@private.me/xbind 3.0.2 → 3.0.4

package/dist-standalone/cjs/trust-registry.js

@@ -1,991 +1 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.FileTrustRegistry = exports.HttpTrustRegistry = exports.MemoryTrustRegistry = exports.RegistrationRateLimiter = void 0;
-exports.createEnterpriseTrustRegistry = createEnterpriseTrustRegistry;
-const shared_1 = require("../_deps/shared/index.js");
-const fs = __importStar(require("node:fs/promises"));
-const path = __importStar(require("node:path"));
-/* ── Types ── */
-/** Check if a registry entry has expired. */
-function isExpired(entry) {
-    if (!entry.expiresAt)
-        return false;
-    return Date.now() > entry.expiresAt;
-}
-/* ── Rate Limiting ── */
-/**
- * Rate limiter for DID registration endpoints.
- *
- * Implements sliding window algorithm with:
- * - Per-IP limit: 10 registrations/hour
- * - Global limit: 1000 registrations/hour
- *
- * Prevents DID registration spam attacks (SCALE-1).
- */
-class RegistrationRateLimiter {
-    perIPTimestamps = new Map();
-    globalTimestamps = [];
-    perIPLimit;
-    globalLimit;
-    windowMs;
-    cleanupInterval = null;
-    /**
-     * Create a new registration rate limiter.
-     *
-     * @param perIPLimit - Maximum registrations per IP in time window (default: 10)
-     * @param globalLimit - Maximum global registrations in time window (default: 1000)
-     * @param windowMs - Time window in milliseconds (default: 3600000 = 1 hour)
-     */
-    constructor(perIPLimit = 10, globalLimit = 1000, windowMs = 3600000) {
-        this.perIPLimit = perIPLimit;
-        this.globalLimit = globalLimit;
-        this.windowMs = windowMs;
-        // Cleanup old timestamps every 5 minutes
-        this.cleanupInterval = setInterval(() => this.cleanup(), 300000);
-    }
-    /**
-     * Check if registration is allowed for the given IP.
-     *
-     * @param ip - Client IP address
-     * @returns True if allowed, false if rate limited
-     */
-    checkLimit(ip) {
-        const now = Date.now();
-        const windowStart = now - this.windowMs;
-        // Check per-IP limit
-        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
-        const recentIPRequests = ipTimestamps.filter((t) => t > windowStart);
-        if (recentIPRequests.length >= this.perIPLimit) {
-            return false;
-        }
-        // Check global limit
-        const recentGlobalRequests = this.globalTimestamps.filter((t) => t > windowStart);
-        if (recentGlobalRequests.length >= this.globalLimit) {
-            return false;
-        }
-        return true;
-    }
-    /**
-     * Record a registration attempt.
-     *
-     * Call this AFTER successful registration to avoid counting failures.
-     *
-     * @param ip - Client IP address
-     */
-    recordRegistration(ip) {
-        const now = Date.now();
-        // Record per-IP
-        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
-        ipTimestamps.push(now);
-        this.perIPTimestamps.set(ip, ipTimestamps);
-        // Record global
-        this.globalTimestamps.push(now);
-    }
-    /**
-     * Get remaining registrations for an IP.
-     *
-     * @param ip - Client IP address
-     * @returns Remaining registrations allowed
-     */
-    getRemainingForIP(ip) {
-        const now = Date.now();
-        const windowStart = now - this.windowMs;
-        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
-        const recentIPRequests = ipTimestamps.filter((t) => t > windowStart);
-        return Math.max(0, this.perIPLimit - recentIPRequests.length);
-    }
-    /**
-     * Get remaining global registrations.
-     *
-     * @returns Remaining global registrations allowed
-     */
-    getRemainingGlobal() {
-        const now = Date.now();
-        const windowStart = now - this.windowMs;
-        const recentGlobalRequests = this.globalTimestamps.filter((t) => t > windowStart);
-        return Math.max(0, this.globalLimit - recentGlobalRequests.length);
-    }
-    /**
-     * Get reset time for an IP's rate limit.
-     *
-     * @param ip - Client IP address
-     * @returns Unix timestamp (ms) when limit resets, or null if not rate limited
-     */
-    getResetTimeForIP(ip) {
-        const ipTimestamps = this.perIPTimestamps.get(ip) || [];
-        if (ipTimestamps.length === 0)
-            return null;
-        const oldestTimestamp = ipTimestamps[0];
-        if (!oldestTimestamp)
-            return null;
-        return oldestTimestamp + this.windowMs;
-    }
-    /**
-     * Cleanup old timestamps to prevent memory leaks.
-     *
-     * Removes entries with no requests in the last window period.
-     */
-    cleanup() {
-        const now = Date.now();
-        const windowStart = now - this.windowMs;
-        // Cleanup per-IP timestamps
-        for (const [ip, timestamps] of this.perIPTimestamps.entries()) {
-            const recentRequests = timestamps.filter((t) => t > windowStart);
-            if (recentRequests.length === 0) {
-                this.perIPTimestamps.delete(ip);
-            }
-            else {
-                this.perIPTimestamps.set(ip, recentRequests);
-            }
-        }
-        // Cleanup global timestamps
-        const recentGlobalRequests = this.globalTimestamps.filter((t) => t > windowStart);
-        this.globalTimestamps.length = 0;
-        this.globalTimestamps.push(...recentGlobalRequests);
-    }
-    /**
-     * Stop cleanup interval (for testing or shutdown).
-     */
-    destroy() {
-        if (this.cleanupInterval) {
-            clearInterval(this.cleanupInterval);
-            this.cleanupInterval = null;
-        }
-    }
-    /**
-     * Reset all rate limits (for testing).
-     */
-    reset() {
-        this.perIPTimestamps.clear();
-        this.globalTimestamps.length = 0;
-    }
-}
-exports.RegistrationRateLimiter = RegistrationRateLimiter;
-/* ── Memory Implementation ── */
-/**
- * In-memory trust registry for development and testing.
