@private.me/xbind 3.0.0 → 3.0.2

package/dist-standalone/cjs/split-channel.js

@@ -1 +1,225 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.DEFAULT_SPLIT_CONFIG=void 0,exports.splitForChannel=splitForChannel,exports.splitForChannelWithGroupId=splitForChannelWithGroupId,exports.reconstructFromChannel=reconstructFromChannel;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js");async function splitForChannel(r,t=exports.DEFAULT_SPLIT_CONFIG){const{totalShares:e,threshold:s}=t;if(e<2||s<2||s>e)return(0,shared_1.err)("SPLIT_FAILED:INVALID_PARAMS");return splitForChannelWithGroupId(r,t,(0,crypto_utils_js_1.generateUUID)())}async function splitForChannelWithGroupId(r,t,e){const{totalShares:s,threshold:_}=t;if(s<2||_<2||_>s)return(0,shared_1.err)("SPLIT_FAILED:INVALID_PARAMS");const o=(0,crypto_utils_js_1.nextOddPrime)(s)-1,a=(0,crypto_utils_js_1.pkcs7Pad)(r,o),{key:n,signature:i}=await(0,crypto_utils_js_1.generateHMAC)(a);let c;try{c=(0,crypto_utils_js_1.splitXorIDA)(a,s,_)}catch{return(0,shared_1.err)("SPLIT_FAILED")}const u=(0,crypto_utils_js_1.toBase64)(n),l=(0,crypto_utils_js_1.toBase64)(i),d=c.map((r,t)=>({data:(0,crypto_utils_js_1.formatShareHeader)((0,crypto_utils_js_1.toBase64)(r)),index:t,total:s,threshold:_,groupId:e,hmacKey:u,hmacSig:l}));return(0,shared_1.ok)(d)}async function reconstructFromChannel(r){const t=validateShares(r);if(!t.ok)return t;const{k:e,n:s}=t.value;return reconstructValidated(r.slice(0,e),s,e)}function validateShares(r){if(0===r.length)return(0,shared_1.err)("INSUFFICIENT_SHARES");const t=r[0],e=t.threshold,s=t.total;if(r.length<e)return(0,shared_1.err)("INSUFFICIENT_SHARES");const _=new Set;for(const o of r){if(o.groupId!==t.groupId)return(0,shared_1.err)("INCONSISTENT_SHARES");if(o.total!==s||o.threshold!==e)return(0,shared_1.err)("INCONSISTENT_SHARES");if(o.index<0||o.index>=s)return(0,shared_1.err)("INVALID_SHARE_DATA");if(_.has(o.index))return(0,shared_1.err)("INVALID_SHARE_DATA");_.add(o.index)}return(0,shared_1.ok)({k:e,n:s,groupId:t.groupId})}async function reconstructValidated(r,t,e){let s;try{s=r.map(r=>(0,crypto_utils_js_1.fromBase64)((0,crypto_utils_js_1.parseShareHeader)(r.data)))}catch{return(0,shared_1.err)("INVALID_SHARE_DATA:BASE64")}const _=r.map(r=>r.index);let o;try{o=(0,crypto_utils_js_1.reconstructXorIDA)(s,_,t,e)}catch{return(0,shared_1.err)("SPLIT_FAILED:RECONSTRUCT")}const a=r[0];let n,i;try{n=(0,crypto_utils_js_1.fromBase64)(a.hmacKey),i=(0,crypto_utils_js_1.fromBase64)(a.hmacSig)}catch{return(0,shared_1.err)("INVALID_SHARE_DATA:HMAC_DECODE")}if(!await(0,crypto_utils_js_1.verifyHMAC)(n,o,i))return(0,shared_1.err)("HMAC_VERIFICATION_FAILED");const c=(0,crypto_utils_js_1.nextOddPrime)(t)-1,u=(0,crypto_utils_js_1.pkcs7Unpad)(o,c);return u.ok?(0,shared_1.ok)(u.value):(0,shared_1.err)("UNPAD_FAILED")}exports.DEFAULT_SPLIT_CONFIG={totalShares:3,threshold:2};
+"use strict";
+/**
+ * XorIDA split-channel bridge for @private.me/xbind.
+ *
+ * Bridges @private.me/crypto threshold sharing with the agent-sdk
+ * TransportEnvelope format. Splits plaintext into n shares with HMAC
+ * integrity, each share wrapped in its own envelope for independent routing.
