@runcore-sh/runcore 0.1.9 → 0.1.10

package/dist/tier/bond.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Bond handshake — establishes trust after activation.
+ *
+ * Registration = identity ("I know who you are").
+ * Bonding = trust ("I can verify it's you").
+ *
+ * Flow:
+ * 1. `runcore activate <token>` saves the JWT locally
+ * 2. Immediately calls `bond()` — generates an Ed25519 keypair,
+ *    POSTs the public key + token JTI to the registry
+ * 3. Registry stores the public key alongside the approval record
+ * 4. Admin (Dash) sees "bonded" status on next poll
+ * 5. All future signed messages between instance and registry
+ *    use this keypair — freeze acks, heartbeat signatures, etc.
+ *
+ * The token is a one-time introducer. The keypair is the ongoing relationship.
+ */
+interface BondKeys {
+    publicKey: string;
+    privateKey: string;
+    fingerprint: string;
+    bondedAt: string;
+}
+/** Load existing bond keys, or null if not yet bonded. */
+export declare function loadBondKeys(root: string): Promise<BondKeys | null>;
+/** Check if this instance has completed bonding. */
+export declare function isBonded(root: string): Promise<boolean>;
+/**
+ * Execute the bond handshake.
+ * Called immediately after `runcore activate <token>`.
+ *
+ * 1. Generate keypair (or load existing)
+ * 2. POST public key + JTI to registry
+ * 3. Save keys locally on success
+ */
+export declare function bond(root: string, jwt: string, jti: string): Promise<{
+    fingerprint: string;
+    bonded: boolean;
+}>;
+/**
+ * Sign a message with this instance's bond private key.
+ * Used for authenticated communication after bonding.
+ */
+export declare function signMessage(root: string, message: string): Promise<string | null>;
+/**
+ * Verify a message signed by another instance's bond key.
+ * Used by the registry to verify instance identity.
+ */
+export declare function verifyMessage(message: string, signature: string, publicKeyPem: string): boolean;
+export {};
+//# sourceMappingURL=bond.d.ts.map

package/dist/tier/bond.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bond.d.ts","sourceRoot":"","sources":["../../src/tier/bond.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAWH,UAAU,QAAQ;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AA+BD,0DAA0D;AAC1D,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CASzE;AASD,oDAAoD;AACpD,wBAAsB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG7D;AAED;;;;;;;GAOG;AACH,wBAAsB,IAAI,CACxB,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAE,CAAC,CA2BnD;AA4BD;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,GACnB,OAAO,CAQT"}