- */
-class MemoryTrustRegistry {
-    entries = new Map();
-    rateLimiter;
-    constructor(opts) {
-        if (opts?.enableRateLimiting) {
-            this.rateLimiter = opts.rateLimiter || new RegistrationRateLimiter();
-        }
-    }
-    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes, sdkVersion, minEnvelopeVersion, maxEnvelopeVersion, ttlMs, clientIP) {
-        // Check rate limit if enabled
-        if (this.rateLimiter && clientIP) {
-            if (!this.rateLimiter.checkLimit(clientIP)) {
-                return (0, shared_1.err)('RATE_LIMIT_EXCEEDED');
-            }
-        }
-        if (this.entries.has(did))
-            return (0, shared_1.err)('ALREADY_REGISTERED');
-        const expiresAt = ttlMs ? Date.now() + ttlMs : undefined;
-        this.entries.set(did, {
-            did,
-            publicKey,
-            name,
-            scopes: new Set(scopes ?? []),
-            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
-            revoked: false,
-            rotation_sequence: 1, // Initial sequence starts at 1
-            x25519PublicKey,
-            mlKemPublicKey,
-            mlDsaPublicKey,
-            xchange,
-            sdkVersion,
-            minEnvelopeVersion,
-            maxEnvelopeVersion,
-            expiresAt,
-        });
-        // Record registration after success
-        if (this.rateLimiter && clientIP) {
-            this.rateLimiter.recordRegistration(clientIP);
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    async resolve(did) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        if (isExpired(entry))
-            return (0, shared_1.err)('EXPIRED');
-        if (entry.revoked)
-            return (0, shared_1.err)('REVOKED');
-        return (0, shared_1.ok)(entry.publicKey);
-    }
-    async hasScope(did, scope) {
-        const entry = this.entries.get(did);
-        if (!entry || isExpired(entry) || entry.revoked)
-            return false;
-        return entry.scopes.has(scope);
-    }
-    async hasReceiveScope(did, scope) {
-        const entry = this.entries.get(did);
-        if (!entry || isExpired(entry) || entry.revoked)
-            return false;
-        // Undefined = accept all scopes (backward compatibility)
-        if (!entry.receiveScopes)
-            return true;
-        return entry.receiveScopes.has(scope);
-    }
-    async revoke(did) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        this.entries.set(did, { ...entry, revoked: true });
-        return (0, shared_1.ok)(undefined);
-    }
-    async getEntry(did) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        if (isExpired(entry))
-            return (0, shared_1.err)('EXPIRED');
-        return (0, shared_1.ok)(entry);
-    }
-    async updateScopes(did, scopes) {
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        if (isExpired(entry))
-            return (0, shared_1.err)('EXPIRED');
-        if (entry.revoked)
-            return (0, shared_1.err)('REVOKED');
-        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
-        return (0, shared_1.ok)(undefined);
-    }
-    /** Remove all expired entries from the registry. */
-    async cleanup() {
-        let removed = 0;
-        const now = Date.now();
-        for (const [did, entry] of this.entries) {
-            if (entry.expiresAt && now > entry.expiresAt) {
-                this.entries.delete(did);
-                removed++;
-            }
-        }
-        return removed;
-    }
-    /** Number of entries (for testing). */
-    get size() {
-        return this.entries.size;
-    }
-}
-exports.MemoryTrustRegistry = MemoryTrustRegistry;
-/**
- * HTTP-backed trust registry for production use.
- * Delegates to a remote atelier.xail.io service.
- */
-class HttpTrustRegistry {
-    baseUrl;
-    fetchFn;
-    cacheTtlMs;
-    cacheFailureMode;
-    enablePush;
-    bloomFilterSize;
-    bloomFilterFpr;
-    resolveCache = new Map();
-    entryCache = new Map();
-    constructor(opts) {
-        this.baseUrl = opts.baseUrl.replace(/\/$/, '');
-        this.fetchFn = opts.fetch ?? globalThis.fetch.bind(globalThis);
-        this.cacheTtlMs = opts.cacheTtlMs ?? 30_000;
-        this.cacheFailureMode = opts.cacheFailureMode ?? 'fail-secure';
-        this.enablePush = opts.enablePush ?? false;
-        this.bloomFilterSize = opts.bloomFilterSize ?? 10_000;
-        this.bloomFilterFpr = opts.bloomFilterFpr ?? 0.01;
-    }
-    /** Clear all cached entries. Call after registration or revocation. */
-    clearCache() {
-        this.resolveCache.clear();
-        this.entryCache.clear();
-    }
-    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes, sdkVersion, minEnvelopeVersion, maxEnvelopeVersion, ttlMs, clientIP) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/register`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({
-                    did,
-                    publicKey: Array.from(publicKey),
-                    name,
-                    scopes: scopes ?? [],
-                    ...(receiveScopes
-                        ? { receiveScopes }
-                        : {}),
-                    ...(x25519PublicKey
-                        ? { x25519PublicKey: Array.from(x25519PublicKey) }
-                        : {}),
-                    ...(mlKemPublicKey
-                        ? { mlKemPublicKey: Array.from(mlKemPublicKey) }
-                        : {}),
-                    ...(mlDsaPublicKey
-                        ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) }
-                        : {}),
-                    ...(xchange !== undefined
-                        ? { xchange }
-                        : {}),
-                    ...(sdkVersion !== undefined
-                        ? { sdkVersion }
-                        : {}),
-                    ...(minEnvelopeVersion !== undefined
-                        ? { minEnvelopeVersion }
-                        : {}),
-                    ...(maxEnvelopeVersion !== undefined
-                        ? { maxEnvelopeVersion }
-                        : {}),
-                    ...(ttlMs !== undefined
-                        ? { ttlMs }
-                        : {}),
-                }),
-            });
-            if (res.status === 409)
-                return (0, shared_1.err)('ALREADY_REGISTERED');
-            if (res.status === 429)
-                return (0, shared_1.err)('RATE_LIMIT_EXCEEDED');
-            if (!res.ok)
-                return (0, shared_1.err)('NETWORK_ERROR');
-            return (0, shared_1.ok)(undefined);
-        }
-        catch {
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-    }
-    async resolve(did) {
-        // Check cache first
-        if (this.cacheTtlMs > 0) {
-            const cached = this.resolveCache.get(did);
-            if (cached && cached.expiry > Date.now())
-                return cached.value;
-        }
-        let result;
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(did)}`);
-            if (res.status === 404)
-                result = (0, shared_1.err)('NOT_FOUND');
-            else if (res.status === 408)
-                result = (0, shared_1.err)('EXPIRED');
-            else if (res.status === 410)
-                result = (0, shared_1.err)('REVOKED');
-            else if (!res.ok)
-                result = (0, shared_1.err)('NETWORK_ERROR');
-            else {
-                const data = (await res.json());
-                result = (0, shared_1.ok)(new Uint8Array(data.publicKey));
-            }
-        }
-        catch {
-            // Network failure - apply cache failure mode
-            const staleCache = this.resolveCache.get(did);
-            if (this.cacheFailureMode === 'fail-secure') {
-                // Fail-secure: reject on cache refresh failure (default)
-                result = (0, shared_1.err)('NETWORK_ERROR');
-            }
-            else {
-                // Fail-open: accept stale cache if available