+ *
+ * Pipeline:
+ *   split:  pad -> HMAC -> XorIDA split -> share Uint8Arrays with metadata
+ *   reconstruct: collect k shares -> XorIDA reconstruct -> HMAC verify -> unpad
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_SPLIT_CONFIG = void 0;
+exports.splitForChannel = splitForChannel;
+exports.splitForChannelWithGroupId = splitForChannelWithGroupId;
+exports.reconstructFromChannel = reconstructFromChannel;
+const shared_1 = require("../_deps/shared/index.js");
+const crypto_utils_js_1 = require("./crypto-utils.js");
+/** Default split-channel configuration: 3 shares, threshold 2. */
+exports.DEFAULT_SPLIT_CONFIG = {
+    totalShares: 3,
+    threshold: 2,
+};
+/* ── Split ── */
+/**
+ * Split plaintext into n shares via XorIDA with HMAC integrity.
+ *
+ * Pipeline: pad(PKCS#7) -> HMAC(padded) -> XorIDA split -> ChannelShare[]
+ *
+ * Information-theoretic security: Any k shares can reconstruct the plaintext,
+ * but k-1 shares reveal ZERO information (proven secure).
+ *
+ * @param plaintext - Raw plaintext bytes to split
+ * @param config - Split configuration (totalShares, threshold)
+ * @returns Array of n ChannelShare objects ready for envelope wrapping
+ *
+ * @example
+ * ```typescript
+ * import { splitForChannel, DEFAULT_SPLIT_CONFIG } from '@private.me/xbind';
+ *
+ * const plaintext = new TextEncoder().encode('Sensitive data');
+ *
+ * // Default: 3 shares, need 2 to reconstruct
+ * const shares = await splitForChannel(plaintext);
+ * if (!shares.ok) throw new Error(shares.error);
+ *
+ * console.log('Created shares:', shares.value.length);
+ * // Send each share through different channels (email, SMS, push)
+ * shares.value.forEach((share, i) => {
+ *   console.log(`Share ${i}: ${share.groupId}`);
+ * });
+ *
+ * // Custom configuration: 5 shares, need 3
+ * const customShares = await splitForChannel(plaintext, {
+ *   totalShares: 5,
+ *   threshold: 3
+ * });
+ * ```
+ */
+async function splitForChannel(plaintext, config = exports.DEFAULT_SPLIT_CONFIG) {
+    const { totalShares: n, threshold: k } = config;
+    if (n < 2 || k < 2 || k > n) {
+        return (0, shared_1.err)('SPLIT_FAILED:INVALID_PARAMS');
+    }
+    const groupId = (0, crypto_utils_js_1.generateUUID)();
+    return splitForChannelWithGroupId(plaintext, config, groupId);
+}
+/**
+ * Split plaintext with a specific groupId (for testability).
+ *
+ * @param plaintext - Raw plaintext bytes
+ * @param config - Split configuration
+ * @param groupId - UUID to use for the share group
+ * @returns Array of ChannelShare objects
+ */
+async function splitForChannelWithGroupId(plaintext, config, groupId) {
+    const { totalShares: n, threshold: k } = config;
+    if (n < 2 || k < 2 || k > n) {
+        return (0, shared_1.err)('SPLIT_FAILED:INVALID_PARAMS');
+    }
+    const p = (0, crypto_utils_js_1.nextOddPrime)(n);
+    const blockSize = p - 1;
+    const padded = (0, crypto_utils_js_1.pkcs7Pad)(plaintext, blockSize);
+    const { key: hmacKey, signature: hmacSig } = await (0, crypto_utils_js_1.generateHMAC)(padded);
+    let shareArrays;
+    try {
+        shareArrays = (0, crypto_utils_js_1.splitXorIDA)(padded, n, k);
+    }
+    catch {
+        return (0, shared_1.err)('SPLIT_FAILED');
+    }
+    const hmacKeyB64 = (0, crypto_utils_js_1.toBase64)(hmacKey);
+    const hmacSigB64 = (0, crypto_utils_js_1.toBase64)(hmacSig);
+    const shares = shareArrays.map((data, index) => ({
+        data: (0, crypto_utils_js_1.formatShareHeader)((0, crypto_utils_js_1.toBase64)(data)),
+        index,
+        total: n,
+        threshold: k,
+        groupId,
+        hmacKey: hmacKeyB64,
+        hmacSig: hmacSigB64,
+    }));
+    return (0, shared_1.ok)(shares);
+}
+/* ── Reconstruct ── */
+/**
+ * Reconstruct plaintext from k-of-n shares.