package/dist/tier/bond.js

@@ -0,0 +1,154 @@
+/**
+ * Bond handshake — establishes trust after activation.
+ *
+ * Registration = identity ("I know who you are").
+ * Bonding = trust ("I can verify it's you").
+ *
+ * Flow:
+ * 1. `runcore activate <token>` saves the JWT locally
+ * 2. Immediately calls `bond()` — generates an Ed25519 keypair,
+ *    POSTs the public key + token JTI to the registry
+ * 3. Registry stores the public key alongside the approval record
+ * 4. Admin (Dash) sees "bonded" status on next poll
+ * 5. All future signed messages between instance and registry
+ *    use this keypair — freeze acks, heartbeat signatures, etc.
+ *
+ * The token is a one-time introducer. The keypair is the ongoing relationship.
+ */
+import { generateKeyPairSync, createSign, createVerify } from "node:crypto";
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("bond");
+const REGISTRY_URL = "https://runcore.sh/api/registry";
+const KEYS_DIR = ".core";
+const KEYS_FILE = "bond-keys.json";
+function keysPath(root) {
+    return join(root, "brain", KEYS_DIR, KEYS_FILE);
+}
+/** Generate a new Ed25519 keypair for this instance. */
+function generateBondKeys() {
+    const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    // Fingerprint = first 16 chars of base64-encoded public key body
+    const pubBody = publicKey
+        .replace("-----BEGIN PUBLIC KEY-----", "")
+        .replace("-----END PUBLIC KEY-----", "")
+        .replace(/\s/g, "");
+    const fingerprint = pubBody.slice(0, 16);
+    return {
+        publicKey,
+        privateKey,
+        fingerprint,
+        bondedAt: new Date().toISOString(),
+    };
+}
+/** Load existing bond keys, or null if not yet bonded. */
+export async function loadBondKeys(root) {
+    const path = keysPath(root);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = await readFile(path, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Save bond keys to disk. */
+async function saveBondKeys(root, keys) {
+    const dir = join(root, "brain", KEYS_DIR);
+    await mkdir(dir, { recursive: true });
+    await writeFile(keysPath(root), JSON.stringify(keys, null, 2), "utf-8");
+}
+/** Check if this instance has completed bonding. */
+export async function isBonded(root) {
+    const keys = await loadBondKeys(root);
+    return keys !== null;
+}
+/**
+ * Execute the bond handshake.
+ * Called immediately after `runcore activate <token>`.
+ *
+ * 1. Generate keypair (or load existing)
+ * 2. POST public key + JTI to registry
+ * 3. Save keys locally on success
+ */
+export async function bond(root, jwt, jti) {
+    // Check for existing bond
+    let keys = await loadBondKeys(root);
+    if (keys) {
+        log.info(`Already bonded (fingerprint: ${keys.fingerprint})`);
+        // Re-announce to registry in case it missed us
+        await announceToRegistry(jwt, keys);
+        return { fingerprint: keys.fingerprint, bonded: true };
+    }
+    // Generate new keypair
+    log.info("Generating bond keypair...");
+    keys = generateBondKeys();
+    // Announce to registry
+    const success = await announceToRegistry(jwt, keys);
+    if (!success) {
+        log.warn("Bond handshake failed — will retry on next heartbeat");
+        // Save keys locally anyway — we'll retry the announcement
+        await saveBondKeys(root, keys);
+        return { fingerprint: keys.fingerprint, bonded: false };
+    }
+    // Save keys
+    await saveBondKeys(root, keys);
+    log.info(`Bonded successfully (fingerprint: ${keys.fingerprint})`);
+    return { fingerprint: keys.fingerprint, bonded: true };
+}
+/** POST public key to the registry bond endpoint. */
+async function announceToRegistry(jwt, keys) {
+    try {
+        const res = await fetch(`${REGISTRY_URL}/bond`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${jwt}`,
+            },
+            body: JSON.stringify({
+                publicKey: keys.publicKey,
+                fingerprint: keys.fingerprint,
+                bondedAt: keys.bondedAt,
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+        return res.ok;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Sign a message with this instance's bond private key.
+ * Used for authenticated communication after bonding.
+ */
+export async function signMessage(root, message) {
+    const keys = await loadBondKeys(root);
+    if (!keys)
+        return null;
+    const signer = createSign("Ed25519");
+    signer.update(message);
+    return signer.sign(keys.privateKey, "base64url");
+}
+/**
+ * Verify a message signed by another instance's bond key.
+ * Used by the registry to verify instance identity.
+ */
+export function verifyMessage(message, signature, publicKeyPem) {
+    try {
+        const verifier = createVerify("Ed25519");
+        verifier.update(message);
+        return verifier.verify(publicKeyPem, Buffer.from(signature, "base64url"));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=bond.js.map