-                if (staleCache) {
-                    // Return stale cached value
-                    return staleCache.value;
-                }
-                result = (0, shared_1.err)('NETWORK_ERROR');
-            }
-        }
-        // Update cache with fresh result (only if cache enabled)
-        if (this.cacheTtlMs > 0) {
-            this.resolveCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
-        }
-        return result;
-    }
-    async hasScope(did, scope) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
-            return res.ok;
-        }
-        catch {
-            return false;
-        }
-    }
-    async hasReceiveScope(did, scope) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(did)}/${encodeURIComponent(scope)}`);
-            return res.ok;
-        }
-        catch {
-            return false;
-        }
-    }
-    async revoke(did) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(did)}`, { method: 'POST' });
-            if (res.status === 404)
-                return (0, shared_1.err)('NOT_FOUND');
-            if (!res.ok)
-                return (0, shared_1.err)('NETWORK_ERROR');
-            return (0, shared_1.ok)(undefined);
-        }
-        catch {
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-    }
-    async getEntry(did) {
-        if (this.cacheTtlMs > 0) {
-            const cached = this.entryCache.get(did);
-            if (cached && cached.expiry > Date.now())
-                return cached.value;
-        }
-        let result;
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(did)}`);
-            if (res.status === 404)
-                result = (0, shared_1.err)('NOT_FOUND');
-            else if (res.status === 408)
-                result = (0, shared_1.err)('EXPIRED');
-            else if (!res.ok)
-                result = (0, shared_1.err)('NETWORK_ERROR');
-            else {
-                const data = (await res.json());
-                result = (0, shared_1.ok)({
-                    did: data.did,
-                    publicKey: new Uint8Array(data.publicKey),
-                    name: data.name,
-                    scopes: new Set(data.scopes),
-                    receiveScopes: data.receiveScopes ? new Set(data.receiveScopes) : undefined,
-                    revoked: data.revoked,
-                    rotation_sequence: data.rotation_sequence ?? 1,
-                    x25519PublicKey: data.x25519PublicKey
-                        ? new Uint8Array(data.x25519PublicKey)
-                        : undefined,
-                    mlKemPublicKey: data.mlKemPublicKey
-                        ? new Uint8Array(data.mlKemPublicKey)
-                        : undefined,
-                    mlDsaPublicKey: data.mlDsaPublicKey
-                        ? new Uint8Array(data.mlDsaPublicKey)
-                        : undefined,
-                    xchange: data.xchange,
-                    sdkVersion: data.sdkVersion,
-                    minEnvelopeVersion: data.minEnvelopeVersion,
-                    maxEnvelopeVersion: data.maxEnvelopeVersion,
-                    expiresAt: data.expiresAt,
-                });
-            }
-        }
-        catch {
-            result = (0, shared_1.err)('NETWORK_ERROR');
-        }
-        if (this.cacheTtlMs > 0) {
-            this.entryCache.set(did, { value: result, expiry: Date.now() + this.cacheTtlMs });
-        }
-        return result;
-    }
-    /**
-     * Rotate a DID to a new public key with cryptographic proof.
-     *
-     * Sends rotation request to gateway and invalidates local cache.
-     *
-     * @param did - DID being rotated (old key)
-     * @param newPublicKey - New public key bytes
-     * @param proof - Succession announcement (dual signatures from old and new keys)
-     * @param rotationSequence - Monotonically increasing sequence number (prevents rollback)
-     */
-    async rotate(did, newPublicKey, proof, rotationSequence) {
-        const res = await this.fetchFn(`${this.baseUrl}/registry/rotate`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                did,
-                newPublicKey: Array.from(newPublicKey),
-                proof: Array.from(proof),
-                rotationSequence,
-            }),
-        });
-        if (!res.ok) {
-            throw new Error(`Key rotation failed: ${res.status} ${res.statusText}`);
-        }
-        // Invalidate cache for this DID
-        this.resolveCache.delete(did);
-        this.entryCache.delete(did);
-    }
-    /**
-     * Subscribe to real-time trust events (revocation, key rotation).
-     *
-     * Creates a bloom filter from DIDs and connects WebSocket to gateway.
-     * Events matching subscribed DIDs trigger the callback and invalidate cache.
-     *
-     * @param dids - Array of DIDs to monitor
-     * @param callback - Function called when trust events occur
-     * @returns Unsubscribe function to stop watching
-     *
-     * @throws Error if push notifications not enabled (enablePush: true)
-     */
-    async subscribe(dids, callback) {
-        if (!this.enablePush) {
-            throw new Error('Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)');
-        }
-        // Simple bloom filter: hash each DID to track subscriptions
-        // Production implementation would use full bloom filter library
-        const bloomSet = new Set(dids.map(did => this.hashDid(did)));
-        // Convert HTTP URL to WebSocket URL
-        const wsUrl = this.baseUrl.replace(/^http/, 'ws') + '/trust/events';
-        // SAFETY: WebSocket is a standard browser/Node.js API
-        const ws = new globalThis.WebSocket(wsUrl);
-        ws.addEventListener('open', () => {
-            // Send subscription with bloom filter
-            ws.send(JSON.stringify({
-                type: 'subscribe',
-                dids: dids, // Simple implementation sends full DID list
-                bloomSize: this.bloomFilterSize,
-                bloomFpr: this.bloomFilterFpr,
-            }));
-        });
-        ws.addEventListener('message', (event) => {
-            try {
-                const trustEvent = JSON.parse(event.data);
-                // Check if event DID matches our subscription
-                const eventHash = this.hashDid(trustEvent.did);
-                if (bloomSet.has(eventHash)) {
-                    // Invalidate cache for this DID
-                    if (trustEvent.type === 'revocation' || trustEvent.type === 'succession') {
-                        this.resolveCache.delete(trustEvent.did);
-                        this.entryCache.delete(trustEvent.did);
-                    }
-                    // Notify callback
-                    callback(trustEvent);
-                }
-            }
-            catch (error) {
-                // Ignore malformed events
-                console.warn('Failed to parse trust event:', error);
-            }
-        });
-        ws.addEventListener('error', (error) => {
-            console.error('WebSocket error:', error);
-        });
-        // Return unsubscribe function
-        return () => {
-            if (ws.readyState === globalThis.WebSocket.OPEN) {
-                ws.close();
-            }
-        };
-    }
-    /**
-     * Simple hash function for bloom filter (DID → number).
-     * Production implementation would use proper bloom filter hashing.
-     */
-    hashDid(did) {
-        let hash = 0;
-        for (let i = 0; i < did.length; i++) {
-            hash = ((hash << 5) - hash) + did.charCodeAt(i);
-            hash = hash & hash; // Convert to 32-bit integer
-        }
-        return hash;
-    }
-    /**
-     * Resume subscriptions on this gateway using proofs from another gateway.
-     *
-     * Allows clients to migrate between gateways without re-subscribing.
-     * Validates proofs and restores subscription state.
-     *
-     * @param proofs - Array of subscription proofs from previous gateway.
-     * @returns Success or error.
