@private.me/xbind 3.0.1 → 3.0.2

package/dist-standalone/trust-registry.js

@@ -1 +1,950 @@
-import{ok,err}from"./_deps/shared/index.js";import*as fs from"node:fs/promises";import*as path from"node:path";function isExpired(e){return!!e.expiresAt&&Date.now()>e.expiresAt}export class RegistrationRateLimiter{perIPTimestamps=new Map;globalTimestamps=[];perIPLimit;globalLimit;windowMs;cleanupInterval=null;constructor(e=10,t=1e3,i=36e5){this.perIPLimit=e,this.globalLimit=t,this.windowMs=i,this.cleanupInterval=setInterval(()=>this.cleanup(),3e5)}checkLimit(e){const t=Date.now()-this.windowMs;if((this.perIPTimestamps.get(e)||[]).filter(e=>e>t).length>=this.perIPLimit)return!1;return!(this.globalTimestamps.filter(e=>e>t).length>=this.globalLimit)}recordRegistration(e){const t=Date.now(),i=this.perIPTimestamps.get(e)||[];i.push(t),this.perIPTimestamps.set(e,i),this.globalTimestamps.push(t)}getRemainingForIP(e){const t=Date.now()-this.windowMs,i=(this.perIPTimestamps.get(e)||[]).filter(e=>e>t);return Math.max(0,this.perIPLimit-i.length)}getRemainingGlobal(){const e=Date.now()-this.windowMs,t=this.globalTimestamps.filter(t=>t>e);return Math.max(0,this.globalLimit-t.length)}getResetTimeForIP(e){const t=this.perIPTimestamps.get(e)||[];if(0===t.length)return null;const i=t[0];return i?i+this.windowMs:null}cleanup(){const e=Date.now()-this.windowMs;for(const[t,i]of this.perIPTimestamps.entries()){const s=i.filter(t=>t>e);0===s.length?this.perIPTimestamps.delete(t):this.perIPTimestamps.set(t,s)}const t=this.globalTimestamps.filter(t=>t>e);this.globalTimestamps.length=0,this.globalTimestamps.push(...t)}destroy(){this.cleanupInterval&&(clearInterval(this.cleanupInterval),this.cleanupInterval=null)}reset(){this.perIPTimestamps.clear(),this.globalTimestamps.length=0}}export class MemoryTrustRegistry{entries=new Map;rateLimiter;constructor(e){e?.enableRateLimiting&&(this.rateLimiter=e.rateLimiter||new RegistrationRateLimiter)}async register(e,t,i,s,r,n,o,a,c,l,h,p,u,d){if(this.rateLimiter&&d&&!this.rateLimiter.checkLimit(d))return err("RATE_LIMIT_EXCEEDED");if(this.entries.has(e))return err("ALREADY_REGISTERED");const y=u?Date.now()+u:void 0;return this.entries.set(e,{did:e,publicKey:t,name:i,scopes:new Set(s??[]),receiveScopes:c?new Set(c):void 0,revoked:!1,rotation_sequence:1,x25519PublicKey:r,mlKemPublicKey:n,mlDsaPublicKey:o,xchange:a,sdkVersion:l,minEnvelopeVersion:h,maxEnvelopeVersion:p,expiresAt:y}),this.rateLimiter&&d&&this.rateLimiter.recordRegistration(d),ok(void 0)}async resolve(e){const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):t.revoked?err("REVOKED"):ok(t.publicKey):err("NOT_FOUND")}async hasScope(e,t){const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&i.scopes.has(t)}async hasReceiveScope(e,t){const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&(!i.receiveScopes||i.receiveScopes.has(t))}async revoke(e){const t=this.entries.get(e);return t?(this.entries.set(e,{...t,revoked:!0}),ok(void 0)):err("NOT_FOUND")}async getEntry(e){const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):ok(t):err("NOT_FOUND")}async updateScopes(e,t){const i=this.entries.get(e);return i?isExpired(i)?err("EXPIRED"):i.revoked?err("REVOKED"):(this.entries.set(e,{...i,scopes:new Set(t)}),ok(void 0)):err("NOT_FOUND")}async cleanup(){let e=0;const t=Date.now();for(const[i,s]of this.entries)s.expiresAt&&t>s.expiresAt&&(this.entries.delete(i),e++);return e}get size(){return this.entries.size}}export class HttpTrustRegistry{baseUrl;fetchFn;cacheTtlMs;cacheFailureMode;enablePush;bloomFilterSize;bloomFilterFpr;resolveCache=new Map;entryCache=new Map;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.fetchFn=e.fetch??globalThis.fetch.bind(globalThis),this.cacheTtlMs=e.cacheTtlMs??3e4,this.cacheFailureMode=e.cacheFailureMode??"fail-secure",this.enablePush=e.enablePush??!1,this.bloomFilterSize=e.bloomFilterSize??1e4,this.bloomFilterFpr=e.bloomFilterFpr??.01}clearCache(){this.resolveCache.clear(),this.entryCache.clear()}async register(e,t,i,s,r,n,o,a,c,l,h,p,u,d){try{const d=await this.fetchFn(`${this.baseUrl}/registry/register`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({did:e,publicKey:Array.from(t),name:i,scopes:s??[],...c?{receiveScopes:c}:{},...r?{x25519PublicKey:Array.from(r)}:{},...n?{mlKemPublicKey:Array.from(n)}:{},...o?{mlDsaPublicKey:Array.from(o)}:{},...void 0!==a?{xchange:a}:{},...void 0!==l?{sdkVersion:l}:{},...void 0!==h?{minEnvelopeVersion:h}:{},...void 0!==p?{maxEnvelopeVersion:p}:{},...void 0!==u?{ttlMs:u}:{}})});return 409===d.status?err("ALREADY_REGISTERED"):429===d.status?err("RATE_LIMIT_EXCEEDED"):d.ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}async resolve(e){if(this.cacheTtlMs>0){const t=this.resolveCache.get(e);if(t&&t.expiry>Date.now())return t.value}let t;try{const i=await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(e)}`);if(404===i.status)t=err("NOT_FOUND");else if(408===i.status)t=err("EXPIRED");else if(410===i.status)t=err("REVOKED");else if(i.ok){const e=await i.json();t=ok(new Uint8Array(e.publicKey))}else t=err("NETWORK_ERROR")}catch{const i=this.resolveCache.get(e);if("fail-secure"===this.cacheFailureMode)t=err("NETWORK_ERROR");else{if(i)return i.value;t=err("NETWORK_ERROR")}}return this.cacheTtlMs>0&&this.resolveCache.set(e,{value:t,expiry:Date.now()+this.cacheTtlMs}),t}async hasScope(e,t){try{return(await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(e)}/${encodeURIComponent(t)}`)).ok}catch{return!1}}async hasReceiveScope(e,t){try{return(await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(e)}/${encodeURIComponent(t)}`)).ok}catch{return!1}}async revoke(e){try{const t=await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(e)}`,{method:"POST"});return 404===t.status?err("NOT_FOUND"):t.ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}async getEntry(e){if(this.cacheTtlMs>0){const t=this.entryCache.get(e);if(t&&t.expiry>Date.now())return t.value}let t;try{const i=await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(e)}`);if(404===i.status)t=err("NOT_FOUND");else if(408===i.status)t=err("EXPIRED");else if(i.ok){const e=await i.json();t=ok({did:e.did,publicKey:new Uint8Array(e.publicKey),name:e.name,scopes:new Set(e.scopes),receiveScopes:e.receiveScopes?new Set(e.receiveScopes):void 0,revoked:e.revoked,rotation_sequence:e.rotation_sequence??1,x25519PublicKey:e.x25519PublicKey?new Uint8Array(e.x25519PublicKey):void 0,mlKemPublicKey:e.mlKemPublicKey?new Uint8Array(e.mlKemPublicKey):void 0,mlDsaPublicKey:e.mlDsaPublicKey?new Uint8Array(e.mlDsaPublicKey):void 0,xchange:e.xchange,sdkVersion:e.sdkVersion,minEnvelopeVersion:e.minEnvelopeVersion,maxEnvelopeVersion:e.maxEnvelopeVersion,expiresAt:e.expiresAt})}else t=err("NETWORK_ERROR")}catch{t=err("NETWORK_ERROR")}return this.cacheTtlMs>0&&this.entryCache.set(e,{value:t,expiry:Date.now()+this.cacheTtlMs}),t}async rotate(e,t,i,s){const r=await this.fetchFn(`${this.baseUrl}/registry/rotate`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({did:e,newPublicKey:Array.from(t),proof:Array.from(i),rotationSequence:s})});if(!r.ok)throw new Error(`Key rotation failed: ${r.status} ${r.statusText}`);this.resolveCache.delete(e),this.entryCache.delete(e)}async subscribe(e,t){if(!this.enablePush)throw new Error("Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)");const i=new Set(e.map(e=>this.hashDid(e))),s=this.baseUrl.replace(/^http/,"ws")+"/trust/events",r=new globalThis.WebSocket(s);return r.addEventListener("open",()=>{r.send(JSON.stringify({type:"subscribe",dids:e,bloomSize:this.bloomFilterSize,bloomFpr:this.bloomFilterFpr}))}),r.addEventListener("message",e=>{try{const s=JSON.parse(e.data),r=this.hashDid(s.did);i.has(r)&&("revocation"!==s.type&&"succession"!==s.type||(this.resolveCache.delete(s.did),this.entryCache.delete(s.did)),t(s))}catch(e){console.warn("Failed to parse trust event:",e)}}),r.addEventListener("error",e=>{console.error("WebSocket error:",e)}),()=>{r.readyState===globalThis.WebSocket.OPEN&&r.close()}}hashDid(e){let t=0;for(let i=0;i<e.length;i++)t=(t<<5)-t+e.charCodeAt(i),t&=t;return t}async resumeSubscriptions(e){try{return(await this.fetchFn(`${this.baseUrl}/trust/resume-batch`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({proofs:e})})).ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}async fetchCheckpoint(e){try{const t=await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(e)}`);if(404===t.status)return err("NOT_FOUND");if(!t.ok)return err("NETWORK_ERROR");const i=await t.json();return ok(i)}catch{return err("NETWORK_ERROR")}}async updateScopes(e,t){try{const i=await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(e)}/scopes`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({scopes:t})});return 404===i.status?err("NOT_FOUND"):410===i.status?err("REVOKED"):i.ok?(this.resolveCache.delete(e),this.entryCache.delete(e),ok(void 0)):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}}export class FileTrustRegistry{path;entries=new Map;initialized=!1;constructor(e){this.path=e.path}async init(){if(!this.initialized){try{await fs.mkdir(path.dirname(this.path),{recursive:!0});const e=(await fs.readFile(this.path,"utf-8").catch(()=>"")).split("\n").filter(e=>e.trim());for(const t of e){const e=JSON.parse(t);if("register"===e.type&&e.publicKey&&e.name)this.entries.set(e.did,{did:e.did,publicKey:new Uint8Array(e.publicKey),name:e.name,scopes:new Set(e.scopes??