+ *
+ * Pipeline: validate -> XorIDA reconstruct -> HMAC verify -> unpad -> plaintext
+ * HMAC verification happens BEFORE the data is trusted.
+ *
+ * @param shares - Array of at least k ChannelShare objects (must have same groupId)
+ * @returns Reconstructed plaintext bytes
+ *
+ * @example
+ * ```typescript
+ * import { reconstructFromChannel, type ChannelShare } from '@private.me/xbind';
+ *
+ * // Collect shares from different channels
+ * const receivedShares: ChannelShare[] = [
+ *   emailShare,   // Received via email
+ *   smsShare,     // Received via SMS
+ *   // Only need 2 shares (threshold = 2)
+ * ];
+ *
+ * // Reconstruct original message
+ * const plaintext = await reconstructFromChannel(receivedShares);
+ * if (!plaintext.ok) {
+ *   console.error('Reconstruction failed:', plaintext.error);
+ *   return;
+ * }
+ *
+ * const message = new TextDecoder().decode(plaintext.value);
+ * console.log('Reconstructed message:', message);
+ * ```
+ */
+async function reconstructFromChannel(shares) {
+    const validationResult = validateShares(shares);
+    if (!validationResult.ok)
+        return validationResult;
+    const { k, n } = validationResult.value;
+    const usedShares = shares.slice(0, k);
+    return reconstructValidated(usedShares, n, k);
+}
+/**
+ * Validate share consistency before reconstruction.
+ *
+ * @param shares - Shares to validate
+ * @returns Validated parameters or error
+ */
+function validateShares(shares) {
+    if (shares.length === 0) {
+        return (0, shared_1.err)('INSUFFICIENT_SHARES');
+    }
+    const first = shares[0];
+    const k = first.threshold;
+    const n = first.total;
+    if (shares.length < k) {
+        return (0, shared_1.err)('INSUFFICIENT_SHARES');
+    }
+    const indexSet = new Set();
+    for (const share of shares) {
+        if (share.groupId !== first.groupId) {
+            return (0, shared_1.err)('INCONSISTENT_SHARES');
+        }
+        if (share.total !== n || share.threshold !== k) {
+            return (0, shared_1.err)('INCONSISTENT_SHARES');
+        }
+        if (share.index < 0 || share.index >= n) {
+            return (0, shared_1.err)('INVALID_SHARE_DATA');
+        }
+        if (indexSet.has(share.index)) {
+            return (0, shared_1.err)('INVALID_SHARE_DATA');
+        }
+        indexSet.add(share.index);
+    }
+    return (0, shared_1.ok)({ k, n, groupId: first.groupId });
+}
+/**
+ * Perform XorIDA reconstruction and HMAC verification.
+ *
+ * @param usedShares - Exactly k validated shares
+ * @param n - Total shares
+ * @param k - Threshold
+ * @returns Reconstructed plaintext
+ */
+async function reconstructValidated(usedShares, n, k) {
+    let shareData;
+    try {
+        shareData = usedShares.map((s) => (0, crypto_utils_js_1.fromBase64)((0, crypto_utils_js_1.parseShareHeader)(s.data)));
+    }
+    catch {
+        return (0, shared_1.err)('INVALID_SHARE_DATA:BASE64');
+    }
+    const indices = usedShares.map((s) => s.index);
+    let padded;
+    try {
+        padded = (0, crypto_utils_js_1.reconstructXorIDA)(shareData, indices, n, k);
+    }
+    catch {
+        return (0, shared_1.err)('SPLIT_FAILED:RECONSTRUCT');
+    }
+    const first = usedShares[0];
+    let hmacKey;
+    let hmacSig;
+    try {
+        hmacKey = (0, crypto_utils_js_1.fromBase64)(first.hmacKey);
+        hmacSig = (0, crypto_utils_js_1.fromBase64)(first.hmacSig);
+    }
+    catch {
+        return (0, shared_1.err)('INVALID_SHARE_DATA:HMAC_DECODE');
+    }
+    const hmacValid = await (0, crypto_utils_js_1.verifyHMAC)(hmacKey, padded, hmacSig);
+    if (!hmacValid) {
+        return (0, shared_1.err)('HMAC_VERIFICATION_FAILED');
+    }
+    const p = (0, crypto_utils_js_1.nextOddPrime)(n);
+    const blockSize = p - 1;
+    const unpadResult = (0, crypto_utils_js_1.pkcs7Unpad)(padded, blockSize);
+    if (!unpadResult.ok) {
+        return (0, shared_1.err)('UNPAD_FAILED');