-     *
-     * @example
-     * ```typescript
-     * const registry = new HttpTrustRegistry({ baseUrl: 'https://atelier2.xail.io' });
-     * const result = await registry.resumeSubscriptions([proof1, proof2]);
-     * ```
-     */
-    async resumeSubscriptions(proofs) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/trust/resume-batch`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ proofs }),
-            });
-            if (!res.ok)
-                return (0, shared_1.err)('NETWORK_ERROR');
-            return (0, shared_1.ok)(undefined);
-        }
-        catch {
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-    }
-    /**
-     * Fetch signed checkpoint for a DID (freshness primitive).
-     *
-     * Checkpoints provide cryptographic proof of DID state at a specific timestamp.
-     * Clients verify checkpoint signature and compare rotation_sequence to detect staleness.
-     *
-     * @param did - DID to fetch checkpoint for
-     * @returns Signed checkpoint or error
-     *
-     * @example
-     * ```typescript
-     * const checkpoint = await registry.fetchCheckpoint('did:key:z6Mk...');
-     * if (checkpoint.ok) {
-     *   const verified = await verifyCheckpoint(checkpoint.value, gatewayPubKey);
-     *   if (verified.ok && verified.value) {
-     *     // Use checkpoint for staleness detection
-     *     if (isCacheStale(localCache, checkpoint.value)) {
-     *       // Refresh cache
-     *     }
-     *   }
-     * }
-     * ```
-     */
-    async fetchCheckpoint(did) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(did)}`);
-            if (res.status === 404)
-                return (0, shared_1.err)('NOT_FOUND');
-            if (!res.ok)
-                return (0, shared_1.err)('NETWORK_ERROR');
-            const checkpoint = (await res.json());
-            return (0, shared_1.ok)(checkpoint);
-        }
-        catch {
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-    }
-    async updateScopes(did, scopes) {
-        try {
-            const res = await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(did)}/scopes`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ scopes }),
-            });
-            if (res.status === 404)
-                return (0, shared_1.err)('NOT_FOUND');
-            if (res.status === 410)
-                return (0, shared_1.err)('REVOKED');
-            if (!res.ok)
-                return (0, shared_1.err)('NETWORK_ERROR');
-            // Clear cache for this DID
-            this.resolveCache.delete(did);
-            this.entryCache.delete(did);
-            return (0, shared_1.ok)(undefined);
-        }
-        catch {
-            return (0, shared_1.err)('NETWORK_ERROR');
-        }
-    }
-}
-exports.HttpTrustRegistry = HttpTrustRegistry;
-/**
- * File-based trust registry using JSONL append-only log.
- * Replays all entries on initialization, keeps in-memory Map for fast access.
- * Suitable for production deployments with local persistence.
- */
-class FileTrustRegistry {
-    path;
-    entries = new Map();
-    initialized = false;
-    constructor(opts) {
-        this.path = opts.path;
-    }
-    /** Initialize by replaying JSONL log. Called automatically on first operation. */
-    async init() {
-        if (this.initialized)
-            return;
-        try {
-            // Ensure directory exists
-            await fs.mkdir(path.dirname(this.path), { recursive: true });
-            // Read and replay JSONL file
-            const content = await fs.readFile(this.path, 'utf-8').catch(() => '');
-            const lines = content.split('\n').filter((line) => line.trim());
-            for (const line of lines) {
-                const record = JSON.parse(line);
-                if (record.type === 'register' && record.publicKey && record.name) {
-                    this.entries.set(record.did, {
-                        did: record.did,
-                        publicKey: new Uint8Array(record.publicKey),
-                        name: record.name,
-                        scopes: new Set(record.scopes ?? []),
-                        receiveScopes: record.receiveScopes ? new Set(record.receiveScopes) : undefined,
-                        revoked: false,
-                        rotation_sequence: record.rotation_sequence ?? 1,
-                        x25519PublicKey: record.x25519PublicKey
-                            ? new Uint8Array(record.x25519PublicKey)
-                            : undefined,
-                        mlKemPublicKey: record.mlKemPublicKey
-                            ? new Uint8Array(record.mlKemPublicKey)
-                            : undefined,
-                        mlDsaPublicKey: record.mlDsaPublicKey
-                            ? new Uint8Array(record.mlDsaPublicKey)
-                            : undefined,
-                        xchange: record.xchange,
-                        sdkVersion: record.sdkVersion,
-                        minEnvelopeVersion: record.minEnvelopeVersion,
-                        maxEnvelopeVersion: record.maxEnvelopeVersion,
-                        expiresAt: record.expiresAt,
-                    });
-                }
-                else if (record.type === 'revoke') {
-                    const entry = this.entries.get(record.did);
-                    if (entry) {
-                        this.entries.set(record.did, { ...entry, revoked: true });
-                    }
-                }
-                else if (record.type === 'update-scopes') {
-                    const entry = this.entries.get(record.did);
-                    if (entry) {
-                        this.entries.set(record.did, { ...entry, scopes: new Set(record.scopes ?? []) });
-                    }
-                }
-                else if (record.type === 'rotate' && record.publicKey && record.rotation_sequence) {
-                    const entry = this.entries.get(record.did);
-                    if (entry) {
-                        // Only apply rotation if sequence is greater (prevents replaying stale rotations)
-                        if (record.rotation_sequence > entry.rotation_sequence) {
-                            this.entries.set(record.did, {
-                                ...entry,
-                                publicKey: new Uint8Array(record.publicKey),
-                                rotation_sequence: record.rotation_sequence,
-                            });
