@psavelis/enterprise-blockchain 0.1.0 → 1.1.1

package/README.md

@@ -1,16 +1,29 @@
 # @psavelis/enterprise-blockchain
 
-Production-grade enterprise blockchain modules: MPC, HSM, STARK settlement, post-quantum cryptography, and protocol adapters.
+Production-grade TypeScript modules for recursive STARK settlement, post-quantum cryptography (ML-KEM/ML-DSA), MPC, HSM, and multi-rail (Solana + Bitcoin + fiat) infrastructure.
 
 [![npm version](https://img.shields.io/npm/v/@psavelis/enterprise-blockchain)](https://www.npmjs.com/package/@psavelis/enterprise-blockchain)
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](../../LICENSE)
 
-## Installation
+## Install in 10 Seconds
 
 ```bash
 npm install @psavelis/enterprise-blockchain
 ```
 
+```typescript
+import { KyberKem } from "@psavelis/enterprise-blockchain/mpc";
+
+// Post-quantum key exchange (NIST FIPS 203)
+const kem = new KyberKem();
+const { publicKey, secretKey } = kem.generateKeyPair("ml-kem-768");
+const { ciphertext, sharedSecret } = kem.encapsulate(publicKey, "ml-kem-768");
+const decrypted = kem.decapsulate(ciphertext, secretKey, "ml-kem-768");
+// sharedSecret === decrypted ✓
+```
+
+---
+
 ## Quick Start
 
 ### Post-Quantum Key Exchange (ML-KEM-768)

package/dist/aid-settlement/application/reconciler.d.ts

@@ -0,0 +1,13 @@
+import type { ReconciliationReport } from "../domain/entities.js";
+import type { AidSettlementRepository } from "../domain/ports.js";
+import type { Logger } from "../../shared/logger.js";
+export declare class Reconciler {
+    private readonly repo;
+    private readonly logger;
+    constructor(repo: AidSettlementRepository, logger?: Logger);
+    reconcile(): ReconciliationReport;
+    private rejectOrphanedClaims;
+    private processClaims;
+    private validateClaim;
+}
+//# sourceMappingURL=reconciler.d.ts.map

package/dist/aid-settlement/application/reconciler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reconciler.d.ts","sourceRoot":"","sources":["../../../src/aid-settlement/application/reconciler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAGV,oBAAoB,EACrB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAClE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAGrD,qBAAa,UAAU;IAInB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAHvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAGb,IAAI,EAAE,uBAAuB,EAC9C,MAAM,CAAC,EAAE,MAAM;IAKjB,SAAS,IAAI,oBAAoB;IAiDjC,OAAO,CAAC,oBAAoB;IAY5B,OAAO,CAAC,aAAa;IA8BrB,OAAO,CAAC,aAAa;CA6BtB"}