[]),receiveScopes:e.receiveScopes?new Set(e.receiveScopes):void 0,revoked:!1,rotation_sequence:e.rotation_sequence??1,x25519PublicKey:e.x25519PublicKey?new Uint8Array(e.x25519PublicKey):void 0,mlKemPublicKey:e.mlKemPublicKey?new Uint8Array(e.mlKemPublicKey):void 0,mlDsaPublicKey:e.mlDsaPublicKey?new Uint8Array(e.mlDsaPublicKey):void 0,xchange:e.xchange,sdkVersion:e.sdkVersion,minEnvelopeVersion:e.minEnvelopeVersion,maxEnvelopeVersion:e.maxEnvelopeVersion,expiresAt:e.expiresAt});else if("revoke"===e.type){const t=this.entries.get(e.did);t&&this.entries.set(e.did,{...t,revoked:!0})}else if("update-scopes"===e.type){const t=this.entries.get(e.did);t&&this.entries.set(e.did,{...t,scopes:new Set(e.scopes??[])})}else if("rotate"===e.type&&e.publicKey&&e.rotation_sequence){const t=this.entries.get(e.did);t&&e.rotation_sequence>t.rotation_sequence&&this.entries.set(e.did,{...t,publicKey:new Uint8Array(e.publicKey),rotation_sequence:e.rotation_sequence})}}}catch(e){}this.initialized=!0}}async append(e){await fs.appendFile(this.path,JSON.stringify(e)+"\n","utf-8")}async register(e,t,i,s,r,n,o,a,c,l,h,p,u,d){if(await this.init(),this.entries.has(e))return err("ALREADY_REGISTERED");const y=u?Date.now()+u:void 0,m={did:e,publicKey:t,name:i,scopes:new Set(s??[]),receiveScopes:c?new Set(c):void 0,revoked:!1,rotation_sequence:1,x25519PublicKey:r,mlKemPublicKey:n,mlDsaPublicKey:o,xchange:a,sdkVersion:l,minEnvelopeVersion:h,maxEnvelopeVersion:p,expiresAt:y};return this.entries.set(e,m),await this.append({type:"register",did:e,publicKey:Array.from(t),name:i,scopes:s??[],rotation_sequence:1,...c?{receiveScopes:c}:{},...r?{x25519PublicKey:Array.from(r)}:{},...n?{mlKemPublicKey:Array.from(n)}:{},...o?{mlDsaPublicKey:Array.from(o)}:{},...void 0!==a?{xchange:a}:{},...void 0!==l?{sdkVersion:l}:{},...void 0!==h?{minEnvelopeVersion:h}:{},...void 0!==p?{maxEnvelopeVersion:p}:{},...void 0!==y?{expiresAt:y}:{}}),ok(void 0)}async resolve(e){await this.init();const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):t.revoked?err("REVOKED"):ok(t.publicKey):err("NOT_FOUND")}async hasScope(e,t){await this.init();const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&i.scopes.has(t)}async hasReceiveScope(e,t){await this.init();const i=this.entries.get(e);return!(!i||isExpired(i)||i.revoked)&&(!i.receiveScopes||i.receiveScopes.has(t))}async revoke(e){await this.init();const t=this.entries.get(e);return t?(this.entries.set(e,{...t,revoked:!0}),await this.append({type:"revoke",did:e}),ok(void 0)):err("NOT_FOUND")}async getEntry(e){await this.init();const t=this.entries.get(e);return t?isExpired(t)?err("EXPIRED"):ok(t):err("NOT_FOUND")}async updateScopes(e,t){await this.init();const i=this.entries.get(e);return i?isExpired(i)?err("EXPIRED"):i.revoked?err("REVOKED"):(this.entries.set(e,{...i,scopes:new Set(t)}),await this.append({type:"update-scopes",did:e,scopes:t}),ok(void 0)):err("NOT_FOUND")}async cleanup(){await this.init();let e=0;const t=Date.now();for(const[i,s]of this.entries)s.expiresAt&&t>s.expiresAt&&(this.entries.delete(i),e++);return e}async rotate(e,t,i,s){await this.init();const r=this.entries.get(e);if(!r)throw new Error(`DID not found: ${e}`);if(s<=r.rotation_sequence)throw new Error(`Rotation sequence ${s} must be > current ${r.rotation_sequence} (rollback attack prevented)`);await this.append({type:"rotate",did:e,publicKey:Array.from(t),proof:Array.from(i),rotation_sequence:s,timestamp:Date.now()}),this.entries.set(e,{...r,publicKey:t,rotation_sequence:s})}get size(){return this.entries.size}}export async function createEnterpriseTrustRegistry(e){let t;if("file"===e.storage){if(!e.path)throw new Error("FileTrustRegistry requires path option");t=new FileTrustRegistry({path:e.path})}else if("http"===e.storage){if(!e.baseUrl)throw new Error("HttpTrustRegistry requires baseUrl option");t=new HttpTrustRegistry({baseUrl:e.baseUrl})}else t=new MemoryTrustRegistry;if(e.preload)for(const i of e.preload)await t.register(i.did,i.publicKey,i.name,i.scopes,i.x25519PublicKey,i.mlKemPublicKey,i.mlDsaPublicKey,i.xchange,i.receiveScopes,i.sdkVersion,i.minEnvelopeVersion,i.maxEnvelopeVersion);return t}
+import { ok, err } from"./_deps/shared/index.js";
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+/* ── Types ── */
+/** Check if a registry entry has expired. */
+function isExpired(entry) {
+    if (!entry.expiresAt)
+        return false;
+    return Date.now() > entry.expiresAt;
+}
+/* ── Rate Limiting ── */
+/**
+ * Rate limiter for DID registration endpoints.
+ *
+ * Implements sliding window algorithm with:
+ * - Per-IP limit: 10 registrations/hour
+ * - Global limit: 1000 registrations/hour
+ *
+ * Prevents DID registration spam attacks (SCALE-1).
+ */
+export class RegistrationRateLimiter {
+    perIPTimestamps = new Map();
+    globalTimestamps = [];
+    perIPLimit;
+    globalLimit;
+    windowMs;
+    cleanupInterval = null;
+    /**
+     * Create a new registration rate limiter.
