npm - @private.me/xbind - Versions diffs - 3.0.4 → 3.1.0 - Mend

@private.me/xbind 3.0.4 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/MIGRATING.md ADDED Viewed

@@ -0,0 +1,205 @@
+# xBind Migration Guide
+## 3.0.4 → 3.1.0 (Current)
+### Documentation Improvements
+**No Breaking Changes** - This is a documentation-only release:
+- ✅ **Migration Guide:** Added this MIGRATING.md file with upgrade paths for all versions
+- ✅ **Error Reference:** Comprehensive error code documentation with fixes for common issues
+- ✅ **Security API:** Clarified `security` parameter (official API) vs `payload.risk` (application data)
+- ✅ **Bundled README:** Fixed broken relative links, removed internal tracking codes, consistent PQ examples
+**Migration:** Update package version - no code changes required:
+```bash
+npm install @private.me/xbind@3.1.0
+```
+---
+## 3.0.3 → 3.0.4
+### Bug Fixes
+**H1 Security Tier Fix:**
+- **Issue:** `agent.send({ security: 'high' })` threw synchronously instead of returning `Result<T,E>`
+- **Fixed:** Now returns `Result` with error code `SPLIT_FAILED:CRYPTO_NOT_LOADED` when crypto package unavailable
+- **Migration:** No code changes required. If you had try-catch around `send()`, you can now use standard Result handling
+**Loopback URL Support:**
+- **Issue:** v3.0.3 broke dev/test workflows by rejecting `http://127.0.0.1` and `http://localhost`
+- **Fixed:** RFC 6761 loopback addresses now work without HTTPS requirement
+- **Migration:** No code changes required. Remove any HTTPS workarounds for local development
+### Supported Loopback Addresses
+- `http://127.0.0.1` (IPv4 loopback)
+- `http://localhost` (standard hostname)
+- `http://[::1]` or `http://::1` (IPv6 loopback)
+- `http://*.localhost` (RFC 6761 reserved)
+---
+## 1.x → 3.x (Major Version)
+### Breaking Changes
+**1. Full Control IP Protection**
+v3.x introduced 2-share XorIDA (Store Front + Vault Store) for IP protection:
+```typescript
+// v1.x: All crypto bundled in npm package
+npm install @private.me/xbind@1.4.2  // 8MB package
+// v3.x: Share 1 in npm, Share 2 payment-gated on EC2
+npm install @private.me/xbind@3.1.0  // 1.2MB package
+// Share 2 auto-fetched with billing OR set FULL_CONTROL_MASTER_KEY
+```
+**Migration:**
+- **No code changes** if you have active billing (Share 2 auto-fetched)
+- **For offline/dev:** Set `FULL_CONTROL_MASTER_KEY` environment variable (contact contact@private.me for key)
+**2. Result<T,E> Error Handling**
+All APIs now return `Result<T,E>` instead of throwing:
+```typescript
+// v1.x: Exception-based
+try {
+  const agent = await Agent.create({ ... });
+  await agent.send({ ... });
+} catch (error) {
+  console.error('Failed:', error);
+}
+// v3.x: Result-based
+const agentResult = await Agent.create({ ... });
+if (!agentResult.ok) {
+  console.error('Agent creation failed:', agentResult.error);
+  return;
+}
+const agent = agentResult.value;
+const sendResult = await agent.send({ ... });
+if (!sendResult.ok) {
+  console.error('Send failed:', sendResult.error);
+}
+```
+**3. Security Tier API**
+Explicit `security` parameter for split-channel:
+```typescript
+// v1.x: Implicit/auto-detection
+await agent.send({
+  to: recipientDid,
+  payload: { sensitive: true }
+});
+// v3.x: Explicit security parameter
+await agent.send({
+  to: recipientDid,
+  security: 'high',  // 2-of-3 threshold
+  payload: { sensitive: true }
+});
+```
+Options: `'standard'` (default), `'high'` (2-of-3), `'critical'` (3-of-5)
+**4. Transport Configuration**
+v3.x requires explicit transport configuration:
+```typescript
+// v1.x: Auto-configured
+const agent = await Agent.create({ name: 'MyAgent' });
+// v3.x: Explicit transport
+import { HttpsTransportAdapter } from '@private.me/xbind';
+const agent = await Agent.create({
+  name: 'MyAgent',
+  transport: new HttpsTransportAdapter({
+    baseUrl: 'https://private.me/relay'
+  })
+});
+```
+---
+## Common Migration Issues
+### Issue: npm install silently downgrades version
+**Symptom:** Running `npm install @private.me/xbind@latest` after local `file:` testing uninstalls xBind