-                        }
-                    }
-                }
-            }
-        }
-        catch (error) {
-            // If file doesn't exist yet, that's OK - it will be created on first write
-        }
-        this.initialized = true;
-    }
-    /** Append record to JSONL file. */
-    async append(record) {
-        await fs.appendFile(this.path, JSON.stringify(record) + '\n', 'utf-8');
-    }
-    async register(did, publicKey, name, scopes, x25519PublicKey, mlKemPublicKey, mlDsaPublicKey, xchange, receiveScopes, sdkVersion, minEnvelopeVersion, maxEnvelopeVersion, ttlMs, clientIP) {
-        await this.init();
-        if (this.entries.has(did))
-            return (0, shared_1.err)('ALREADY_REGISTERED');
-        const expiresAt = ttlMs ? Date.now() + ttlMs : undefined;
-        const entry = {
-            did,
-            publicKey,
-            name,
-            scopes: new Set(scopes ?? []),
-            receiveScopes: receiveScopes ? new Set(receiveScopes) : undefined,
-            revoked: false,
-            rotation_sequence: 1, // Initial sequence starts at 1
-            x25519PublicKey,
-            mlKemPublicKey,
-            mlDsaPublicKey,
-            xchange,
-            sdkVersion,
-            minEnvelopeVersion,
-            maxEnvelopeVersion,
-            expiresAt,
-        };
-        this.entries.set(did, entry);
-        // Append to JSONL
-        await this.append({
-            type: 'register',
-            did,
-            publicKey: Array.from(publicKey),
-            name,
-            scopes: scopes ?? [],
-            rotation_sequence: 1,
-            ...(receiveScopes ? { receiveScopes } : {}),
-            ...(x25519PublicKey ? { x25519PublicKey: Array.from(x25519PublicKey) } : {}),
-            ...(mlKemPublicKey ? { mlKemPublicKey: Array.from(mlKemPublicKey) } : {}),
-            ...(mlDsaPublicKey ? { mlDsaPublicKey: Array.from(mlDsaPublicKey) } : {}),
-            ...(xchange !== undefined ? { xchange } : {}),
-            ...(sdkVersion !== undefined ? { sdkVersion } : {}),
-            ...(minEnvelopeVersion !== undefined ? { minEnvelopeVersion } : {}),
-            ...(maxEnvelopeVersion !== undefined ? { maxEnvelopeVersion } : {}),
-            ...(expiresAt !== undefined ? { expiresAt } : {}),
-        });
-        return (0, shared_1.ok)(undefined);
-    }
-    async resolve(did) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        if (isExpired(entry))
-            return (0, shared_1.err)('EXPIRED');
-        if (entry.revoked)
-            return (0, shared_1.err)('REVOKED');
-        return (0, shared_1.ok)(entry.publicKey);
-    }
-    async hasScope(did, scope) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry || isExpired(entry) || entry.revoked)
-            return false;
-        return entry.scopes.has(scope);
-    }
-    async hasReceiveScope(did, scope) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry || isExpired(entry) || entry.revoked)
-            return false;
-        // Undefined = accept all scopes (backward compatibility)
-        if (!entry.receiveScopes)
-            return true;
-        return entry.receiveScopes.has(scope);
-    }
-    async revoke(did) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        this.entries.set(did, { ...entry, revoked: true });
-        await this.append({ type: 'revoke', did });
-        return (0, shared_1.ok)(undefined);
-    }
-    async getEntry(did) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        if (isExpired(entry))
-            return (0, shared_1.err)('EXPIRED');
-        return (0, shared_1.ok)(entry);
-    }
-    async updateScopes(did, scopes) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry)
-            return (0, shared_1.err)('NOT_FOUND');
-        if (isExpired(entry))
-            return (0, shared_1.err)('EXPIRED');
-        if (entry.revoked)
-            return (0, shared_1.err)('REVOKED');
-        this.entries.set(did, { ...entry, scopes: new Set(scopes) });
-        await this.append({ type: 'update-scopes', did, scopes });
-        return (0, shared_1.ok)(undefined);
-    }
-    /** Remove all expired entries from the registry. */
-    async cleanup() {
-        await this.init();
-        let removed = 0;
-        const now = Date.now();
-        for (const [did, entry] of this.entries) {
-            if (entry.expiresAt && now > entry.expiresAt) {
-                this.entries.delete(did);
-                removed++;
-            }
-        }
-        return removed;
-    }
-    /**
-     * Rotate a DID to a new public key with rollback protection.
-     *
-     * Validates that rotationSequence is greater than current sequence to prevent
-     * rollback attacks. Appends rotation event to JSONL and updates in-memory state.
-     *
-     * @param did - DID being rotated
-     * @param newPublicKey - New public key bytes
-     * @param proof - Cryptographic proof (e.g., signature from old key)
-     * @param rotationSequence - Monotonically increasing sequence number
-     * @throws Error if DID not found or sequence validation fails
-     */
-    async rotate(did, newPublicKey, proof, rotationSequence) {
-        await this.init();
-        const entry = this.entries.get(did);
-        if (!entry) {
-            throw new Error(`DID not found: ${did}`);
-        }
-        // Rollback protection: new sequence must be greater than current
-        if (rotationSequence <= entry.rotation_sequence) {
-            throw new Error(`Rotation sequence ${rotationSequence} must be > current ${entry.rotation_sequence} (rollback attack prevented)`);
-        }
-        // Append rotation event to JSONL
-        await this.append({
-            type: 'rotate',
-            did,
-            publicKey: Array.from(newPublicKey),
-            proof: Array.from(proof),
-            rotation_sequence: rotationSequence,
-            timestamp: Date.now(),
-        });
-        // Update in-memory entry
-        this.entries.set(did, {
-            ...entry,
-            publicKey: newPublicKey,
-            rotation_sequence: rotationSequence,
-        });
-    }
-    /** Number of entries (for testing). */
-    get size() {
-        return this.entries.size;
-    }
-}
-exports.FileTrustRegistry = FileTrustRegistry;
-/* ── Enterprise Factory ── */
-/**
- * Create an enterprise trust registry with optional pre-population.
- * Suitable for corporate deployments with centralized trust management.