+     *
+     * @param perIPLimit - Maximum registrations per IP in time window (default: 10)
+     * @param globalLimit - Maximum global registrations in time window (default: 1000)
+     * @param windowMs - Time window in milliseconds (default: 3600000 = 1 hour)
+     */
+    constructor(perIPLimit = 10, globalLimit = 1000, windowMs = 3600000) {
+        this.perIPLimit = perIPLimit;
+        this.globalLimit = globalLimit;
+        this.windowMs = windowMs;
+        // Cleanup old timestamps every 5 minutes
+        this.cleanupInterval = setInterval(() => this.cleanup(), 300000);
+    }
+    /**
+     * Check if registration is allowed for the given IP.
+     *
+     * @param ip - Client IP address
+     * @returns True if allowed, false if rate limited
+     */
+    checkLimit(ip) {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        // Check per-IP limit
+        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
+        const recentIPRequests = ipTimestamps.filter((t) => t > windowStart);
+        if (recentIPRequests.length >= this.perIPLimit) {
+            return false;
+        }
+        // Check global limit
+        const recentGlobalRequests = this.globalTimestamps.filter((t) => t > windowStart);
+        if (recentGlobalRequests.length >= this.globalLimit) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Record a registration attempt.
+     *
+     * Call this AFTER successful registration to avoid counting failures.
+     *
+     * @param ip - Client IP address
+     */
+    recordRegistration(ip) {
+        const now = Date.now();
+        // Record per-IP
+        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
+        ipTimestamps.push(now);
+        this.perIPTimestamps.set(ip, ipTimestamps);
+        // Record global
+        this.globalTimestamps.push(now);
+    }
+    /**
+     * Get remaining registrations for an IP.
+     *
+     * @param ip - Client IP address
+     * @returns Remaining registrations allowed
+     */
+    getRemainingForIP(ip) {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
+        const recentIPRequests = ipTimestamps.filter((t) => t > windowStart);
+        return Math.max(0, this.perIPLimit - recentIPRequests.length);
+    }
+    /**
+     * Get remaining global registrations.
+     *
+     * @returns Remaining global registrations allowed
+     */
+    getRemainingGlobal() {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        const recentGlobalRequests = this.globalTimestamps.filter((t) => t > windowStart);
+        return Math.max(0, this.globalLimit - recentGlobalRequests.length);
+    }
+    /**
+     * Get reset time for an IP's rate limit.
+     *
+     * @param ip - Client IP address
+     * @returns Unix timestamp (ms) when limit resets, or null if not rate limited
+     */
+    getResetTimeForIP(ip) {
+        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
+        if (ipTimestamps.length === 0)
+            return null;
+        const oldestTimestamp = ipTimestamps[0];
+        if (!oldestTimestamp)
+            return null;
+        return oldestTimestamp + this.windowMs;
+    }
+    /**
+     * Cleanup old timestamps to prevent memory leaks.
+     *
+     * Removes entries with no requests in the last window period.
+     */
+    cleanup() {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        // Cleanup per-IP timestamps
+        for (const [ip, timestamps] of this.perIPTimestamps.entries()) {
+            const recentRequests = timestamps.filter((t) => t > windowStart);
+            if (recentRequests.length === 0) {
+                this.perIPTimestamps.delete(ip);
+            }
+            else {
+                this.perIPTimestamps.set(ip, recentRequests);
+            }
+        }
+        // Cleanup global timestamps
+        const recentGlobalRequests = this.globalTimestamps.filter((t) => t > windowStart);
+        this.globalTimestamps.length = 0;
+        this.globalTimestamps.push(...recentGlobalRequests);
+    }
+    /**
+     * Stop cleanup interval (for testing or shutdown).
+     */
+    destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+    }
+    /**
+     * Reset all rate limits (for testing).
+     */
+    reset() {
+        this.perIPTimestamps.clear();
+        this.globalTimestamps.length = 0;
+    }
+}
+/* ── Memory Implementation ── */
+/**
+ * In-memory trust registry for development and testing.
+ */
+export class MemoryTrustRegistry {
+    entries = new Map();
+    rateLimiter;
+    constructor(opts) {
+        if (opts?.enableRateLimiting) {
+            this.rateLimiter = opts.rateLimiter || new RegistrationRateLimiter();
+        }
+    }
+    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes, sdkVersion, minEnvelopeVersion, maxEnvelopeVersion, ttlMs, clientIP) {
+        // Check rate limit if enabled
+        if (this.rateLimiter && clientIP) {
+            if (!this.rateLimiter.checkLimit(clientIP)) {
+                return err('RATE_LIMIT_EXCEEDED');
+            }
+        }
+        if (this.entries.has(did))
+            return err('ALREADY_REGISTERED');
+        const expiresAt = ttlMs ? Date.now() + ttlMs : undefined;
+        this.entries.set(did, {
+            did,
+            publicKey,
+            name,
+            scopes: new Set(scopes ?? []),
+            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
+            revoked: false,
+            rotation_sequence: 1, // Initial sequence starts at 1
+            x25519PublicKey,
+            mlKemPublicKey,
+            mlDsaPublicKey,
+            xchange,
+            sdkVersion,
+            minEnvelopeVersion,
+            maxEnvelopeVersion,
+            expiresAt,
+        });
+        // Record registration after success
+        if (this.rateLimiter && clientIP) {
+            this.rateLimiter.recordRegistration(clientIP);
+        }
+        return ok(undefined);
+    }
+    async resolve(did) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        if (isExpired(entry))
+            return err('EXPIRED');
+        if (entry.revoked)
+            return err('REVOKED');
+        return ok(entry.publicKey);
+    }
+    async hasScope(did, scope) {
+        const entry = this.entries.get(did);
+        if (!entry || isExpired(entry) || entry.revoked)
+            return false;
+        return entry.scopes.has(scope);
+    }
+    async hasReceiveScope(did, scope) {
+        const entry = this.entries.get(did);
+        if (!entry || isExpired(entry) || entry.revoked)
+            return false;
+        // Undefined = accept all scopes (backward compatibility)
+        if (!entry.receiveScopes)
+            return true;
+        return entry.receiveScopes.has(scope);
+    }
+    async revoke(did) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        this.entries.set(did, { ...entry, revoked: true });
+        return ok(undefined);
+    }
+    async getEntry(did) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        if (isExpired(entry))
+            return err('EXPIRED');
+        return ok(entry);
+    }
+    async updateScopes(did, scopes) {
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        if (isExpired(entry))
+            return err('EXPIRED');
+        if (entry.revoked)
+            return err('REVOKED');
+        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
+        return ok(undefined);
+    }
+    /** Remove all expired entries from the registry. */
+    async cleanup() {
+        let removed = 0;
+        const now = Date.now();
+        for (const [did, entry] of this.entries) {
+            if (entry.expiresAt && now > entry.expiresAt) {
+                this.entries.delete(did);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    /** Number of entries (for testing). */
+    get size() {
+        return this.entries.size;
+    }
+}
+/**
+ * HTTP-backed trust registry for production use.