+**Cause:** npm's `file:` protocol creates a local package reference that persists across installs
+**Fix:**
+```bash
+# Remove cached local reference
+npm uninstall @private.me/xbind
+rm -rf node_modules/@private.me
+rm package-lock.json
+# Clean install from registry
+npm install @private.me/xbind@3.1.0
+```
+### Issue: ENVELOPE_FAILED:SPLIT error
+**Symptom:** `security:'high'` or `security:'critical'` returns `ENVELOPE_FAILED:SPLIT`
+**Cause:** Split-channel requires 3+ transports for `'high'`, 5+ for `'critical'`
+**Fix:**
+```typescript
+// Add multiple transports
+const agent = await Agent.create({
+  name: 'MyAgent',
+  transport: new HttpsTransportAdapter({ baseUrl: 'https://relay1.private.me' }),
+  // OR use quickstart which auto-configures transports
+});
+// Add more transports after creation
+agent.addTransport(new HttpsTransportAdapter({ baseUrl: 'https://relay2.private.me' }));
+agent.addTransport(new HttpsTransportAdapter({ baseUrl: 'https://relay3.private.me' }));
+// Now 'high' security will work
+const result = await agent.send({
+  to: recipientDid,
+  security: 'high',
+  payload: { message: 'Secured' }
+});
+```
+### Issue: IDENTITY_FAILED:VAULT_STORE error
+**Symptom:** Agent creation fails with `IDENTITY_FAILED:VAULT_STORE`
+**Cause:** Share 2 (Vault Store) unavailable - no billing and no `FULL_CONTROL_MASTER_KEY`
+**Fix (Production):**
+- Ensure billing is active (free tier: 100K ops/month)
+- Check internet connectivity
+**Fix (Development/Offline):**
+```bash
+# Add to .env
+FULL_CONTROL_MASTER_KEY=<your-key>
+# Contact contact@private.me for development key
+```
+---
+## Support
+- **Documentation:** https://private.me/docs/xbind.html
+- **npm:** https://www.npmjs.com/package/@private.me/xbind
+- **Email:** contact@private.me
+For enterprise migration assistance, contact contact@private.me

package/README.md CHANGED Viewed

@@ -1,7 +1,7 @@
 # @private.me/xbind
 ![npm version](https://img.shields.io/npm/v/@private.me/xbind)
-![version](https://img.shields.io/badge/version-3.0.3-blue)
+![version](https://img.shields.io/badge/version-3.1.0-blue)
 ![tests](https://img.shields.io/badge/tests-2951%20passing-brightgreen)
 ![TypeScript](https://img.shields.io/badge/TypeScript-strict-blue)
 ![license](https://img.shields.io/badge/license-Proprietary-blue)
@@ -12,7 +12,7 @@ Build AI agents that communicate securely using ML-DSA-65 DID identity, ML-KEM-7
 Part of the **Private.Me** platform—where APIs have keys, but ACIs have identity.
-**Version 3.0.3** — **Major Features:** LoopbackTransport export for testing (GAP-CORE-2), describeSecurityModeStructured export (GAP-API-3), Agent.quickstart() signature fixes. Full Control IP Protection (PLAN-13) - Vault Store architecture with payment-gated algorithm delivery. Store Front (npm) contains Share 1 only, Vault Store (EC2) contains Share 2 (payment-gated). Runtime crypto loading, 4-layer security (DID auth + usage quotas + rate limiting + audit logging). Usage-based model: Free tier 100K ops/month (includes vault access), Pro tier unlimited. Previous v3.0.2: Full Control IP Protection launch. Previous v1.4.2: Runtime compatibility, API enhancements.
+**Version 3.1.0** — **Documentation Improvements:** Migration guide (MIGRATING.md), comprehensive error reference, security API clarification, fixed all bundled README issues. **Bug Fixes (v3.0.4):** H1 security tier fix (security:'high'|'critical' now returns Result instead of throwing), loopback URL support restored (http://127.0.0.1 for dev/test workflows), deployment health endpoint added. Full Control IP Protection - Vault Store architecture with payment-gated algorithm delivery. Store Front (npm) contains Share 1 only, Vault Store (EC2) contains Share 2 (payment-gated). Runtime crypto loading, 4-layer security (DID auth + usage quotas + rate limiting + audit logging). Usage-based model: Free tier 100K ops/month (includes vault access), Pro tier unlimited. Previous v3.0.3: LoopbackTransport export, describeSecurityModeStructured export, Agent.quickstart() fixes. Previous v3.0.2: Full Control IP Protection launch.