+    }
+    return (0, shared_1.ok)(unpadResult.value);
+}

package/dist-standalone/cjs/subscription-proof.js

@@ -1 +1,230 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.createSubscriptionProof=createSubscriptionProof,exports.verifySubscriptionProof=verifySubscriptionProof,exports.resumeSubscription=resumeSubscription,exports.hashBloomFilter=hashBloomFilter;const shared_1=require("../_deps/shared/index.js"),identity_js_1=require("./identity.js");async function sha256Hash(e){try{const r=new Uint8Array(e),t=await crypto.subtle.digest("SHA-256",r),i=Array.from(new Uint8Array(t)).map(e=>e.toString(16).padStart(2,"0")).join("");return(0,shared_1.ok)(i)}catch{return(0,shared_1.err)("HASH_FAILED")}}function serializeForSigning(e){const r=`${e.type}|${e.version}|${e.peer_did}|${e.bloom_filter_hash}|${e.asserted_at}|${e.expires_at}`;return(new TextEncoder).encode(r)}function toBase64(e){return"undefined"!=typeof Buffer?Buffer.from(e).toString("base64"):globalThis.btoa(String.fromCharCode(...e))}function fromBase64(e){if("undefined"!=typeof Buffer)return new Uint8Array(Buffer.from(e,"base64"));const r=globalThis.atob(e),t=new Uint8Array(r.length);for(let e=0;e<r.length;e++)t[e]=r.charCodeAt(e);return t}async function createSubscriptionProof(e,r,t,i){const o=Date.now(),s={type:"SubscriptionProof",version:"1.0",peer_did:e,bloom_filter_hash:r,asserted_at:o,expires_at:i??o+2592e6},n=serializeForSigning(s),a=await(0,identity_js_1.signMlDsa65)(t,n);if(!a.ok)return(0,shared_1.err)("SIGNATURE_VERIFICATION_FAILED");const _=a.value;if(_.length!==identity_js_1.ML_DSA65_SIG_BYTES)return(0,shared_1.err)("SIGNATURE_VERIFICATION_FAILED");const u={...s,peer_signature_algorithm:"ML-DSA-65",peer_signature:toBase64(_)};return(0,shared_1.ok)(u)}async function verifySubscriptionProof(e,r){if("1.0"!==e.version||"SubscriptionProof"!==e.type)return(0,shared_1.ok)(!1);if(Date.now()>e.expires_at)return(0,shared_1.err)("EXPIRED");if("ML-DSA-65"!==e.peer_signature_algorithm)return(0,shared_1.ok)(!1);let t;try{t=fromBase64(e.peer_signature)}catch{return(0,shared_1.ok)(!1)}if(t.length!==identity_js_1.ML_DSA65_SIG_BYTES)return(0,shared_1.ok)(!1);const i=serializeForSigning({type:e.type,version:e.version,peer_did:e.peer_did,bloom_filter_hash:e.bloom_filter_hash,asserted_at:e.asserted_at,expires_at:e.expires_at}),o=await(0,identity_js_1.verifyMlDsa65)(r,t,i);return o.ok?(0,shared_1.ok)(o.value):(0,shared_1.err)("SIGNATURE_VERIFICATION_FAILED")}async function resumeSubscription(e,r){try{const t=r.replace(/\/$/,"");return(await fetch(`${t}/trust/resume`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)})).ok?(0,shared_1.ok)(void 0):(0,shared_1.err)("NETWORK_ERROR")}catch{return(0,shared_1.err)("NETWORK_ERROR")}}async function hashBloomFilter(e){return sha256Hash(e)}
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSubscriptionProof = createSubscriptionProof;
+exports.verifySubscriptionProof = verifySubscriptionProof;
+exports.resumeSubscription = resumeSubscription;
+exports.hashBloomFilter = hashBloomFilter;
+const shared_1 = require("../_deps/shared/index.js");
+const identity_js_1 = require("./identity.js");
+/* ── Internal Helpers ── */
+/**
+ * Compute SHA-256 hash of a Uint8Array.
+ *
+ * @param data - Data to hash.
+ * @returns Hex-encoded SHA-256 hash.
+ */
+async function sha256Hash(data) {
+    try {
+        // SAFETY: Creating fresh copy ensures proper ArrayBuffer type (not SharedArrayBuffer)
+        const buffer = new Uint8Array(data);
+        const hashBuffer = await crypto.subtle.digest('SHA-256', buffer);
+        const hashArray = Array.from(new Uint8Array(hashBuffer));
+        const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+        return (0, shared_1.ok)(hashHex);
+    }
+    catch {
+        return (0, shared_1.err)('HASH_FAILED');
+    }
+}
+/**
+ * Serialize subscription proof data for signing (canonical format).