+ * Delegates to a remote atelier.xail.io service.
+ */
+export class HttpTrustRegistry {
+    baseUrl;
+    fetchFn;
+    cacheTtlMs;
+    cacheFailureMode;
+    enablePush;
+    bloomFilterSize;
+    bloomFilterFpr;
+    resolveCache = new Map();
+    entryCache = new Map();
+    constructor(opts) {
+        this.baseUrl = opts.baseUrl.replace(/\/$/, '');
+        this.fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
+        this.cacheTtlMs = opts.cacheTtlMs ?? 30_000;
+        this.cacheFailureMode = opts.cacheFailureMode ?? 'fail-secure';
+        this.enablePush = opts.enablePush ?? false;
+        this.bloomFilterSize = opts.bloomFilterSize ?? 10_000;
+        this.bloomFilterFpr = opts.bloomFilterFpr ?? 0.01;
+    }
+    /** Clear all cached entries. Call after registration or revocation. */
+    clearCache() {
+        this.resolveCache.clear();
+        this.entryCache.clear();
+    }
+    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes, sdkVersion, minEnvelopeVersion, maxEnvelopeVersion, ttlMs, clientIP) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/register`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    did,
+                    publicKey: Array.from(publicKey),
+                    name,
+                    scopes: scopes ?? [],
+                    ...(receiveScopes
+                        ? { receiveScopes }
+                        : {}),
+                    ...(x25519PublicKey
+                        ? { x25519PublicKey: Array.from(x25519PublicKey) }
+                        : {}),
+                    ...(mlKemPublicKey
+                        ? { mlKemPublicKey: Array.from(mlKemPublicKey) }
+                        : {}),
+                    ...(mlDsaPublicKey
+                        ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) }
+                        : {}),
+                    ...(xchange !== undefined
+                        ? { xchange }
+                        : {}),
+                    ...(sdkVersion !== undefined
+                        ? { sdkVersion }
+                        : {}),
+                    ...(minEnvelopeVersion !== undefined
+                        ? { minEnvelopeVersion }
+                        : {}),
+                    ...(maxEnvelopeVersion !== undefined
+                        ? { maxEnvelopeVersion }
+                        : {}),
+                    ...(ttlMs !== undefined
+                        ? { ttlMs }
+                        : {}),
+                }),
+            });
+            if (res.status === 409)
+                return err('ALREADY_REGISTERED');
+            if (res.status === 429)
+                return err('RATE_LIMIT_EXCEEDED');
+            if (!res.ok)
+                return err('NETWORK_ERROR');
+            return ok(undefined);
+        }
+        catch {
+            return err('NETWORK_ERROR');
+        }
+    }
+    async resolve(did) {
+        // Check cache first
+        if (this.cacheTtlMs > 0) {
+            const cached = this.resolveCache.get(did);
+            if (cached && cached.expiry > Date.now())
+                return cached.value;
+        }
+        let result;
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(did)}`);
+            if (res.status === 404)
+                result = err('NOT_FOUND');
+            else if (res.status === 408)
+                result = err('EXPIRED');
+            else if (res.status === 410)
+                result = err('REVOKED');
+            else if (!res.ok)
+                result = err('NETWORK_ERROR');
+            else {
+                const data = (await res.json());
+                result = ok(new Uint8Array(data.publicKey));
+            }
+        }
+        catch {
+            // Network failure - apply cache failure mode
+            const staleCache = this.resolveCache.get(did);
+            if (this.cacheFailureMode === 'fail-secure') {
+                // Fail-secure: reject on cache refresh failure (default)
+                result = err('NETWORK_ERROR');
+            }
+            else {
+                // Fail-open: accept stale cache if available
+                if (staleCache) {
+                    // Return stale cached value
+                    return staleCache.value;
+                }
+                result = err('NETWORK_ERROR');
+            }
+        }
+        // Update cache with fresh result (only if cache enabled)
+        if (this.cacheTtlMs > 0) {
+            this.resolveCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
+        }
+        return result;
+    }
+    async hasScope(did, scope) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async hasReceiveScope(did, scope) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async revoke(did) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(did)}`, { method: 'POST' });
+            if (res.status === 404)
+                return err('NOT_FOUND');
+            if (!res.ok)
+                return err('NETWORK_ERROR');
+            return ok(undefined);
+        }
+        catch {
+            return err('NETWORK_ERROR');
+        }
+    }
+    async getEntry(did) {
+        if (this.cacheTtlMs > 0) {
+            const cached = this.entryCache.get(did);
+            if (cached && cached.expiry > Date.now())
+                return cached.value;
+        }
+        let result;
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(did)}`);
+            if (res.status === 404)
+                result = err('NOT_FOUND');
+            else if (res.status === 408)
+                result = err('EXPIRED');
+            else if (!res.ok)
+                result = err('NETWORK_ERROR');
+            else {
+                const data = (await res.json());
+                result = ok({
+                    did: data.did,
+                    publicKey: new Uint8Array(data.publicKey),
+                    name: data.name,
+                    scopes: new Set(data.scopes),
+                    receiveScopes: data.receiveScopes ? new Set(data.receiveScopes) : undefined,
+                    revoked: data.revoked,
+                    rotation_sequence: data.rotation_sequence ?? 1,
+                    x25519PublicKey: data.x25519PublicKey
+                        ? new Uint8Array(data.x25519PublicKey)
+                        : undefined,
+                    mlKemPublicKey: data.mlKemPublicKey
+                        ? new Uint8Array(data.mlKemPublicKey)
+                        : undefined,
+                    mlDsaPublicKey: data.mlDsaPublicKey
+                        ? new Uint8Array(data.mlDsaPublicKey)
+                        : undefined,
+                    xchange: data.xchange,
+                    sdkVersion: data.sdkVersion,
+                    minEnvelopeVersion: data.minEnvelopeVersion,
+                    maxEnvelopeVersion: data.maxEnvelopeVersion,
+                    expiresAt: data.expiresAt,
+                });
+            }
+        }
+        catch {
+            result = err('NETWORK_ERROR');
+        }
+        if (this.cacheTtlMs > 0) {
+            this.entryCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
+        }
+        return result;
+    }
+    /**
+     * Rotate a DID to a new public key with cryptographic proof.