package/dist/aid-settlement/application/reconciler.js

@@ -0,0 +1,77 @@
+import { noopLogger } from "../../shared/logger.js";
+export class Reconciler {
+    repo;
+    logger;
+    constructor(repo, logger) {
+        this.repo = repo;
+        this.logger = logger ?? noopLogger;
+    }
+    reconcile() {
+        const start = Date.now();
+        this.logger.info("reconciliation started", {
+            operation: "Reconciler.reconcile",
+        });
+        const settledClaimIds = [];
+        const rejectedClaimIds = [];
+        const exceptions = [];
+        for (const grantId of this.repo.grantIds()) {
+            const grant = this.repo.grants.get(grantId);
+            const claims = this.repo.claimsForGrant(grantId);
+            if (!grant) {
+                this.rejectOrphanedClaims(claims, grantId, rejectedClaimIds, exceptions);
+                continue;
+            }
+            this.processClaims(grant, claims, settledClaimIds, rejectedClaimIds, exceptions);
+        }
+        const report = {
+            settledClaimIds,
+            rejectedClaimIds,
+            exceptions,
+        };
+        this.logger.info("reconciliation completed", {
+            operation: "Reconciler.reconcile",
+            result: exceptions.length > 0 ? "with-exceptions" : "clean",
+            durationMs: Date.now() - start,
+            settled: settledClaimIds.length,
+            rejected: rejectedClaimIds.length,
+        });
+        return report;
+    }
+    rejectOrphanedClaims(claims, grantId, rejectedClaimIds, exceptions) {
+        for (const claim of claims) {
+            rejectedClaimIds.push(claim.id);
+        }
+        exceptions.push(`Claims reference unknown grant ${grantId}.`);
+    }
+    processClaims(grant, claims, settledClaimIds, rejectedClaimIds, exceptions) {
+        let consumedAmountUsd = 0;
+        const seenInvoices = new Set();
+        for (const claim of claims) {
+            const rejection = this.validateClaim(claim, grant, consumedAmountUsd, seenInvoices);
+            if (rejection) {
+                rejectedClaimIds.push(claim.id);
+                exceptions.push(...rejection);
+                continue;
+            }
+            consumedAmountUsd += claim.amountUsd;
+            seenInvoices.add(claim.invoiceReference);
+            settledClaimIds.push(claim.id);
+        }
+    }
+    validateClaim(claim, grant, consumedAmountUsd, seenInvoices) {
+        const errors = [];
+        if (new Date(claim.submittedAt) > new Date(grant.expiresAt)) {
+            errors.push(`Claim ${claim.id} was submitted after grant ${grant.id} expired.`);
+        }
+        if (!grant.approvedMerchantCategories.includes(claim.merchantCategory)) {
+            errors.push(`Claim ${claim.id} used merchant category ${claim.merchantCategory}, which is not approved.`);
+        }
+        if (seenInvoices.has(claim.invoiceReference)) {
+            errors.push(`Claim ${claim.id} duplicated invoice ${claim.invoiceReference}.`);
+        }
+        if (consumedAmountUsd + claim.amountUsd > grant.amountUsd) {
+            errors.push(`Claim ${claim.id} would overspend grant ${grant.id}.`);
+        }
+        return errors.length > 0 ? errors : null;
+    }
+}

package/dist/aid-settlement/domain/entities.d.ts

@@ -0,0 +1,24 @@
+export interface AidGrant {
+    readonly id: string;
+    readonly beneficiaryId: string;
+    readonly program: string;
+    readonly issuedAt: string;
+    readonly expiresAt: string;
+    readonly approvedMerchantCategories: string[];
+    readonly amountUsd: number;
+}
+export interface RedemptionClaim {
+    readonly id: string;
+    readonly grantId: string;
+    readonly merchantId: string;
+    readonly merchantCategory: string;
+    readonly submittedAt: string;
+    readonly invoiceReference: string;
+    readonly amountUsd: number;
+}
+export interface ReconciliationReport {
+    readonly settledClaimIds: string[];
+    readonly rejectedClaimIds: string[];
+    readonly exceptions: string[];
+}
+//# sourceMappingURL=entities.d.ts.map

package/dist/aid-settlement/domain/entities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.d.ts","sourceRoot":"","sources":["../../../src/aid-settlement/domain/entities.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,0BAA0B,EAAE,MAAM,EAAE,CAAC;IAC9C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,eAAe,EAAE,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC;CAC/B"}

package/dist/aid-settlement/domain/entities.js

@@ -0,0 +1 @@
+export {};

package/dist/aid-settlement/domain/ports.d.ts

@@ -0,0 +1,10 @@
+import type { ReadonlyStore } from "../../shared/store.js";
+import type { AidGrant, RedemptionClaim } from "./entities.js";
+export interface AidSettlementRepository {
+    readonly grants: ReadonlyStore<string, AidGrant>;
+    claimsForGrant(grantId: string): readonly RedemptionClaim[];
+    grantIds(): Iterable<string>;
+    addGrant(grant: AidGrant): void;
+    addClaim(claim: RedemptionClaim): void;
+}
+//# sourceMappingURL=ports.d.ts.map