package/dist/tier/bond.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bond.js","sourceRoot":"","sources":["../../src/tier/bond.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AACjC,MAAM,YAAY,GAAG,iCAAiC,CAAC;AASvD,MAAM,QAAQ,GAAG,OAAO,CAAC;AACzB,MAAM,SAAS,GAAG,gBAAgB,CAAC;AAEnC,SAAS,QAAQ,CAAC,IAAY;IAC5B,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AAClD,CAAC;AAED,wDAAwD;AACxD,SAAS,gBAAgB;IACvB,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,EAAE;QAC/D,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IAEH,iEAAiE;IACjE,MAAM,OAAO,GAAG,SAAS;SACtB,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC;SACzC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;SACvC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtB,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEzC,OAAO;QACL,SAAS;QACT,UAAU;QACV,WAAW;QACX,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC;AACJ,CAAC;AAED,0DAA0D;AAC1D,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAY;IAC7C,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8BAA8B;AAC9B,KAAK,UAAU,YAAY,CAAC,IAAY,EAAE,IAAc;IACtD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AAC1E,CAAC;AAED,oDAAoD;AACpD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAY;IACzC,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,OAAO,IAAI,KAAK,IAAI,CAAC;AACvB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CACxB,IAAY,EACZ,GAAW,EACX,GAAW;IAEX,0BAA0B;IAC1B,IAAI,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,IAAI,EAAE,CAAC;QACT,GAAG,CAAC,IAAI,CAAC,gCAAgC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC;QAC9D,+CAA+C;QAC/C,MAAM,kBAAkB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACpC,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACzD,CAAC;IAED,uBAAuB;IACvB,GAAG,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACvC,IAAI,GAAG,gBAAgB,EAAE,CAAC;IAE1B,uBAAuB;IACvB,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACpD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QACjE,0DAA0D;QAC1D,MAAM,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/B,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC1D,CAAC;IAED,YAAY;IACZ,MAAM,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC/B,GAAG,CAAC,IAAI,CAAC,qCAAqC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC;IACnE,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACzD,CAAC;AAED,qDAAqD;AACrD,KAAK,UAAU,kBAAkB,CAC/B,GAAW,EACX,IAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,OAAO,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,GAAG,EAAE;aAC/B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QAEH,OAAO,GAAG,CAAC,EAAE,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACrC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,OAAe,EACf,SAAiB,EACjB,YAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;QACzC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC;IAC5E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/tier/freeze.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Freeze — dormant mode for agents.
+ *
+ * When a freeze signal arrives (via heartbeat or local endpoint):
+ * 1. All agents go dormant (mid-task, mid-token — frozen, not killed)
+ * 2. Metabolic pulses pause
+ * 3. No new work starts
+ * 4. State is preserved for triage
+ *
+ * The operator then reviews the frozen field and selectively resumes.
+ */
+import type { FreezeSignal } from "./types.js";
+export declare function isFrozen(): boolean;
+export declare function getFreezeSignal(): FreezeSignal | null;
+export declare function onFreeze(listener: (signal: FreezeSignal) => void): void;
+export declare function onThaw(listener: () => void): void;
+/** Freeze all agents. Called by heartbeat handler or local /api/freeze endpoint. */
+export declare function freeze(signal: FreezeSignal, root: string): Promise<void>;
+/** Thaw — resume operations after operator review. */
+export declare function thaw(root: string): Promise<void>;
+//# sourceMappingURL=freeze.d.ts.map

package/dist/tier/freeze.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"freeze.d.ts","sourceRoot":"","sources":["../../src/tier/freeze.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM/C,wBAAgB,QAAQ,IAAI,OAAO,CAElC;AAED,wBAAgB,eAAe,IAAI,YAAY,GAAG,IAAI,CAErD;AAED,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,YAAY,KAAK,IAAI,GAAG,IAAI,CAEvE;AAED,wBAAgB,MAAM,CAAC,QAAQ,EAAE,MAAM,IAAI,GAAG,IAAI,CAEjD;AAED,oFAAoF;AACpF,wBAAsB,MAAM,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0B9E;AAED,sDAAsD;AACtD,wBAAsB,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAwBtD"}