+     *
+     * Sends rotation request to gateway and invalidates local cache.
+     *
+     * @param did - DID being rotated (old key)
+     * @param newPublicKey - New public key bytes
+     * @param proof - Succession announcement (dual signatures from old and new keys)
+     * @param rotationSequence - Monotonically increasing sequence number (prevents rollback)
+     */
+    async rotate(did, newPublicKey, proof, rotationSequence) {
+        const res = await this.fetchFn(`${this.baseUrl}/registry/rotate`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                did,
+                newPublicKey: Array.from(newPublicKey),
+                proof: Array.from(proof),
+                rotationSequence,
+            }),
+        });
+        if (!res.ok) {
+            throw new Error(`Key rotation failed: ${res.status} ${res.statusText}`);
+        }
+        // Invalidate cache for this DID
+        this.resolveCache.delete(did);
+        this.entryCache.delete(did);
+    }
+    /**
+     * Subscribe to real-time trust events (revocation, key rotation).
+     *
+     * Creates a bloom filter from DIDs and connects WebSocket to gateway.
+     * Events matching subscribed DIDs trigger the callback and invalidate cache.
+     *
+     * @param dids - Array of DIDs to monitor
+     * @param callback - Function called when trust events occur
+     * @returns Unsubscribe function to stop watching
+     *
+     * @throws Error if push notifications not enabled (enablePush: true)
+     */
+    async subscribe(dids, callback) {
+        if (!this.enablePush) {
+            throw new Error('Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)');
+        }
+        // Simple bloom filter: hash each DID to track subscriptions
+        // Production implementation would use full bloom filter library
+        const bloomSet = new Set(dids.map(did => this.hashDid(did)));
+        // Convert HTTP URL to WebSocket URL
+        const wsUrl = this.baseUrl.replace(/^http/, 'ws') + '/trust/events';
+        // SAFETY: WebSocket is a standard browser/Node.js API
+        const ws = new globalThis.WebSocket(wsUrl);
+        ws.addEventListener('open', () => {
+            // Send subscription with bloom filter
+            ws.send(JSON.stringify({
+                type: 'subscribe',
+                dids: dids, // Simple implementation sends full DID list
+                bloomSize: this.bloomFilterSize,
+                bloomFpr: this.bloomFilterFpr,
+            }));
+        });
+        ws.addEventListener('message', (event) => {
+            try {
+                const trustEvent = JSON.parse(event.data);
+                // Check if event DID matches our subscription
+                const eventHash = this.hashDid(trustEvent.did);
+                if (bloomSet.has(eventHash)) {
+                    // Invalidate cache for this DID
+                    if (trustEvent.type === 'revocation' || trustEvent.type === 'succession') {
+                        this.resolveCache.delete(trustEvent.did);
+                        this.entryCache.delete(trustEvent.did);
+                    }
+                    // Notify callback
+                    callback(trustEvent);
+                }
+            }
+            catch (error) {
+                // Ignore malformed events
+                console.warn('Failed to parse trust event:', error);
+            }
+        });
+        ws.addEventListener('error', (error) => {
+            console.error('WebSocket error:', error);
+        });
+        // Return unsubscribe function
+        return () => {
+            if (ws.readyState === globalThis.WebSocket.OPEN) {
+                ws.close();
+            }
+        };
+    }
+    /**
+     * Simple hash function for bloom filter (DID → number).
+     * Production implementation would use proper bloom filter hashing.
+     */
+    hashDid(did) {
+        let hash = 0;
+        for (let i = 0; i < did.length; i++) {
+            hash = ((hash << 5) - hash) + did.charCodeAt(i);
+            hash = hash & hash; // Convert to 32-bit integer
+        }
+        return hash;
+    }
+    /**
+     * Resume subscriptions on this gateway using proofs from another gateway.
+     *
+     * Allows clients to migrate between gateways without re-subscribing.
+     * Validates proofs and restores subscription state.
+     *
+     * @param proofs - Array of subscription proofs from previous gateway.
+     * @returns Success or error.
+     *
+     * @example
+     * ```typescript
+     * const registry = new HttpTrustRegistry({ baseUrl: 'https://atelier2.xail.io' });
+     * const result = await registry.resumeSubscriptions([proof1, proof2]);
+     * ```
+     */
+    async resumeSubscriptions(proofs) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/trust/resume-batch`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ proofs }),
+            });
+            if (!res.ok)
+                return err('NETWORK_ERROR');
+            return ok(undefined);
+        }
+        catch {
+            return err('NETWORK_ERROR');
+        }
+    }
+    /**
+     * Fetch signed checkpoint for a DID (freshness primitive).