package/dist/aid-settlement/domain/ports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../../../src/aid-settlement/domain/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAE/D,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACjD,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,eAAe,EAAE,CAAC;IAC5D,QAAQ,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI,CAAC;IAChC,QAAQ,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,CAAC;CACxC"}

package/dist/aid-settlement/domain/ports.js

@@ -0,0 +1 @@
+export {};

package/dist/aid-settlement/index.d.ts

@@ -0,0 +1,19 @@
+export type { AidGrant, RedemptionClaim, ReconciliationReport, } from "./domain/entities.js";
+export type { AidSettlementRepository } from "./domain/ports.js";
+export { Reconciler } from "./application/reconciler.js";
+export { InMemoryAidSettlementRepository } from "./infrastructure/in-memory-store.js";
+import type { AidGrant, RedemptionClaim, ReconciliationReport } from "./domain/entities.js";
+import type { AidSettlementRepository } from "./domain/ports.js";
+import type { Logger } from "../shared/logger.js";
+export declare class AidSettlementLedger {
+    private readonly repo;
+    private readonly logger;
+    constructor(options?: {
+        repo?: AidSettlementRepository;
+        logger?: Logger;
+    });
+    issueGrant(grant: AidGrant): void;
+    submitClaim(claim: RedemptionClaim): void;
+    reconcile(): ReconciliationReport;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/aid-settlement/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/aid-settlement/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,QAAQ,EACR,eAAe,EACf,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAGjE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAGzD,OAAO,EAAE,+BAA+B,EAAE,MAAM,qCAAqC,CAAC;AAMtF,OAAO,KAAK,EACV,QAAQ,EACR,eAAe,EACf,oBAAoB,EACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAIlD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA0B;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqB;gBAEhC,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,uBAAuB,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAKzE,UAAU,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI;IAIjC,WAAW,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAIzC,SAAS,IAAI,oBAAoB;CAGlC"}

package/dist/aid-settlement/index.js

@@ -0,0 +1,23 @@
+// Application
+export { Reconciler } from "./application/reconciler.js";
+// Infrastructure
+export { InMemoryAidSettlementRepository } from "./infrastructure/in-memory-store.js";
+import { InMemoryAidSettlementRepository } from "./infrastructure/in-memory-store.js";
+import { Reconciler } from "./application/reconciler.js";
+export class AidSettlementLedger {
+    repo;
+    logger;
+    constructor(options) {
+        this.repo = options?.repo ?? new InMemoryAidSettlementRepository();
+        this.logger = options?.logger;
+    }
+    issueGrant(grant) {
+        this.repo.addGrant(grant);
+    }
+    submitClaim(claim) {
+        this.repo.addClaim(claim);
+    }
+    reconcile() {
+        return new Reconciler(this.repo, this.logger).reconcile();
+    }
+}

package/dist/aid-settlement/infrastructure/in-memory-store.d.ts

@@ -0,0 +1,12 @@
+import { InMemoryStore } from "../../shared/index.js";
+import type { AidGrant, RedemptionClaim } from "../domain/entities.js";
+import type { AidSettlementRepository } from "../domain/ports.js";
+export declare class InMemoryAidSettlementRepository implements AidSettlementRepository {
+    readonly grants: InMemoryStore<string, AidGrant>;
+    private readonly claims;
+    addGrant(grant: AidGrant): void;
+    addClaim(claim: RedemptionClaim): void;
+    claimsForGrant(grantId: string): readonly RedemptionClaim[];
+    grantIds(): Iterable<string>;
+}
+//# sourceMappingURL=in-memory-store.d.ts.map

package/dist/aid-settlement/infrastructure/in-memory-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"in-memory-store.d.ts","sourceRoot":"","sources":["../../../src/aid-settlement/infrastructure/in-memory-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAmB,MAAM,uBAAuB,CAAC;AACvE,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAElE,qBAAa,+BAAgC,YAAW,uBAAuB;IAC7E,QAAQ,CAAC,MAAM,kCAAyC;IACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkD;IAEzE,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI;IAI/B,QAAQ,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAItC,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,eAAe,EAAE;IAI3D,QAAQ,IAAI,QAAQ,CAAC,MAAM,CAAC;CAG7B"}