package/dist/tier/freeze.js

@@ -0,0 +1,73 @@
+/**
+ * Freeze — dormant mode for agents.
+ *
+ * When a freeze signal arrives (via heartbeat or local endpoint):
+ * 1. All agents go dormant (mid-task, mid-token — frozen, not killed)
+ * 2. Metabolic pulses pause
+ * 3. No new work starts
+ * 4. State is preserved for triage
+ *
+ * The operator then reviews the frozen field and selectively resumes.
+ */
+import { appendFile } from "node:fs/promises";
+import { join } from "node:path";
+let frozenState = null;
+let freezeListeners = [];
+let thawListeners = [];
+export function isFrozen() {
+    return frozenState !== null;
+}
+export function getFreezeSignal() {
+    return frozenState;
+}
+export function onFreeze(listener) {
+    freezeListeners.push(listener);
+}
+export function onThaw(listener) {
+    thawListeners.push(listener);
+}
+/** Freeze all agents. Called by heartbeat handler or local /api/freeze endpoint. */
+export async function freeze(signal, root) {
+    frozenState = signal;
+    // Log the freeze event
+    const entry = JSON.stringify({
+        type: "freeze",
+        ...signal,
+        frozenAt: new Date().toISOString(),
+    });
+    await appendFile(join(root, "brain", "ops", "audit.jsonl"), entry + "\n").catch(() => { });
+    // Notify all listeners (agent pool, metabolic pulse, work queue)
+    for (const listener of freezeListeners) {
+        try {
+            listener(signal);
+        }
+        catch {
+            // Don't let a listener failure prevent freeze
+        }
+    }
+    console.log(`\n  FROZEN — ${signal.reason}`);
+    console.log(`  Issued by: ${signal.issuedBy} at ${signal.issuedAt}`);
+    console.log(`  All agents dormant. Awaiting operator triage.\n`);
+}
+/** Thaw — resume operations after operator review. */
+export async function thaw(root) {
+    if (!frozenState)
+        return;
+    const entry = JSON.stringify({
+        type: "thaw",
+        previousFreeze: frozenState.jti,
+        thawedAt: new Date().toISOString(),
+    });
+    await appendFile(join(root, "brain", "ops", "audit.jsonl"), entry + "\n").catch(() => { });
+    frozenState = null;
+    for (const listener of thawListeners) {
+        try {
+            listener();
+        }
+        catch {
+            // Don't let a listener failure prevent thaw
+        }
+    }
+    console.log("  THAWED — operations resuming.\n");
+}
+//# sourceMappingURL=freeze.js.map

package/dist/tier/freeze.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"freeze.js","sourceRoot":"","sources":["../../src/tier/freeze.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,IAAI,WAAW,GAAwB,IAAI,CAAC;AAC5C,IAAI,eAAe,GAA0C,EAAE,CAAC;AAChE,IAAI,aAAa,GAAsB,EAAE,CAAC;AAE1C,MAAM,UAAU,QAAQ;IACtB,OAAO,WAAW,KAAK,IAAI,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,QAAwC;IAC/D,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,QAAoB;IACzC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,oFAAoF;AACpF,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,MAAoB,EAAE,IAAY;IAC7D,WAAW,GAAG,MAAM,CAAC;IAErB,uBAAuB;IACvB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC;QAC3B,IAAI,EAAE,QAAQ;QACd,GAAG,MAAM;QACT,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;IACH,MAAM,UAAU,CACd,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,CAAC,EACzC,KAAK,GAAG,IAAI,CACb,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAElB,iEAAiE;IACjE,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,QAAQ,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;AACnE,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAY;IACrC,IAAI,CAAC,WAAW;QAAE,OAAO;IAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC;QAC3B,IAAI,EAAE,MAAM;QACZ,cAAc,EAAE,WAAW,CAAC,GAAG;QAC/B,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;IACH,MAAM,UAAU,CACd,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,CAAC,EACzC,KAAK,GAAG,IAAI,CACb,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAElB,WAAW,GAAG,IAAI,CAAC;IAEnB,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,QAAQ,EAAE,CAAC;QACb,CAAC;QAAC,MAAM,CAAC;YACP,4CAA4C;QAC9C,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;AACnD,CAAC"}

package/dist/tier/gate.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Capability gate — checks tier before allowing features.
+ */
+import { type TierName } from "./types.js";
+export declare function meetsMinimum(current: TierName, required: TierName): boolean;
+export declare function canServe(tier: TierName): boolean;
+export declare function canMesh(tier: TierName): boolean;
+export declare function canSpawn(tier: TierName): boolean;
+export declare function canAlert(tier: TierName): boolean;
+export declare function requireTier(current: TierName, required: TierName): void;
+//# sourceMappingURL=gate.d.ts.map

package/dist/tier/gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../src/tier/gate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,KAAK,QAAQ,EAAyB,MAAM,YAAY,CAAC;AAElE,wBAAgB,YAAY,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAE3E;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAEhD;AAED,wBAAgB,OAAO,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAE/C;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAEhD;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAEhD;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAMvE"}