+     *
+     * Checkpoints provide cryptographic proof of DID state at a specific timestamp.
+     * Clients verify checkpoint signature and compare rotation_sequence to detect staleness.
+     *
+     * @param did - DID to fetch checkpoint for
+     * @returns Signed checkpoint or error
+     *
+     * @example
+     * ```typescript
+     * const checkpoint = await registry.fetchCheckpoint('did:key:z6Mk...');
+     * if (checkpoint.ok) {
+     *   const verified = await verifyCheckpoint(checkpoint.value, gatewayPubKey);
+     *   if (verified.ok && verified.value) {
+     *     // Use checkpoint for staleness detection
+     *     if (isCacheStale(localCache, checkpoint.value)) {
+     *       // Refresh cache
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    async fetchCheckpoint(did) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(did)}`);
+            if (res.status === 404)
+                return err('NOT_FOUND');
+            if (!res.ok)
+                return err('NETWORK_ERROR');
+            const checkpoint = (await res.json());
+            return ok(checkpoint);
+        }
+        catch {
+            return err('NETWORK_ERROR');
+        }
+    }
+    async updateScopes(did, scopes) {
+        try {
+            const res = await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(did)}/scopes`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ scopes }),
+            });
+            if (res.status === 404)
+                return err('NOT_FOUND');
+            if (res.status === 410)
+                return err('REVOKED');
+            if (!res.ok)
+                return err('NETWORK_ERROR');
+            // Clear cache for this DID
+            this.resolveCache.delete(did);
+            this.entryCache.delete(did);
+            return ok(undefined);
+        }
+        catch {
+            return err('NETWORK_ERROR');
+        }
+    }
+}
+/**
+ * File-based trust registry using JSONL append-only log.
+ * Replays all entries on initialization, keeps in-memory Map for fast access.
+ * Suitable for production deployments with local persistence.
+ */
+export class FileTrustRegistry {
+    path;
+    entries = new Map();
+    initialized = false;
+    constructor(opts) {
+        this.path = opts.path;
+    }
+    /** Initialize by replaying JSONL log. Called automatically on first operation. */
+    async init() {
+        if (this.initialized)
+            return;
+        try {
+            // Ensure directory exists
+            await fs.mkdir(path.dirname(this.path), { recursive: true });
+            // Read and replay JSONL file
+            const content = await fs.readFile(this.path, 'utf-8').catch(() => '');
+            const lines = content.split('\n').filter((line) => line.trim());
+            for (const line of lines) {
+                const record = JSON.parse(line);
+                if (record.type === 'register' && record.publicKey && record.name) {
+                    this.entries.set(record.did, {
+                        did: record.did,
+                        publicKey: new Uint8Array(record.publicKey),
+                        name: record.name,
+                        scopes: new Set(record.scopes ?? []),
+                        receiveScopes: record.receiveScopes ? new Set(record.receiveScopes) : undefined,
+                        revoked: false,
+                        rotation_sequence: record.rotation_sequence ?? 1,
+                        x25519PublicKey: record.x25519PublicKey
+                            ? new Uint8Array(record.x25519PublicKey)
+                            : undefined,
+                        mlKemPublicKey: record.mlKemPublicKey
+                            ? new Uint8Array(record.mlKemPublicKey)
+                            : undefined,
+                        mlDsaPublicKey: record.mlDsaPublicKey
+                            ? new Uint8Array(record.mlDsaPublicKey)
+                            : undefined,
+                        xchange: record.xchange,
+                        sdkVersion: record.sdkVersion,
+                        minEnvelopeVersion: record.minEnvelopeVersion,
+                        maxEnvelopeVersion: record.maxEnvelopeVersion,
+                        expiresAt: record.expiresAt,
+                    });
+                }
+                else if (record.type === 'revoke') {
+                    const entry = this.entries.get(record.did);
+                    if (entry) {
+                        this.entries.set(record.did, { ...entry, revoked: true });
+                    }
+                }
+                else if (record.type === 'update-scopes') {
+                    const entry = this.entries.get(record.did);
+                    if (entry) {
+                        this.entries.set(record.did, { ...entry, scopes: new Set(record.scopes ?? []) });
+                    }
+                }
+                else if (record.type === 'rotate' && record.publicKey && record.rotation_sequence) {
+                    const entry = this.entries.get(record.did);
+                    if (entry) {
+                        // Only apply rotation if sequence is greater (prevents replaying stale rotations)
+                        if (record.rotation_sequence > entry.rotation_sequence) {
+                            this.entries.set(record.did, {
+                                ...entry,
+                                publicKey: new Uint8Array(record.publicKey),
+                                rotation_sequence: record.rotation_sequence,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        catch (error) {
+            // If file doesn't exist yet, that's OK - it will be created on first write
+        }
+        this.initialized = true;
+    }
+    /** Append record to JSONL file. */
+    async append(record) {
+        await fs.appendFile(this.path, JSON.stringify(record) + '\n', 'utf-8');
+    }
+    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes, sdkVersion, minEnvelopeVersion, maxEnvelopeVersion, ttlMs, clientIP) {
+        await this.init();
+        if (this.entries.has(did))
+            return err('ALREADY_REGISTERED');
+        const expiresAt = ttlMs ? Date.now() + ttlMs : undefined;
+        const entry = {
+            did,
+            publicKey,
+            name,
+            scopes: new Set(scopes ?? []),
+            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
+            revoked: false,