package/dist/aid-settlement/infrastructure/in-memory-store.js

@@ -0,0 +1,17 @@
+import { InMemoryStore, CollectionStore } from "../../shared/index.js";
+export class InMemoryAidSettlementRepository {
+    grants = new InMemoryStore();
+    claims = new CollectionStore();
+    addGrant(grant) {
+        this.grants.set(grant.id, grant);
+    }
+    addClaim(claim) {
+        this.claims.append(claim.grantId, claim);
+    }
+    claimsForGrant(grantId) {
+        return this.claims.getAll(grantId);
+    }
+    grantIds() {
+        return this.claims.keys();
+    }
+}

package/dist/credentialing/application/clearance-evaluator.d.ts

@@ -0,0 +1,10 @@
+import type { ClearanceDecision, StaffingAssignment } from "../domain/entities.js";
+import type { CredentialRepository } from "../domain/ports.js";
+import type { Logger } from "../../shared/logger.js";
+export declare class ClearanceEvaluator {
+    private readonly repo;
+    private readonly logger;
+    constructor(repo: CredentialRepository, logger?: Logger);
+    evaluate(assignment: StaffingAssignment): ClearanceDecision;
+}
+//# sourceMappingURL=clearance-evaluator.d.ts.map

package/dist/credentialing/application/clearance-evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clearance-evaluator.d.ts","sourceRoot":"","sources":["../../../src/credentialing/application/clearance-evaluator.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,iBAAiB,EACjB,kBAAkB,EACnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAGrD,qBAAa,kBAAkB;IAI3B,OAAO,CAAC,QAAQ,CAAC,IAAI;IAHvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAGb,IAAI,EAAE,oBAAoB,EAC3C,MAAM,CAAC,EAAE,MAAM;IAKjB,QAAQ,CAAC,UAAU,EAAE,kBAAkB,GAAG,iBAAiB;CAuE5D"}

package/dist/credentialing/application/clearance-evaluator.js

@@ -0,0 +1,63 @@
+import { daysUntil } from "../../shared/date.js";
+import { noopLogger } from "../../shared/logger.js";
+export class ClearanceEvaluator {
+    repo;
+    logger;
+    constructor(repo, logger) {
+        this.repo = repo;
+        this.logger = logger ?? noopLogger;
+    }
+    evaluate(assignment) {
+        const start = Date.now();
+        this.logger.info("clearance evaluation started", {
+            operation: "ClearanceEvaluator.evaluate",
+            entityId: assignment.providerId,
+        });
+        const provider = this.repo.providers.get(assignment.providerId);
+        if (!provider) {
+            throw new Error(`Unknown provider ${assignment.providerId}`);
+        }
+        const credentials = this.repo.getCredentials(assignment.providerId);
+        const reasons = [];
+        const missingCredentials = [];
+        const expiringSoon = [];
+        const scheduleDate = new Date(assignment.scheduledAt);
+        if (provider.sanctionStatus !== "clear") {
+            reasons.push(`Provider sanction status is ${provider.sanctionStatus}.`);
+        }
+        for (const required of assignment.requiredCredentials) {
+            const credential = credentials.find((c) => c.type === required &&
+                c.jurisdictions.includes(assignment.jurisdiction));
+            if (!credential) {
+                missingCredentials.push(required);
+                reasons.push(`Missing ${required} credential for jurisdiction ${assignment.jurisdiction}.`);
+                continue;
+            }
+            const validUntil = new Date(credential.validUntil);
+            if (validUntil < scheduleDate) {
+                missingCredentials.push(required);
+                reasons.push(`${required} expires before the scheduled procedure.`);
+                continue;
+            }
+            const remaining = daysUntil(scheduleDate, validUntil);
+            if (remaining <= 30) {
+                expiringSoon.push(`${required} (${remaining} days remaining)`);
+            }
+        }
+        const decision = {
+            approved: reasons.length === 0 &&
+                missingCredentials.length === 0 &&
+                provider.sanctionStatus === "clear",
+            missingCredentials,
+            expiringSoon,
+            reasons,
+        };
+        this.logger.info(decision.approved ? "clearance approved" : "clearance denied", {
+            operation: "ClearanceEvaluator.evaluate",
+            entityId: assignment.providerId,
+            result: decision.approved ? "approved" : "denied",
+            durationMs: Date.now() - start,
+        });
+        return decision;
+    }
+}