+ *
+ * Format: type|version|peer_did|bloom_filter_hash|asserted_at|expires_at
+ *
+ * @param proof - Subscription proof (without signature).
+ * @returns Canonical byte representation.
+ */
+function serializeForSigning(proof) {
+    const canonical = `${proof.type}|${proof.version}|${proof.peer_did}|${proof.bloom_filter_hash}|${proof.asserted_at}|${proof.expires_at}`;
+    return new TextEncoder().encode(canonical);
+}
+/**
+ * Base64 encode (standard, not URL-safe).
+ */
+function toBase64(data) {
+    // Use Buffer in Node.js, btoa in browser
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(data).toString('base64');
+    }
+    // SAFETY: btoa is standard in browsers
+    return globalThis.btoa(String.fromCharCode(...data));
+}
+/**
+ * Base64 decode (standard, not URL-safe).
+ */
+function fromBase64(data) {
+    // Use Buffer in Node.js, atob in browser
+    if (typeof Buffer !== 'undefined') {
+        return new Uint8Array(Buffer.from(data, 'base64'));
+    }
+    // SAFETY: atob is standard in browsers
+    const binary = globalThis.atob(data);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+/* ── Public API ── */
+/**
+ * Create a subscription proof (client-side).
+ *
+ * Signs a bloom filter hash with the peer's ML-DSA-65 private key, creating
+ * a portable proof that can be used to resume subscriptions on a new gateway.
+ *
+ * @param peerDid - Subscriber's DID (must match the private key).
+ * @param bloomFilterHash - SHA-256 hash of the bloom filter (hex string).
+ * @param privateKey - 32-byte ML-DSA-65 secret key seed.
+ * @param expiresAt - Optional expiration timestamp (ms). Default: 30 days from now.
+ * @returns Subscription proof with ML-DSA-65 signature.
+ *
+ * @example
+ * ```typescript
+ * const proof = await createSubscriptionProof(
+ *   'did:key:z6Mk...',
+ *   'a1b2c3...',
+ *   mlDsaPrivateKey,
+ *   Date.now() + 30 * 24 * 60 * 60 * 1000
+ * );
+ * ```
+ */
+async function createSubscriptionProof(peerDid, bloomFilterHash, privateKey, expiresAt) {
+    const assertedAt = Date.now();
+    const expiresAtFinal = expiresAt ?? (assertedAt + 30 * 24 * 60 * 60 * 1000); // 30 days default
+    // Build proof without signature
+    const proofWithoutSig = {
+        type: 'SubscriptionProof',
+        version: '1.0',
+        peer_did: peerDid,
+        bloom_filter_hash: bloomFilterHash,
+        asserted_at: assertedAt,
+        expires_at: expiresAtFinal,
+    };
+    // Serialize and sign
+    const dataToSign = serializeForSigning(proofWithoutSig);
+    const signatureResult = await (0, identity_js_1.signMlDsa65)(privateKey, dataToSign);
+    if (!signatureResult.ok) {
+        return (0, shared_1.err)('SIGNATURE_VERIFICATION_FAILED');
+    }
+    const signature = signatureResult.value;
+    if (signature.length !== identity_js_1.ML_DSA65_SIG_BYTES) {
+        return (0, shared_1.err)('SIGNATURE_VERIFICATION_FAILED');
+    }
+    // Build final proof
+    const proof = {
+        ...proofWithoutSig,
+        peer_signature_algorithm: 'ML-DSA-65',
+        peer_signature: toBase64(signature),
+    };
+    return (0, shared_1.ok)(proof);
+}
+/**
+ * Verify a subscription proof (gateway-side).
+ *
+ * Validates the ML-DSA-65 signature and checks expiration.
+ *
+ * @param proof - Subscription proof to verify.
+ * @param peerPublicKey - 1952-byte ML-DSA-65 public key of the subscriber.
+ * @returns true if valid, false if invalid or expired.