 ## Install
@@ -26,7 +26,7 @@ pip install private-me-xbind
 **Distribution Model:** xBind uses Full Control IP protection (2-share XorIDA). Share 1 (Store Front) is distributed via npm registry. Share 2 (Vault Store) is served via `/api/full-control/share2/:package/:version` and requires payment verification and xBind authentication.
-[Python SDK documentation](./python/README.md) • [Complete docs](./docs/README.md) • [White paper](https://private.me/docs/xbind.html)
+[Migration Guide](./MIGRATING.md) • [Python SDK](https://pypi.org/project/private-me-xbind/) • [White paper](https://private.me/docs/xbind.html) • [npm](https://www.npmjs.com/package/@private.me/xbind)
 ## Security Notice
@@ -106,7 +106,7 @@ const seed = await getSeed();
 const result = await Agent.fromSeed(Buffer.from(seed, 'hex'), {
   registry: new HttpTrustRegistry({ baseUrl: 'https://private.me/registry' }),
   transport: new HttpsTransportAdapter({ baseUrl: 'https://private.me/relay' }),
-  postQuantumSig: false
+  postQuantumSig: true  // ML-DSA-65 post-quantum signatures (default)
 });
 if (!result.ok) {
@@ -136,7 +136,7 @@ if (!seed) throw new Error('Seed not found in credential store');
 const result = await Agent.fromSeed(Buffer.from(seed, 'hex'), {
   registry: new HttpTrustRegistry({ baseUrl: 'https://private.me/registry' }),
   transport: new HttpsTransportAdapter({ baseUrl: 'https://private.me/relay' }),
-  postQuantumSig: false
+  postQuantumSig: true  // ML-DSA-65 post-quantum signatures (default)
 });
 if (!result.ok) {
@@ -165,7 +165,7 @@ if (!seed) throw new Error('Seed not found in Secret Service');
 const result = await Agent.fromSeed(Buffer.from(seed, 'hex'), {
   registry: new HttpTrustRegistry({ baseUrl: 'https://private.me/registry' }),
   transport: new HttpsTransportAdapter({ baseUrl: 'https://private.me/relay' }),
-  postQuantumSig: false
+  postQuantumSig: true  // ML-DSA-65 post-quantum signatures (default)
 });
 if (!result.ok) {
@@ -211,7 +211,7 @@ const decryptedSeed = await kms.send(new DecryptCommand({
 const result = await Agent.fromSeed(Buffer.from(decryptedSeed.Plaintext), {
   registry: new HttpTrustRegistry({ baseUrl: 'https://private.me/registry' }),
   transport: new HttpsTransportAdapter({ baseUrl: 'https://private.me/relay' }),
-  postQuantumSig: false
+  postQuantumSig: true  // ML-DSA-65 post-quantum signatures (default)
 });
 if (!result.ok) {
@@ -543,7 +543,7 @@ console.log('Scope:', message.scope);
 **JITR (Just-in-Time Registration):** Agents created with `Agent.fromSeed()` automatically register with the trust registry on first use. No manual registration scripts required. Includes all encryption keys (Ed25519, X25519, ML-KEM, ML-DSA) for zero-config encrypted messaging.
-[More examples](./docs/examples.md) • [Python examples](./python/README.md)
+[White paper](https://private.me/docs/xbind.html) • [Python SDK](https://pypi.org/project/private-me-xbind/)
 ## Programmatic Quickstart
@@ -622,7 +622,7 @@ Transport type: HttpsTransportAdapter
 - Exceeding 100K operations/month
 - Accessing production features
-[More examples](./docs/examples.md) • [Python examples](./python/README.md)
+[White paper](https://private.me/docs/xbind.html) • [Python SDK](https://pypi.org/project/private-me-xbind/)
 ## Post-Quantum Cryptography & Envelopes
@@ -1684,7 +1684,7 @@ else:
     print(f"Error: {result['error']['message']}")
 ```
-See [Python SDK documentation](./python/README.md) for complete API reference and examples.
+See [Python SDK on PyPI](https://pypi.org/project/private-me-xbind/) for complete API reference and examples.