package/dist/credentialing/domain/entities.d.ts

@@ -0,0 +1,28 @@
+export interface ClinicalCredential {
+    readonly id: string;
+    readonly providerId: string;
+    readonly type: string;
+    readonly jurisdictions: string[];
+    readonly validUntil: string;
+}
+export interface ProviderProfile {
+    readonly id: string;
+    readonly name: string;
+    readonly specialties: string[];
+    readonly sanctionStatus: "clear" | "review" | "blocked";
+}
+export interface StaffingAssignment {
+    readonly providerId: string;
+    readonly facility: string;
+    readonly jurisdiction: string;
+    readonly requiredCredentials: string[];
+    readonly procedure: string;
+    readonly scheduledAt: string;
+}
+export interface ClearanceDecision {
+    readonly approved: boolean;
+    readonly missingCredentials: string[];
+    readonly expiringSoon: string[];
+    readonly reasons: string[];
+}
+//# sourceMappingURL=entities.d.ts.map

package/dist/credentialing/domain/entities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.d.ts","sourceRoot":"","sources":["../../../src/credentialing/domain/entities.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,aAAa,EAAE,MAAM,EAAE,CAAC;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,OAAO,GAAG,QAAQ,GAAG,SAAS,CAAC;CACzD;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;CAC5B"}

package/dist/credentialing/domain/entities.js

@@ -0,0 +1 @@
+export {};

package/dist/credentialing/domain/ports.d.ts

@@ -0,0 +1,9 @@
+import type { ReadonlyStore } from "../../shared/store.js";
+import type { ClinicalCredential, ProviderProfile } from "./entities.js";
+export interface CredentialRepository {
+    readonly providers: ReadonlyStore<string, ProviderProfile>;
+    getCredentials(providerId: string): readonly ClinicalCredential[];
+    addProvider(provider: ProviderProfile): void;
+    addCredential(credential: ClinicalCredential): void;
+}
+//# sourceMappingURL=ports.d.ts.map

package/dist/credentialing/domain/ports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../../../src/credentialing/domain/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEzE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC3D,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,kBAAkB,EAAE,CAAC;IAClE,WAAW,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI,CAAC;IAC7C,aAAa,CAAC,UAAU,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACrD"}

package/dist/credentialing/domain/ports.js

@@ -0,0 +1 @@
+export {};

package/dist/credentialing/index.d.ts

@@ -0,0 +1,19 @@
+export type { ClinicalCredential, ProviderProfile, StaffingAssignment, ClearanceDecision, } from "./domain/entities.js";
+export type { CredentialRepository } from "./domain/ports.js";
+export { ClearanceEvaluator } from "./application/clearance-evaluator.js";
+export { InMemoryCredentialRepository } from "./infrastructure/in-memory-store.js";
+import type { ClinicalCredential, ClearanceDecision, ProviderProfile, StaffingAssignment } from "./domain/entities.js";
+import type { CredentialRepository } from "./domain/ports.js";
+import type { Logger } from "../shared/logger.js";
+export declare class CredentialRegistry {
+    private readonly repo;
+    private readonly evaluator;
+    constructor(options?: {
+        repo?: CredentialRepository;
+        logger?: Logger;
+    });
+    registerProvider(provider: ProviderProfile): void;
+    issueCredential(credential: ClinicalCredential): void;
+    evaluateAssignment(assignment: StaffingAssignment): ClearanceDecision;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/credentialing/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/credentialing/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAG9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAG1E,OAAO,EAAE,4BAA4B,EAAE,MAAM,qCAAqC,CAAC;AAMnF,OAAO,KAAK,EACV,kBAAkB,EAClB,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAIlD,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAuB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAqB;gBAEnC,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,oBAAoB,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAKtE,gBAAgB,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI;IAIjD,eAAe,CAAC,UAAU,EAAE,kBAAkB,GAAG,IAAI;IAIrD,kBAAkB,CAAC,UAAU,EAAE,kBAAkB,GAAG,iBAAiB;CAGtE"}