+ *
+ * @example
+ * ```typescript
+ * const isValid = await verifySubscriptionProof(proof, mlDsaPublicKey);
+ * if (isValid.ok && isValid.value) {
+ *   // Resume subscription
+ * }
+ * ```
+ */
+async function verifySubscriptionProof(proof, peerPublicKey) {
+    // Check proof version
+    if (proof.version !== '1.0' || proof.type !== 'SubscriptionProof') {
+        return (0, shared_1.ok)(false);
+    }
+    // Check expiration
+    if (Date.now() > proof.expires_at) {
+        return (0, shared_1.err)('EXPIRED');
+    }
+    // Check signature algorithm
+    if (proof.peer_signature_algorithm !== 'ML-DSA-65') {
+        return (0, shared_1.ok)(false);
+    }
+    // Decode signature
+    let signature;
+    try {
+        signature = fromBase64(proof.peer_signature);
+    }
+    catch {
+        return (0, shared_1.ok)(false);
+    }
+    if (signature.length !== identity_js_1.ML_DSA65_SIG_BYTES) {
+        return (0, shared_1.ok)(false);
+    }
+    // Reconstruct signed data
+    const proofWithoutSig = {
+        type: proof.type,
+        version: proof.version,
+        peer_did: proof.peer_did,
+        bloom_filter_hash: proof.bloom_filter_hash,
+        asserted_at: proof.asserted_at,
+        expires_at: proof.expires_at,
+    };
+    const dataToVerify = serializeForSigning(proofWithoutSig);
+    // Verify signature
+    const verifyResult = await (0, identity_js_1.verifyMlDsa65)(peerPublicKey, signature, dataToVerify);
+    if (!verifyResult.ok) {
+        return (0, shared_1.err)('SIGNATURE_VERIFICATION_FAILED');
+    }
+    return (0, shared_1.ok)(verifyResult.value);
+}
+/**
+ * Resume subscription on a new gateway using a proof.
+ *
+ * Presents the subscription proof to the new gateway, allowing the client
+ * to resume receiving trust events without re-subscribing.
+ *
+ * @param proof - Valid subscription proof.
+ * @param newGatewayUrl - Base URL of the new gateway (e.g., https://atelier2.xail.io).
+ * @returns Success or network error.
+ *
+ * @example
+ * ```typescript
+ * const result = await resumeSubscription(proof, 'https://atelier2.xail.io');
+ * if (result.ok) {
+ *   console.log('Subscription resumed on new gateway');
+ * }
+ * ```
+ */
+async function resumeSubscription(proof, newGatewayUrl) {
+    try {
+        const baseUrl = newGatewayUrl.replace(/\/$/, '');
+        const response = await fetch(`${baseUrl}/trust/resume`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(proof),
+        });
+        if (!response.ok) {
+            return (0, shared_1.err)('NETWORK_ERROR');
+        }
+        return (0, shared_1.ok)(undefined);
+    }
+    catch {
+        return (0, shared_1.err)('NETWORK_ERROR');
+    }
+}
+/**
+ * Compute SHA-256 hash of a bloom filter for proof creation.
+ *
+ * @param bloomFilter - Bloom filter bytes.
+ * @returns Hex-encoded SHA-256 hash.
+ *
+ * @example
+ * ```typescript
+ * const hash = await hashBloomFilter(bloomFilterBytes);
+ * if (hash.ok) {
+ *   const proof = await createSubscriptionProof(did, hash.value, privateKey);
+ * }
+ * ```
+ */
+async function hashBloomFilter(bloomFilter) {
+    return sha256Hash(bloomFilter);
+}

package/dist-standalone/cjs/succession.js

@@ -1 +1,148 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.createSuccession=createSuccession,exports.verifySuccession=verifySuccession,exports.encodeSuccession=encodeSuccession,exports.decodeSuccession=decodeSuccession;const identity_js_1=require("./identity.js"),shared_1=require("../_deps/shared/index.js");async function createSuccession(e,r,t,n,i,s=6048e5){const o=Date.now(),a=o,c=o+2592e6,d=`${e}||${t}||${i}||${a}||${c}||${s}||${o}`,_=(new TextEncoder).encode(d),u=await(0,identity_js_1.signMlDsa65)(r,_);if(!u.ok)return(0,shared_1.err)("SIGN_FAILED");const f=await(0,identity_js_1.signMlDsa65)(n,_);return f.ok?