n**Shares:** ${mode.shares} total, ${mode.threshold} required`;
+            break;
+        case 'xchange':
+            level = 'performance';
+            multiline = 'Security Level: Performance\nMode: Xchange (single IT layer, ~180x faster)';
+            singleline = 'performance | xchange';
+            markdown = '**Security Level:** Performance\n\n**Mode:** Xchange (single IT layer, ~180x faster)';
+            break;
+    }
+    const jsonObj = {
+        type: mode.type,
+        level,
+    };
+    if (shares) {
+        jsonObj.shares = shares;
+    }
+    const json = JSON.stringify(jsonObj);
+    return {
+        type: mode.type,
+        level,
+        shares,
+        formats: {
+            multiline,
+            singleline,
+            json,
+            markdown,
+        },
+    };
+}