package/dist/credentialing/index.js

@@ -0,0 +1,23 @@
+// Application
+export { ClearanceEvaluator } from "./application/clearance-evaluator.js";
+// Infrastructure
+export { InMemoryCredentialRepository } from "./infrastructure/in-memory-store.js";
+import { InMemoryCredentialRepository } from "./infrastructure/in-memory-store.js";
+import { ClearanceEvaluator } from "./application/clearance-evaluator.js";
+export class CredentialRegistry {
+    repo;
+    evaluator;
+    constructor(options) {
+        this.repo = options?.repo ?? new InMemoryCredentialRepository();
+        this.evaluator = new ClearanceEvaluator(this.repo, options?.logger);
+    }
+    registerProvider(provider) {
+        this.repo.addProvider(provider);
+    }
+    issueCredential(credential) {
+        this.repo.addCredential(credential);
+    }
+    evaluateAssignment(assignment) {
+        return this.evaluator.evaluate(assignment);
+    }
+}

package/dist/credentialing/infrastructure/in-memory-store.d.ts

@@ -0,0 +1,11 @@
+import { InMemoryStore } from "../../shared/index.js";
+import type { ClinicalCredential, ProviderProfile } from "../domain/entities.js";
+import type { CredentialRepository } from "../domain/ports.js";
+export declare class InMemoryCredentialRepository implements CredentialRepository {
+    readonly providers: InMemoryStore<string, ProviderProfile>;
+    private readonly credentials;
+    addProvider(provider: ProviderProfile): void;
+    addCredential(credential: ClinicalCredential): void;
+    getCredentials(providerId: string): readonly ClinicalCredential[];
+}
+//# sourceMappingURL=in-memory-store.d.ts.map

package/dist/credentialing/infrastructure/in-memory-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"in-memory-store.d.ts","sourceRoot":"","sources":["../../../src/credentialing/infrastructure/in-memory-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAmB,MAAM,uBAAuB,CAAC;AACvE,OAAO,KAAK,EACV,kBAAkB,EAClB,eAAe,EAChB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/D,qBAAa,4BAA6B,YAAW,oBAAoB;IACvE,QAAQ,CAAC,SAAS,yCAAgD;IAClE,OAAO,CAAC,QAAQ,CAAC,WAAW,CAGxB;IAEJ,WAAW,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI;IAI5C,aAAa,CAAC,UAAU,EAAE,kBAAkB,GAAG,IAAI;IAInD,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,kBAAkB,EAAE;CAGlE"}

package/dist/credentialing/infrastructure/in-memory-store.js

@@ -0,0 +1,14 @@
+import { InMemoryStore, CollectionStore } from "../../shared/index.js";
+export class InMemoryCredentialRepository {
+    providers = new InMemoryStore();
+    credentials = new CollectionStore();
+    addProvider(provider) {
+        this.providers.set(provider.id, provider);
+    }
+    addCredential(credential) {
+        this.credentials.append(credential.providerId, credential);
+    }
+    getCredentials(providerId) {
+        return this.credentials.getAll(providerId);
+    }
+}