(0,shared_1.ok)({oldDid:e,newDid:t,rotation_sequence:i,effective_at:a,expires_at:c,grace_period_ms:s,timestamp:o,oldSignature:u.value,newSignature:f.value}):(0,shared_1.err)("SIGN_FAILED")}async function verifySuccession(e,r,t){const n=`${e.oldDid}||${e.newDid}||${e.rotation_sequence}||${e.effective_at}||${e.expires_at}||${e.grace_period_ms}||${e.timestamp}`,i=(new TextEncoder).encode(n),s=await(0,identity_js_1.verifyMlDsa65)(r,e.oldSignature,i);if(!s.ok)return(0,shared_1.err)("VERIFY_FAILED");const o=await(0,identity_js_1.verifyMlDsa65)(t,e.newSignature,i);if(!o.ok)return(0,shared_1.err)("VERIFY_FAILED");const a=s.value&&o.value;return(0,shared_1.ok)(a)}function encodeSuccession(e){return[e.oldDid,e.newDid,e.rotation_sequence.toString(),e.effective_at.toString(),e.expires_at.toString(),e.grace_period_ms.toString(),e.timestamp.toString(),Buffer.from(e.oldSignature).toString("base64"),Buffer.from(e.newSignature).toString("base64")].join("||")}function decodeSuccession(e){const r=e.split("||");if(9!==r.length)return(0,shared_1.err)("INVALID_FORMAT");const t=r[0],n=r[1],i=r[2],s=r[3],o=r[4],a=r[5],c=r[6],d=r[7],_=r[8];if(!(t&&n&&i&&s&&o&&a&&c&&d&&_))return(0,shared_1.err)("INVALID_FORMAT");const u=parseInt(i,10),f=parseInt(s,10),S=parseInt(o,10),p=parseInt(a,10),g=parseInt(c,10);if(isNaN(u)||u<0||isNaN(f)||f<0||isNaN(S)||S<0||isNaN(p)||p<0||isNaN(g)||g<0)return(0,shared_1.err)("INVALID_TIMESTAMP");try{return(0,shared_1.ok)({oldDid:t,newDid:n,rotation_sequence:u,effective_at:f,expires_at:S,grace_period_ms:p,timestamp:g,oldSignature:new Uint8Array(Buffer.from(d,"base64")),newSignature:new Uint8Array(Buffer.from(_,"base64"))})}catch{return(0,shared_1.err)("INVALID_FORMAT")}}
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSuccession = createSuccession;
+exports.verifySuccession = verifySuccession;
+exports.encodeSuccession = encodeSuccession;
+exports.decodeSuccession = decodeSuccession;
+const identity_js_1 = require("./identity.js");
+const shared_1 = require("../_deps/shared/index.js");
+/**
+ * Create DID succession announcement with dual signatures.
+ *
+ * Format: did:key:OLD||did:key:NEW||sequence||effective_at||expires_at||grace_period||timestamp||sig_OLD||sig_NEW
+ * Both old and new keys must sign to prove possession.
+ *
+ * @param oldDid - DID being rotated (old key)
+ * @param oldPrivateKey - ML-DSA-65 secret key (32-byte seed) for old DID
+ * @param newDid - DID replacing old DID
+ * @param newPrivateKey - ML-DSA-65 secret key (32-byte seed) for new DID
+ * @param rotationSequence - Monotonically increasing sequence number
+ * @param gracePeriodMs - Overlap window in milliseconds (default: 7 days)
+ * @returns Succession announcement with dual signatures or error
+ */
+async function createSuccession(oldDid, oldPrivateKey, newDid, newPrivateKey, rotationSequence, gracePeriodMs = 7 * 24 * 60 * 60 * 1000 // 7 days default
+) {
+    const timestamp = Date.now();
+    const effective_at = timestamp;
+    const expires_at = timestamp + 30 * 24 * 60 * 60 * 1000; // 30 days proof validity
+    const message = `${oldDid}||${newDid}||${rotationSequence}||${effective_at}||${expires_at}||${gracePeriodMs}||${timestamp}`;
+    const messageBytes = new TextEncoder().encode(message);
+    const oldSigResult = await (0, identity_js_1.signMlDsa65)(oldPrivateKey, messageBytes);
+    if (!oldSigResult.ok) {
+        return (0, shared_1.err)('SIGN_FAILED');
+    }
+    const newSigResult = await (0, identity_js_1.signMlDsa65)(newPrivateKey, messageBytes);
+    if (!newSigResult.ok) {
+        return (0, shared_1.err)('SIGN_FAILED');
+    }
+    return (0, shared_1.ok)({
+        oldDid,
+        newDid,
+        rotation_sequence: rotationSequence,
+        effective_at,
+        expires_at,
+        grace_period_ms: gracePeriodMs,
+        timestamp,
+        oldSignature: oldSigResult.value,
+        newSignature: newSigResult.value
+    });
+}
+/**
+ * Verify succession announcement dual signatures.