- *
- * @example
- * ```typescript
- * const registry = await TrustRegistry.enterprise({
- *   storage: 'file',
- *   path: '/opt/corp/trust.jsonl',
- *   preload: [
- *     { did: 'did:web:corp.example.com', publicKey: ..., name: 'Corporate Gateway' }
- *   ]
- * });
- * ```
- */
-async function createEnterpriseTrustRegistry(opts) {
-    let registry;
-    if (opts.storage === 'file') {
-        if (!opts.path)
-            throw new Error('FileTrustRegistry requires path option');
-        registry = new FileTrustRegistry({ path: opts.path });
-    }
-    else if (opts.storage === 'http') {
-        if (!opts.baseUrl)
-            throw new Error('HttpTrustRegistry requires baseUrl option');
-        registry = new HttpTrustRegistry({ baseUrl: opts.baseUrl });
-    }
-    else {
-        registry = new MemoryTrustRegistry();
-    }
-    // Pre-populate if requested
-    if (opts.preload) {
-        for (const entry of opts.preload) {
-            await registry.register(entry.did, entry.publicKey, entry.name, entry.scopes, entry.x25519PublicKey, entry.mlKemPublicKey, entry.mlDsaPublicKey, entry.xchange, entry.receiveScopes, entry.sdkVersion, entry.minEnvelopeVersion, entry.maxEnvelopeVersion);
-        }
-    }
-    return registry;
-}
+"use strict";var __createBinding=this&&this.__createBinding||(Object.create?function(e,t,r,s){void 0===s&&(s=r);var i=Object.getOwnPropertyDescriptor(t,r);i&&!("get"in i?!t.__esModule:i.writable||i.configurable)||(i={enumerable:!0,get:function(){return t[r]}}),Object.defineProperty(e,s,i)}:function(e,t,r,s){void 0===s&&(s=r),e[s]=t[r]}),__setModuleDefault=this&&this.__setModuleDefault||(Object.create?function(e,t){Object.defineProperty(e,"default",{enumerable:!0,value:t})}:function(e,t){e.default=t}),__importStar=this&&this.__importStar||function(){var e=function(t){return e=Object.getOwnPropertyNames||function(e){var t=[];for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[t.length]=r);return t},e(t)};return function(t){if(t&&t.__esModule)return t;var r={};if(null!=t)for(var s=e(t),i=0;i<s.length;i++)"default"!==s[i]&&__createBinding(r,t,s[i]);return __setModuleDefault(r,t),r}}();Object.defineProperty(exports,"__esModule",{value:!0}),exports.FileTrustRegistry=exports.HttpTrustRegistry=exports.MemoryTrustRegistry=exports.RegistrationRateLimiter=void 0,exports.createEnterpriseTrustRegistry=createEnterpriseTrustRegistry;const shared_1=require("../_deps/shared/index.js"),fs=__importStar(require("node:fs/promises")),path=__importStar(require("node:path"));function isExpired(e){return!!e.expiresAt&&Date.now()>e.expiresAt}class RegistrationRateLimiter{perIPTimestamps=new Map;globalTimestamps=[];perIPLimit;globalLimit;windowMs;cleanupInterval=null;constructor(e=10,t=1e3,r=36e5){this.perIPLimit=e,this.globalLimit=t,this.windowMs=r,this.cleanupInterval=setInterval(()=>this.cleanup(),3e5)}checkLimit(e){const t=Date.now()-this.windowMs;if((this.perIPTimestamps.get(e)||[]).filter(e=>e>t).length>=this.perIPLimit)return!1;return!(this.globalTimestamps.filter(e=>e>t).length>=this.globalLimit)}recordRegistration(e){const t=Date.now(),r=this.perIPTimestamps.get(e)||[];r.push(t),this.perIPTimestamps.set(e,r),this.globalTimestamps.push(t)}getRemainingForIP(e){const t=Date.now()-this.windowMs,r=(this.perIPTimestamps.get(e)||[]).filter(e=>e>t);return Math.max(0,this.perIPLimit-r.length)}getRemainingGlobal(){const e=Date.now()-this.windowMs,t=this.globalTimestamps.filter(t=>t>e);return Math.max(0,this.globalLimit-t.length)}getResetTimeForIP(e){const t=this.perIPTimestamps.get(e)||[];if(0===t.length)return null;const r=t[0];return r?r+this.windowMs:null}cleanup(){const e=Date.now()-this.windowMs;for(const[t,r]of this.perIPTimestamps.entries()){const s=r.filter(t=>t>e);0===s.length?this.perIPTimestamps.delete(t):this.perIPTimestamps.set(t,s)}const t=this.globalTimestamps.filter(t=>t>e);this.globalTimestamps.length=0,this.globalTimestamps.push(...t)}destroy(){this.cleanupInterval&&(clearInterval(this.cleanupInterval),this.cleanupInterval=null)}reset(){this.perIPTimestamps.clear(),this.globalTimestamps.length=0}}exports.RegistrationRateLimiter=RegistrationRateLimiter;class MemoryTrustRegistry{entries=new Map;rateLimiter;constructor(e){e?.enableRateLimiting&&(this.rateLimiter=e.rateLimiter||new RegistrationRateLimiter)}async register(e,t,r,s,i,n,a,o,c,h,l,d,p,u){if(this.rateLimiter&&u&&!this.rateLimiter.checkLimit(u))return(0,shared_1.err)("RATE_LIMIT_EXCEEDED");if(this.entries.has(e))return(0,shared_1.err)("ALREADY_REGISTERED");const y=p?Date.now()+p:void 0;return this.entries.set(e,{did:e,publicKey:t,name:r,scopes:new Set(s??[]),receiveScopes:c?new Set(c):void 0,revoked:!1,rotation_sequence:1,x25519PublicKey:i,mlKemPublicKey:n,mlDsaPublicKey:a,xchange:o,sdkVersion:h,minEnvelopeVersion:l,maxEnvelopeVersion:d,expiresAt:y}),this.rateLimiter&&u&&this.rateLimiter.recordRegistration(u),(0,shared_1.ok)(void 0)}async resolve(e){const t=this.entries.get(e);return t?isExpired(t)?(0,shared_1.err)("EXPIRED"):t.revoked?(0,shared_1.err)("REVOKED"):(0,shared_1.ok)(t.publicKey):(0,shared_1.err)("NOT_FOUND")}async hasScope(e,t){const r=this.entries.get(e);return!(!r||isExpired(r)||r.revoked)&&r.scopes.has(t)}async hasReceiveScope(e,t){const r=this.entries.get(e);return!(!r||isExpired(r)||r.revoked)&&(!r.receiveScopes||r.receiveScopes.has(t))}async revoke(e){const t=this.entries.get(e);return t?(this.entries.set(e,{...t,revoked:!0}),(0,shared_1.ok)(void 0)):(0,shared_1.err)("NOT_FOUND")}async getEntry(e){const t=this.entries.get(e);return t?isExpired(t)?(0,shared_1.err)("EXPIRED"):(0,shared_1.ok)(t):(0,shared_1.err)("NOT_FOUND")}async updateScopes(e,t){const r=this.entries.get(e);return r?isExpired(r)?