package/dist/hsm/application/asymmetric-key-service.d.ts

@@ -0,0 +1,23 @@
+import type { HsmKeyPair, HsmSignatureResult } from "../domain/entities.js";
+import type { AuditLog, KeyStore } from "../domain/ports.js";
+/**
+ * EC P-256 asymmetric operations — signing, verification, key export.
+ *
+ * Mirrors a PKCS#11 CKM_ECDSA / CKM_EC_KEY_PAIR_GEN subset.
+ * Ref: PKCS#11 v3.1, §2.3.6 — https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.1/pkcs11-curr-v3.1.html
+ *
+ * Note: Domain entities store keys as PEM strings (infrastructure-agnostic).
+ * This service converts to/from KeyObject for cryptographic operations.
+ */
+export declare class AsymmetricKeyService {
+    private readonly keyStore;
+    private readonly audit;
+    private readonly slotId;
+    constructor(keyStore: KeyStore, audit: AuditLog, slotId: string);
+    generateKeyPair(keyLabel: string): HsmKeyPair;
+    sign(keyLabel: string, data: string): HsmSignatureResult;
+    verify(keyLabel: string, data: string, signature: string): boolean;
+    exportPublicKey(keyLabel: string): string;
+    private requireAsymmetric;
+}
+//# sourceMappingURL=asymmetric-key-service.d.ts.map

package/dist/hsm/application/asymmetric-key-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"asymmetric-key-service.d.ts","sourceRoot":"","sources":["../../../src/hsm/application/asymmetric-key-service.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAEV,UAAU,EACV,kBAAkB,EACnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE7D;;;;;;;;GAQG;AACH,qBAAa,oBAAoB;IAE7B,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,MAAM;IAGjC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU;IA8C7C,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,kBAAkB;IA4BxD,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAoBlE,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAMzC,OAAO,CAAC,iBAAiB;CAY1B"}

package/dist/hsm/application/asymmetric-key-service.js

@@ -0,0 +1,109 @@
+import { createPrivateKey, createPublicKey, createSign, createVerify, generateKeyPairSync, randomBytes, } from "node:crypto";
+import { sha256hex } from "../../shared/crypto.js";
+/**
+ * EC P-256 asymmetric operations — signing, verification, key export.
+ *
+ * Mirrors a PKCS#11 CKM_ECDSA / CKM_EC_KEY_PAIR_GEN subset.
+ * Ref: PKCS#11 v3.1, §2.3.6 — https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.1/pkcs11-curr-v3.1.html
+ *
+ * Note: Domain entities store keys as PEM strings (infrastructure-agnostic).
+ * This service converts to/from KeyObject for cryptographic operations.
+ */
+export class AsymmetricKeyService {
+    keyStore;
+    audit;
+    slotId;
+    constructor(keyStore, audit, slotId) {
+        this.keyStore = keyStore;
+        this.audit = audit;
+        this.slotId = slotId;
+    }
+    generateKeyPair(keyLabel) {
+        if (this.keyStore.has(keyLabel)) {
+            throw new Error(`HSM key already exists: ${keyLabel}`);
+        }
+        const { privateKey, publicKey } = generateKeyPairSync("ec", {
+            namedCurve: "P-256",
+        });
+        const createdAt = new Date().toISOString();
+        const handle = `hsm:${this.slotId}:${keyLabel}:${randomBytes(8).toString("hex")}`;
+        // Export to PEM for storage (domain stays infrastructure-agnostic)
+        const privateKeyPem = privateKey.export({
+            type: "pkcs8",
+            format: "pem",
+        });
+        const publicKeyPem = publicKey.export({
+            type: "spki",
+            format: "pem",
+        });
+        // Type guard: PEM format always returns string
+        if (typeof privateKeyPem !== "string" || typeof publicKeyPem !== "string") {
+            throw new Error("HSM: unexpected binary output from PEM export");
+        }
+        this.keyStore.set(keyLabel, {
+            kind: "asymmetric",
+            keyLabel,
+            privateKeyPem,
+            publicKeyPem,
+            namedCurve: "P-256",
+            createdAt,
+        });
+        this.audit.record("generateKeyPair", keyLabel, "success");
+        return {
+            keyLabel,
+            keyType: "EC",
+            namedCurve: "P-256",
+            publicKeyPem,
+            privateKeyHandle: handle,
+            createdAt,
+        };
+    }
+    sign(keyLabel, data) {
+        const entry = this.requireAsymmetric(keyLabel);
+        const timestamp = new Date().toISOString();
+        // Convert PEM back to KeyObject for signing
+        const privateKey = createPrivateKey(entry.privateKeyPem);
+        const signer = createSign("SHA256");
+        signer.update(data);
+        signer.end();
+        const signature = signer.sign(privateKey).toString("hex");
+        const hsmAttestation = sha256hex(`${this.slotId}:${keyLabel}:${timestamp}:${signature}`);
+        this.audit.record("sign", keyLabel, "success");
+        return {
+            keyLabel,
+            algorithm: "ecdsa-sha256",
+            signature,
+            publicKeyPem: entry.publicKeyPem,
+            timestamp,
+            hsmAttestation,
+        };
+    }
+    verify(keyLabel, data, signature) {
+        const entry = this.requireAsymmetric(keyLabel);
+        // Convert PEM back to KeyObject for verification
+        const publicKey = createPublicKey(entry.publicKeyPem);
+        const verifier = createVerify("SHA256");
+        verifier.update(data);
+        verifier.end();
+        const valid = verifier.verify(publicKey, Buffer.from(signature, "hex"));
+        this.audit.record("verify", keyLabel, "success", valid ? "valid" : "invalid");
+        return valid;
+    }
+    exportPublicKey(keyLabel) {
+        const entry = this.requireAsymmetric(keyLabel);
+        this.audit.record("exportPublicKey", keyLabel, "success");
+        return entry.publicKeyPem;
+    }
+    requireAsymmetric(keyLabel) {
+        const entry = this.keyStore.get(keyLabel);
+        if (!entry) {
+            this.audit.record("keyLookup", keyLabel, "failed", "key not found");
+            throw new Error(`HSM key not found: ${keyLabel}`);
+        }
+        if (entry.kind !== "asymmetric") {
+            this.audit.record("keyLookup", keyLabel, "failed", "unexpected key type");
+            throw new Error(`HSM key '${keyLabel}' is not an asymmetric key`);
+        }
+        return entry;
+    }
+}