 ## Why xBind?
@@ -1768,11 +1768,11 @@ Zero key management, zero cascade failures, zero bearer credentials. Cryptograph
 - **End-to-end integration:** Full message flow tests (Agent A → Gateway → Agent B)
 - **Gateway concurrency:** 100 concurrent sends, race condition detection
 - **Network partition recovery:** Disconnect/reconnect cycles with retry logic
-- **PLAN-3 hybrid signatures:** Bilateral authorization with composite verification
+- **Hybrid signatures:** Bilateral authorization with composite verification
 ## Bundle Size Optimization (Tree-Shaking)
-**New in v3.0.3:** LoopbackTransport export (testing workflow), describeSecurityModeStructured export (white paper examples), Agent.quickstart() signature fixes (README correctness). Full Control IP Protection (v3.0.2) - cryptographic algorithms delivered via payment-gated Vault Store. Share 1 in npm (useless alone), Share 2 in EC2 (completes algorithm). Information-theoretic security for proprietary IP.
+**New in v3.1.0:** Documentation improvements - Migration guide (MIGRATING.md), comprehensive error reference section, security API clarification (security parameter vs payload.risk), fixed all customer-reported README issues (broken links, tracking codes, PQ example consistency). Previous v3.0.4: Bug fixes - H1 security tier fix, loopback URL support, deployment health endpoint. Full Control IP Protection (v3.0.2) - cryptographic algorithms delivered via payment-gated Vault Store. Share 1 in npm (useless alone), Share 2 in EC2 (completes algorithm). Information-theoretic security for proprietary IP.
 ### Full Import (Convenience)
@@ -1810,36 +1810,35 @@ import { generateIdentity } from '@private.me/xbind/identity';
 xBind automatically activates information-theoretic XorIDA threshold sharing for high-risk operations. No code changes required—security is transparent.
-### Risk Tags (Recommended for Crypto)
+### Security Tiers (Official API)
-For cryptocurrency transactions (BTC, ETH, etc.), use explicit risk tags in your payload:
+**Use the `security` parameter to control split-channel protection level:**
 ```typescript
-// Low risk: 2-of-2 threshold
+// Standard: Single-channel delivery (default, fastest)
 await agent.send({
   to: recipientDid,
-  payload: { amount: 0.5, currency: 'BTC', risk: 'low' }
+  security: 'standard',  // Default, no split-channel
+  payload: { amount: 0.5, currency: 'BTC' }
 });
-// Medium risk: 2-of-3 threshold
+// High: 2-of-3 threshold sharing (recommended for crypto)
 await agent.send({
   to: recipientDid,
-  payload: { amount: 5.0, currency: 'ETH', risk: 'medium' }
+  security: 'high',  // Requires 3+ transports
+  payload: { amount: 50, currency: 'BTC' }
 });
-// High risk: 3-of-5 threshold
+// Critical: 3-of-5 threshold sharing (maximum security)
 await agent.send({
   to: recipientDid,
-  payload: { amount: 50, currency: 'BTC', risk: 'high' }
-});
-// Critical risk: 3-of-5 threshold
-await agent.send({
-  to: recipientDid,
-  payload: { amount: 100, currency: 'BTC', risk: 'critical' }
+  security: 'critical',  // Requires 5+ transports
+  payload: { amount: 100, currency: 'BTC' }
 });
 ```
+**Note:** The `security` parameter controls xBind's cryptographic protection. Application-level risk assessment (like `payload.risk`) is separate from xBind's security tier and has no effect on split-channel behavior.
 ### Fiat Currency Auto-Detection
 For fiat currencies (USD, EUR, GBP), xBind uses numeric thresholds:
@@ -2739,7 +2738,7 @@ await registry.register(
   mlDsaPublicKey,
   true, // xchange enabled
   ['billing', 'auth'], // receive scopes
-  '3.0.3', // SDK version
+  '3.0.4', // SDK version
   1, // minEnvelopeVersion
   4  // maxEnvelopeVersion
 );
@@ -2948,6 +2947,70 @@ const received = await bob.receive(envelope);
 - CI/CD pipelines that need fast, deterministic tests
 - Integration testing of multi-agent workflows
+## Error Reference
+xBind returns detailed error codes via `Result<T,E>` pattern. All errors follow the format `CATEGORY:SUBCODE` for precise diagnostics.