(0,shared_1.err)("EXPIRED"):r.revoked?(0,shared_1.err)("REVOKED"):(this.entries.set(e,{...r,scopes:new Set(t)}),(0,shared_1.ok)(void 0)):(0,shared_1.err)("NOT_FOUND")}async cleanup(){let e=0;const t=Date.now();for(const[r,s]of this.entries)s.expiresAt&&t>s.expiresAt&&(this.entries.delete(r),e++);return e}get size(){return this.entries.size}}exports.MemoryTrustRegistry=MemoryTrustRegistry;class HttpTrustRegistry{baseUrl;fetchFn;cacheTtlMs;cacheFailureMode;enablePush;bloomFilterSize;bloomFilterFpr;resolveCache=new Map;entryCache=new Map;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.fetchFn=e.fetch??globalThis.fetch.bind(globalThis),this.cacheTtlMs=e.cacheTtlMs??3e4,this.cacheFailureMode=e.cacheFailureMode??"fail-secure",this.enablePush=e.enablePush??!1,this.bloomFilterSize=e.bloomFilterSize??1e4,this.bloomFilterFpr=e.bloomFilterFpr??.01}clearCache(){this.resolveCache.clear(),this.entryCache.clear()}async register(e,t,r,s,i,n,a,o,c,h,l,d,p,u){try{const u=await this.fetchFn(`${this.baseUrl}/registry/register`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({did:e,publicKey:Array.from(t),name:r,scopes:s??[],...c?{receiveScopes:c}:{},...i?{x25519PublicKey:Array.from(i)}:{},...n?{mlKemPublicKey:Array.from(n)}:{},...a?{mlDsaPublicKey:Array.from(a)}:{},...void 0!==o?{xchange:o}:{},...void 0!==h?{sdkVersion:h}:{},...void 0!==l?{minEnvelopeVersion:l}:{},...void 0!==d?{maxEnvelopeVersion:d}:{},...void 0!==p?{ttlMs:p}:{}})});return 409===u.status?(0,shared_1.err)("ALREADY_REGISTERED"):429===u.status?(0,shared_1.err)("RATE_LIMIT_EXCEEDED"):u.ok?(0,shared_1.ok)(void 0):(0,shared_1.err)("NETWORK_ERROR")}catch{return(0,shared_1.err)("NETWORK_ERROR")}}async resolve(e){if(this.cacheTtlMs>0){const t=this.resolveCache.get(e);if(t&&t.expiry>Date.now())return t.value}let t;try{const r=await this.fetchFn(`${this.baseUrl}/registry/resolve/${encodeURIComponent(e)}`);if(404===r.status)t=(0,shared_1.err)("NOT_FOUND");else if(408===r.status)t=(0,shared_1.err)("EXPIRED");else if(410===r.status)t=(0,shared_1.err)("REVOKED");else if(r.ok){const e=await r.json();t=(0,shared_1.ok)(new Uint8Array(e.publicKey))}else t=(0,shared_1.err)("NETWORK_ERROR")}catch{const r=this.resolveCache.get(e);if("fail-secure"===this.cacheFailureMode)t=(0,shared_1.err)("NETWORK_ERROR");else{if(r)return r.value;t=(0,shared_1.err)("NETWORK_ERROR")}}return this.cacheTtlMs>0&&this.resolveCache.set(e,{value:t,expiry:Date.now()+this.cacheTtlMs}),t}async hasScope(e,t){try{return(await this.fetchFn(`${this.baseUrl}/registry/scope/${encodeURIComponent(e)}/${encodeURIComponent(t)}`)).ok}catch{return!1}}async hasReceiveScope(e,t){try{return(await this.fetchFn(`${this.baseUrl}/registry/receive-scope/${encodeURIComponent(e)}/${encodeURIComponent(t)}`)).ok}catch{return!1}}async revoke(e){try{const t=await this.fetchFn(`${this.baseUrl}/registry/revoke/${encodeURIComponent(e)}`,{method:"POST"});return 404===t.status?(0,shared_1.err)("NOT_FOUND"):t.ok?(0,shared_1.ok)(void 0):(0,shared_1.err)("NETWORK_ERROR")}catch{return(0,shared_1.err)("NETWORK_ERROR")}}async getEntry(e){if(this.cacheTtlMs>0){const t=this.entryCache.get(e);if(t&&t.expiry>Date.now())return t.value}let t;try{const r=await this.fetchFn(`${this.baseUrl}/registry/entry/${encodeURIComponent(e)}`);if(404===r.status)t=(0,shared_1.err)("NOT_FOUND");else if(408===r.status)t=(0,shared_1.err)("EXPIRED");else if(r.ok){const e=await r.json();t=(0,shared_1.ok)({did:e.did,publicKey:new Uint8Array(e.publicKey),name:e.name,scopes:new Set(e.scopes),receiveScopes:e.receiveScopes?new Set(e.receiveScopes):void 0,revoked:e.revoked,rotation_sequence:e.rotation_sequence??1,x25519PublicKey:e.x25519PublicKey?new Uint8Array(e.x25519PublicKey):void 0,mlKemPublicKey:e.mlKemPublicKey?new Uint8Array(e.mlKemPublicKey):void 0,mlDsaPublicKey:e.mlDsaPublicKey?new Uint8Array(e.mlDsaPublicKey):void 0,xchange:e.xchange,sdkVersion:e.sdkVersion,minEnvelopeVersion:e.minEnvelopeVersion,maxEnvelopeVersion:e.maxEnvelopeVersion,expiresAt:e.expiresAt})}else t=(0,shared_1.err)("NETWORK_ERROR")}catch{t=(0,shared_1.err)("NETWORK_ERROR")}return this.cacheTtlMs>0&&this.entryCache.set(e,{value:t,expiry:Date.now()+this.cacheTtlMs}),t}async rotate(e,t,r,s){const i=await this.fetchFn(`${this.baseUrl}/registry/rotate`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({did:e,newPublicKey:Array.from(t),proof:Array.from(r),rotationSequence:s})});if(!i.ok)throw new Error(`Key rotation failed: ${i.status} ${i.statusText}`);this.resolveCache.delete(e),this.entryCache.delete(e)}async subscribe(e,t){if(!this.enablePush)throw new Error("Push notifications not enabled (set enablePush: true in HttpTrustRegistryOptions)");const r=new Set(e.map(e=>this.hashDid(e))),s=this.baseUrl.replace(/^http/,"ws")+"/trust/events",i=new globalThis.WebSocket(s);return i.addEventListener("open",()=>{i.send(JSON.stringify({type:"subscribe",dids:e,bloomSize:this.bloomFilterSize,bloomFpr:this.bloomFilterFpr}))}),i.addEventListener("message",e=>{try{const s=JSON.parse(e.data),i=this.hashDid(s.did);r.has(i)&&("revocation"!==s.type&&"succession"!==s.type||(this.resolveCache.delete(s.did),this.entryCache.delete(s.did)),t(s))}catch(e){console.warn("Failed to parse trust event:",e)}}),i.addEventListener("error",e=>{console.error("WebSocket error:",e)}),()=>{i.readyState===globalThis.WebSocket.OPEN&&i.close()}}hashDid(e){let t=0;for(let r=0;r<e.length;r++)t=(t<<5)-t+e.charCodeAt(r),t&=t;return t}async resumeSubscriptions(e){try{return(await this.fetchFn(`${this.baseUrl}/trust/resume-batch`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({proofs:e})})).ok?