package/dist/hsm/application/envelope-encryption-service.d.ts

@@ -0,0 +1,18 @@
+import type { EncryptedRecord, EnvelopeEncryptionResult, WrappedKey } from "../domain/entities.js";
+import type { AuditLog } from "../domain/ports.js";
+import type { SymmetricKeyService } from "./symmetric-key-service.js";
+/**
+ * DEK/KEK envelope encryption — ephemeral DEK wrapped by a stored KEK.
+ *
+ * The resulting ciphertext is suitable for storage on a distributed ledger:
+ *  - encryptedRecord  = AES-256-GCM ciphertext of the payload
+ *  - wrappedDek       = GCM-wrapped DEK (only the HSM can unwrap it)
+ */
+export declare class EnvelopeEncryptionService {
+    private readonly symmetric;
+    private readonly audit;
+    constructor(symmetric: SymmetricKeyService, audit: AuditLog);
+    encrypt(kekLabel: string, plaintext: string): EnvelopeEncryptionResult;
+    decrypt(wrappedDek: WrappedKey, encryptedRecord: EncryptedRecord): string;
+}
+//# sourceMappingURL=envelope-encryption-service.d.ts.map

package/dist/hsm/application/envelope-encryption-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope-encryption-service.d.ts","sourceRoot":"","sources":["../../../src/hsm/application/envelope-encryption-service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,eAAe,EACf,wBAAwB,EACxB,UAAU,EACX,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEtE;;;;;;GAMG;AACH,qBAAa,yBAAyB;IAElC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,KAAK;gBADL,SAAS,EAAE,mBAAmB,EAC9B,KAAK,EAAE,QAAQ;IAGlC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,wBAAwB;IAyBtE,OAAO,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,GAAG,MAAM;CA4B1E"}