+ *
+ * Both old and new keys must have valid signatures.
+ * Also checks sequence monotonicity (new sequence must be greater than current).
+ *
+ * @param announcement - Succession announcement to verify
+ * @param oldPublicKey - ML-DSA-65 public key (1952 bytes) for old DID
+ * @param newPublicKey - ML-DSA-65 public key (1952 bytes) for new DID
+ * @returns true if both signatures valid, false otherwise
+ */
+async function verifySuccession(announcement, oldPublicKey, newPublicKey) {
+    const message = `${announcement.oldDid}||${announcement.newDid}||${announcement.rotation_sequence}||${announcement.effective_at}||${announcement.expires_at}||${announcement.grace_period_ms}||${announcement.timestamp}`;
+    const messageBytes = new TextEncoder().encode(message);
+    const oldValidResult = await (0, identity_js_1.verifyMlDsa65)(oldPublicKey, announcement.oldSignature, messageBytes);
+    if (!oldValidResult.ok) {
+        return (0, shared_1.err)('VERIFY_FAILED');
+    }
+    const newValidResult = await (0, identity_js_1.verifyMlDsa65)(newPublicKey, announcement.newSignature, messageBytes);
+    if (!newValidResult.ok) {
+        return (0, shared_1.err)('VERIFY_FAILED');
+    }
+    const bothValid = oldValidResult.value && newValidResult.value;
+    return (0, shared_1.ok)(bothValid);
+}
+/**
+ * Encode succession announcement to wire format.
+ *
+ * Format: did:key:OLD||did:key:NEW||sequence||effective_at||expires_at||grace_period||timestamp||sig_OLD||sig_NEW
+ *
+ * @param announcement - Succession announcement to encode
+ * @returns Wire format string (base64-encoded signatures)
+ */
+function encodeSuccession(announcement) {
+    const parts = [
+        announcement.oldDid,
+        announcement.newDid,
+        announcement.rotation_sequence.toString(),
+        announcement.effective_at.toString(),
+        announcement.expires_at.toString(),
+        announcement.grace_period_ms.toString(),
+        announcement.timestamp.toString(),
+        Buffer.from(announcement.oldSignature).toString('base64'),
+        Buffer.from(announcement.newSignature).toString('base64')
+    ];
+    return parts.join('||');
+}
+/**
+ * Decode succession announcement from wire format.
+ *
+ * @param encoded - Wire format string
+ * @returns Parsed succession announcement or error
+ */
+function decodeSuccession(encoded) {
+    const parts = encoded.split('||');
+    if (parts.length !== 9) {
+        return (0, shared_1.err)('INVALID_FORMAT');
+    }
+    const oldDid = parts[0];
+    const newDid = parts[1];
+    const sequenceStr = parts[2];
+    const effectiveAtStr = parts[3];
+    const expiresAtStr = parts[4];
+    const gracePeriodStr = parts[5];
+    const timestampStr = parts[6];
+    const oldSigB64 = parts[7];
+    const newSigB64 = parts[8];
+    if (!oldDid || !newDid || !sequenceStr || !effectiveAtStr || !expiresAtStr || !gracePeriodStr || !timestampStr || !oldSigB64 || !newSigB64) {
+        return (0, shared_1.err)('INVALID_FORMAT');
+    }
+    const rotation_sequence = parseInt(sequenceStr, 10);
+    const effective_at = parseInt(effectiveAtStr, 10);
+    const expires_at = parseInt(expiresAtStr, 10);
+    const grace_period_ms = parseInt(gracePeriodStr, 10);
+    const timestamp = parseInt(timestampStr, 10);
+    if (isNaN(rotation_sequence) || rotation_sequence < 0 ||
+        isNaN(effective_at) || effective_at < 0 ||
+        isNaN(expires_at) || expires_at < 0 ||
+        isNaN(grace_period_ms) || grace_period_ms < 0 ||
+        isNaN(timestamp) || timestamp < 0) {
+        return (0, shared_1.err)('INVALID_TIMESTAMP');
+    }
+    try {
+        return (0, shared_1.ok)({
+            oldDid,
+            newDid,
+            rotation_sequence,
+            effective_at,
+            expires_at,
+            grace_period_ms,
+            timestamp,
+            oldSignature: new Uint8Array(Buffer.from(oldSigB64, 'base64')),
+            newSignature: new Uint8Array(Buffer.from(newSigB64, 'base64'))
+        });
+    }
+    catch {
+        return (0, shared_1.err)('INVALID_FORMAT');
+    }
+}