(0,shared_1.ok)(void 0):(0,shared_1.err)("NETWORK_ERROR")}catch{return(0,shared_1.err)("NETWORK_ERROR")}}async fetchCheckpoint(e){try{const t=await this.fetchFn(`${this.baseUrl}/registry/checkpoint/${encodeURIComponent(e)}`);if(404===t.status)return(0,shared_1.err)("NOT_FOUND");if(!t.ok)return(0,shared_1.err)("NETWORK_ERROR");const r=await t.json();return(0,shared_1.ok)(r)}catch{return(0,shared_1.err)("NETWORK_ERROR")}}async updateScopes(e,t){try{const r=await this.fetchFn(`${this.baseUrl}/registry/${encodeURIComponent(e)}/scopes`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({scopes:t})});return 404===r.status?(0,shared_1.err)("NOT_FOUND"):410===r.status?(0,shared_1.err)("REVOKED"):r.ok?(this.resolveCache.delete(e),this.entryCache.delete(e),(0,shared_1.ok)(void 0)):(0,shared_1.err)("NETWORK_ERROR")}catch{return(0,shared_1.err)("NETWORK_ERROR")}}}exports.HttpTrustRegistry=HttpTrustRegistry;class FileTrustRegistry{path;entries=new Map;initialized=!1;constructor(e){this.path=e.path}async init(){if(!this.initialized){try{await fs.mkdir(path.dirname(this.path),{recursive:!0});const e=(await fs.readFile(this.path,"utf-8").catch(()=>"")).split("\n").filter(e=>e.trim());for(const t of e){const e=JSON.parse(t);if("register"===e.type&&e.publicKey&&e.name)this.entries.set(e.did,{did:e.did,publicKey:new Uint8Array(e.publicKey),name:e.name,scopes:new Set(e.scopes??[]),receiveScopes:e.receiveScopes?new Set(e.receiveScopes):void 0,revoked:!1,rotation_sequence:e.rotation_sequence??1,x25519PublicKey:e.x25519PublicKey?new Uint8Array(e.x25519PublicKey):void 0,mlKemPublicKey:e.mlKemPublicKey?new Uint8Array(e.mlKemPublicKey):void 0,mlDsaPublicKey:e.mlDsaPublicKey?new Uint8Array(e.mlDsaPublicKey):void 0,xchange:e.xchange,sdkVersion:e.sdkVersion,minEnvelopeVersion:e.minEnvelopeVersion,maxEnvelopeVersion:e.maxEnvelopeVersion,expiresAt:e.expiresAt});else if("revoke"===e.type){const t=this.entries.get(e.did);t&&this.entries.set(e.did,{...t,revoked:!0})}else if("update-scopes"===e.type){const t=this.entries.get(e.did);t&&this.entries.set(e.did,{...t,scopes:new Set(e.scopes??[])})}else if("rotate"===e.type&&e.publicKey&&e.rotation_sequence){const t=this.entries.get(e.did);t&&e.rotation_sequence>t.rotation_sequence&&this.entries.set(e.did,{...t,publicKey:new Uint8Array(e.publicKey),rotation_sequence:e.rotation_sequence})}}}catch{}this.initialized=!0}}async append(e){await fs.appendFile(this.path,JSON.stringify(e)+"\n","utf-8")}async register(e,t,r,s,i,n,a,o,c,h,l,d,p,u){if(await this.init(),this.entries.has(e))return(0,shared_1.err)("ALREADY_REGISTERED");const y=p?Date.now()+p:void 0,m={did:e,publicKey:t,name:r,scopes:new Set(s??[]),receiveScopes:c?new Set(c):void 0,revoked:!1,rotation_sequence:1,x25519PublicKey:i,mlKemPublicKey:n,mlDsaPublicKey:a,xchange:o,sdkVersion:h,minEnvelopeVersion:l,maxEnvelopeVersion:d,expiresAt:y};return this.entries.set(e,m),await this.append({type:"register",did:e,publicKey:Array.from(t),name:r,scopes:s??[],rotation_sequence:1,...c?{receiveScopes:c}:{},...i?{x25519PublicKey:Array.from(i)}:{},...n?{mlKemPublicKey:Array.from(n)}:{},...a?{mlDsaPublicKey:Array.from(a)}:{},...void 0!==o?{xchange:o}:{},...void 0!==h?{sdkVersion:h}:{},...void 0!==l?{minEnvelopeVersion:l}:{},...void 0!==d?{maxEnvelopeVersion:d}:{},...void 0!==y?{expiresAt:y}:{}}),(0,shared_1.ok)(void 0)}async resolve(e){await this.init();const t=this.entries.get(e);return t?isExpired(t)?(0,shared_1.err)("EXPIRED"):t.revoked?(0,shared_1.err)("REVOKED"):(0,shared_1.ok)(t.publicKey):(0,shared_1.err)("NOT_FOUND")}async hasScope(e,t){await this.init();const r=this.entries.get(e);return!(!r||isExpired(r)||r.revoked)&&r.scopes.has(t)}async hasReceiveScope(e,t){await this.init();const r=this.entries.get(e);return!(!r||isExpired(r)||r.revoked)&&(!r.receiveScopes||r.receiveScopes.has(t))}async revoke(e){await this.init();const t=this.entries.get(e);return t?(this.entries.set(e,{...t,revoked:!0}),await this.append({type:"revoke",did:e}),(0,shared_1.ok)(void 0)):(0,shared_1.err)("NOT_FOUND")}async getEntry(e){await this.init();const t=this.entries.get(e);return t?isExpired(t)?(0,shared_1.err)("EXPIRED"):(0,shared_1.ok)(t):(0,shared_1.err)("NOT_FOUND")}async updateScopes(e,t){await this.init();const r=this.entries.get(e);return r?isExpired(r)?(0,shared_1.err)("EXPIRED"):r.revoked?(0,shared_1.err)("REVOKED"):(this.entries.set(e,{...r,scopes:new Set(t)}),await this.append({type:"update-scopes",did:e,scopes:t}),(0,shared_1.ok)(void 0)):(0,shared_1.err)("NOT_FOUND")}async cleanup(){await this.init();let e=0;const t=Date.now();for(const[r,s]of this.entries)s.expiresAt&&t>s.expiresAt&&(this.entries.delete(r),e++);return e}async rotate(e,t,r,s){await this.init();const i=this.entries.get(e);if(!i)throw new Error(`DID not found: ${e}`);if(s<=i.rotation_sequence)throw new Error(`Rotation sequence ${s} must be > current ${i.rotation_sequence} (rollback attack prevented)`);await this.append({type:"rotate",did:e,publicKey:Array.from(t),proof:Array.from(r),rotation_sequence:s,timestamp:Date.now()}),this.entries.set(e,{...i,publicKey:t,rotation_sequence:s})}get size(){return this.entries.size}}async function createEnterpriseTrustRegistry(e){let t;if("file"===e.storage){if(!e.path)throw new Error("FileTrustRegistry requires path option");t=new FileTrustRegistry({path:e.path})}else if("http"===e.storage){if(!e.baseUrl)throw new Error("HttpTrustRegistry requires baseUrl option");t=new HttpTrustRegistry({baseUrl:e.baseUrl})}else t=new MemoryTrustRegistry;if(e.preload)for(const r of e.preload)await t.register(r.did,r.publicKey,r.name,r.scopes,r.x25519PublicKey,r.mlKemPublicKey,r.mlDsaPublicKey,r.xchange,r.receiveScopes,r.sdkVersion,r.minEnvelopeVersion,r.maxEnvelopeVersion);return t}exports.FileTrustRegistry=FileTrustRegistry;