+            rotation_sequence: 1, // Initial sequence starts at 1
+            x25519PublicKey,
+            mlKemPublicKey,
+            mlDsaPublicKey,
+            xchange,
+            sdkVersion,
+            minEnvelopeVersion,
+            maxEnvelopeVersion,
+            expiresAt,
+        };
+        this.entries.set(did, entry);
+        // Append to JSONL
+        await this.append({
+            type: 'register',
+            did,
+            publicKey: Array.from(publicKey),
+            name,
+            scopes: scopes ?? [],
+            rotation_sequence: 1,
+            ...(receiveScopes ? { receiveScopes } : {}),
+            ...(x25519PublicKey ? { x25519PublicKey: Array.from(x25519PublicKey) } : {}),
+            ...(mlKemPublicKey ? { mlKemPublicKey: Array.from(mlKemPublicKey) } : {}),
+            ...(mlDsaPublicKey ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) } : {}),
+            ...(xchange !== undefined ? { xchange } : {}),
+            ...(sdkVersion !== undefined ? { sdkVersion } : {}),
+            ...(minEnvelopeVersion !== undefined ? { minEnvelopeVersion } : {}),
+            ...(maxEnvelopeVersion !== undefined ? { maxEnvelopeVersion } : {}),
+            ...(expiresAt !== undefined ? { expiresAt } : {}),
+        });
+        return ok(undefined);
+    }
+    async resolve(did) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        if (isExpired(entry))
+            return err('EXPIRED');
+        if (entry.revoked)
+            return err('REVOKED');
+        return ok(entry.publicKey);
+    }
+    async hasScope(did, scope) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry || isExpired(entry) || entry.revoked)
+            return false;
+        return entry.scopes.has(scope);
+    }
+    async hasReceiveScope(did, scope) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry || isExpired(entry) || entry.revoked)
+            return false;
+        // Undefined = accept all scopes (backward compatibility)
+        if (!entry.receiveScopes)
+            return true;
+        return entry.receiveScopes.has(scope);
+    }
+    async revoke(did) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        this.entries.set(did, { ...entry, revoked: true });
+        await this.append({ type: 'revoke', did });
+        return ok(undefined);
+    }
+    async getEntry(did) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        if (isExpired(entry))
+            return err('EXPIRED');
+        return ok(entry);
+    }
+    async updateScopes(did, scopes) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry)
+            return err('NOT_FOUND');
+        if (isExpired(entry))
+            return err('EXPIRED');
+        if (entry.revoked)
+            return err('REVOKED');
+        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
+        await this.append({ type: 'update-scopes', did, scopes });
+        return ok(undefined);
+    }
+    /** Remove all expired entries from the registry. */
+    async cleanup() {
+        await this.init();
+        let removed = 0;
+        const now = Date.now();
+        for (const [did, entry] of this.entries) {
+            if (entry.expiresAt && now > entry.expiresAt) {
+                this.entries.delete(did);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    /**
+     * Rotate a DID to a new public key with rollback protection.
+     *
+     * Validates that rotationSequence is greater than current sequence to prevent
+     * rollback attacks. Appends rotation event to JSONL and updates in-memory state.
+     *
+     * @param did - DID being rotated
+     * @param newPublicKey - New public key bytes
+     * @param proof - Cryptographic proof (e.g., signature from old key)
+     * @param rotationSequence - Monotonically increasing sequence number
+     * @throws Error if DID not found or sequence validation fails
+     */
+    async rotate(did, newPublicKey, proof, rotationSequence) {
+        await this.init();
+        const entry = this.entries.get(did);
+        if (!entry) {
+            throw new Error(`DID not found: ${did}`);
+        }
+        // Rollback protection: new sequence must be greater than current
+        if (rotationSequence <= entry.rotation_sequence) {
+            throw new Error(`Rotation sequence ${rotationSequence} must be > current ${entry.rotation_sequence} (rollback attack prevented)`);
+        }
+        // Append rotation event to JSONL
+        await this.append({
+            type: 'rotate',
+            did,
+            publicKey: Array.from(newPublicKey),
+            proof: Array.from(proof),
+            rotation_sequence: rotationSequence,
+            timestamp: Date.now(),
+        });
+        // Update in-memory entry
+        this.entries.set(did, {
+            ...entry,
+            publicKey: newPublicKey,
+            rotation_sequence: rotationSequence,
+        });
+    }
+    /** Number of entries (for testing). */
+    get size() {
+        return this.entries.size;
+    }
+}
+/* ── Enterprise Factory ── */
+/**
+ * Create an enterprise trust registry with optional pre-population.
+ * Suitable for corporate deployments with centralized trust management.
+ *
+ * @example
+ * ```typescript
+ * const registry = await TrustRegistry.enterprise({
+ *   storage: 'file',
+ *   path: '/opt/corp/trust.jsonl',
+ *   preload: [
+ *     { did: 'did:web:corp.example.com', publicKey: ..., name: 'Corporate Gateway' }
+ *   ]
+ * });
+ * ```
+ */
+export async function createEnterpriseTrustRegistry(opts) {
+    let registry;
+    if (opts.storage === 'file') {
+        if (!opts.path)
+            throw new Error('FileTrustRegistry requires path option');
+        registry = new FileTrustRegistry({ path: opts.path });
+    }
+    else if (opts.storage === 'http') {
+        if (!opts.baseUrl)
+            throw new Error('HttpTrustRegistry requires baseUrl option');
+        registry = new HttpTrustRegistry({ baseUrl: opts.baseUrl });
+    }
+    else {
+        registry = new MemoryTrustRegistry();
+    }
+    // Pre-populate if requested
+    if (opts.preload) {
+        for (const entry of opts.preload) {
+            await registry.register(entry.did, entry.publicKey, entry.name, entry.scopes, entry.x25519PublicKey, entry.mlKemPublicKey, entry.mlDsaPublicKey, entry.xchange, entry.receiveScopes, entry.sdkVersion, entry.minEnvelopeVersion, entry.maxEnvelopeVersion);
+        }
+    }
+    return registry;
+}