+### Common Errors
+**ENVELOPE_FAILED Family** - Message envelope creation/processing failures:
+- `ENVELOPE_FAILED:SPLIT` - Split-channel requires 3+ transports. **Fix:** Add more transports to your agent configuration OR disable split-channel (use `security:'standard'` instead of `'high'`/`'critical'`)
+- `ENVELOPE_FAILED:SIGNATURE` - Message signing failed (corrupted keys or invalid DID)
+- `ENVELOPE_FAILED:ENCRYPTION` - Key agreement or encryption failed
+**IDENTITY_FAILED Family** - Agent identity/key issues:
+- `IDENTITY_FAILED:KEYGEN` - Cryptographic key generation failed
+- `IDENTITY_FAILED:VAULT_STORE` - Share 2 (Vault Store) unavailable. **Fix:** Check internet connectivity, verify billing status, or set `FULL_CONTROL_MASTER_KEY` environment variable for offline mode
+- `SPLIT_FAILED:CRYPTO_NOT_LOADED` - Crypto package not loaded (missing Share 2). **Fix:** Ensure `loadCryptoPackage()` is called OR billing is active for automatic Vault Store access
+**Network/Transport Errors:**
+- `RECIPIENT_UNREACHABLE` - Unable to deliver message to recipient DID
+- `TIMEOUT` - Network operation exceeded timeout threshold (default: 10s)
+- `NETWORK_ERROR` - General network failure (DNS, connection refused, etc.)
+- `HTTPS_REQUIRED` - Non-loopback HTTP URL rejected (security policy). **Fix:** Use HTTPS URLs for production OR use loopback addresses (127.0.0.1, localhost, ::1) for development
+**Registry Errors:**
+- `REGISTRATION_FAILED:ALREADY_REGISTERED` - DID already exists in trust registry
+- `REGISTRATION_FAILED:NETWORK_ERROR` - Registry unreachable or network failure
+- `RESOLVE_FAILED:NOT_FOUND` - Recipient DID not found in trust registry
+### Error Handling Example
+```typescript
+const result = await agent.send({
+  to: recipientDid,
+  security: 'high',  // Requires 3+ transports
+  payload: { message: 'Hello' }
+});
+if (!result.ok) {
+  switch (result.error) {
+    case 'ENVELOPE_FAILED:SPLIT':
+      console.error('Need 3+ transports for high security. Add more transports or use security:"standard"');
+      break;
+    case 'IDENTITY_FAILED:VAULT_STORE':
+      console.error('Vault Store unavailable. Check billing or set FULL_CONTROL_MASTER_KEY');
+      break;
+    case 'RECIPIENT_UNREACHABLE':
+      console.error('Cannot reach recipient. Check DID and network connectivity');
+      break;
+    default:
+      console.error('Send failed:', result.error);
+  }
+}
+```
+### Debugging Tips
+1. **Split-channel errors:** Ensure `agent.transports.length >= 3` before using `security:'high'` or `'critical'`
+2. **Vault Store errors:** Check `.env` for `FULL_CONTROL_MASTER_KEY` (offline mode) or verify billing status (online mode)
+3. **Network errors:** Enable debug logging with `DEBUG=xbind:* npm start`
+4. **Type safety:** Use TypeScript for autocomplete on all error codes
 ## Full Control IP Protection
 xBind uses **Full Control** (2-share XorIDA) to protect proprietary cryptographic algorithms while maintaining a seamless developer experience.
@@ -3138,7 +3201,7 @@ This package contains cryptographic software. Export restrictions may apply. Use
 ---
-**Questions?** [Documentation](./docs/README.md) • [White paper](https://private.me/docs/xbind.html) • [Issues](https://github.com/xail-io/xail/issues)
+**Questions?** [White paper](https://private.me/docs/xbind.html) • [npm](https://www.npmjs.com/package/@private.me/xbind) • contact@private.me
 ### Stream Processing Utilities

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@private.me/xbind",
-  "version": "3.0.4",
+  "version": "3.1.0",
   "description": "Identity-based M2M authentication (Contains encryption - export restrictions apply)",
   "license": "Proprietary",
   "author": "Private.Me Contributors",
@@ -83,6 +83,7 @@
     "!dist-standalone/_deps/crypto/**",
     "share1.dat",
     "README.md",
+    "MIGRATING.md",
     "LICENSE.md",
     "LICENSES.md",
     "AGENTS.md",

package/share1.dat CHANGED Viewed

Binary file