package/dist/tier/gate.js

@@ -0,0 +1,25 @@
+/**
+ * Capability gate — checks tier before allowing features.
+ */
+import { TIER_LEVEL, TIER_CAPS } from "./types.js";
+export function meetsMinimum(current, required) {
+    return TIER_LEVEL[current] >= TIER_LEVEL[required];
+}
+export function canServe(tier) {
+    return TIER_CAPS[tier].server;
+}
+export function canMesh(tier) {
+    return TIER_CAPS[tier].mesh;
+}
+export function canSpawn(tier) {
+    return TIER_CAPS[tier].spawning;
+}
+export function canAlert(tier) {
+    return TIER_CAPS[tier].alerting;
+}
+export function requireTier(current, required) {
+    if (!meetsMinimum(current, required)) {
+        throw new Error(`Tier "${required}" required (current: "${current}"). Run \`runcore register\` to upgrade.`);
+    }
+}
+//# sourceMappingURL=gate.js.map

package/dist/tier/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../src/tier/gate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAiB,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAElE,MAAM,UAAU,YAAY,CAAC,OAAiB,EAAE,QAAkB;IAChE,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAc;IACrC,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,IAAc;IACpC,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAc;IACrC,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAc;IACrC,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,OAAiB,EAAE,QAAkB;IAC/D,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,SAAS,QAAQ,yBAAyB,OAAO,0CAA0C,CAC5F,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/tier/heartbeat.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Registry heartbeat — periodic check-in for tier >= byok.
+ *
+ * Reports: version, tier, uptime.
+ * Receives: token validity, freeze signals.
+ * Non-blocking, best-effort. Failures are logged, not fatal.
+ */
+import type { TierName, FreezeSignal } from "./types.js";
+export interface HeartbeatResponse {
+    valid: boolean;
+    frozen?: boolean;
+    freeze?: FreezeSignal;
+    tier?: TierName;
+}
+export type FreezeHandler = (signal: FreezeSignal) => void;
+export type DowngradeHandler = (newTier: TierName) => void;
+export declare function onFreezeSignal(handler: FreezeHandler): void;
+export declare function onTierDowngrade(handler: DowngradeHandler): void;
+export declare function isFrozen(): boolean;
+export declare function startHeartbeat(jwt: string, tier: TierName, root?: string): void;
+export declare function stopHeartbeat(): void;
+//# sourceMappingURL=heartbeat.d.ts.map

package/dist/tier/heartbeat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"heartbeat.d.ts","sourceRoot":"","sources":["../../src/tier/heartbeat.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAWzD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,IAAI,CAAC,EAAE,QAAQ,CAAC;CACjB;AAED,MAAM,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,YAAY,KAAK,IAAI,CAAC;AAC3D,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,EAAE,QAAQ,KAAK,IAAI,CAAC;AAK3D,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,IAAI,CAE3D;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAE/D;AAED,wBAAgB,QAAQ,IAAI,OAAO,CAElC;AAkED,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAmB/E;AAkBD,wBAAgB,aAAa,IAAI,IAAI,CAKpC"}

package/dist/tier/heartbeat.js

@@ -0,0 +1,128 @@
+/**
+ * Registry heartbeat — periodic check-in for tier >= byok.
+ *
+ * Reports: version, tier, uptime.
+ * Receives: token validity, freeze signals.
+ * Non-blocking, best-effort. Failures are logged, not fatal.
+ */
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+const REGISTRY_URL = "https://runcore.sh/api/registry";
+const HEARTBEAT_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours
+const REVALIDATE_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+let heartbeatTimer = null;
+let revalidateTimer = null;
+let startedAt = Date.now();
+let frozen = false;
+let onFreeze = null;
+let onDowngrade = null;
+export function onFreezeSignal(handler) {
+    onFreeze = handler;
+}
+export function onTierDowngrade(handler) {
+    onDowngrade = handler;
+}
+export function isFrozen() {
+    return frozen;
+}
+function getVersion() {
+    try {
+        const pkg = JSON.parse(readFileSync(join(import.meta.dirname, "../../package.json"), "utf-8"));
+        return pkg.version ?? "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+async function sendHeartbeat(jwt, tier) {
+    try {
+        const res = await fetch(`${REGISTRY_URL}/heartbeat`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${jwt}`,
+            },
+            body: JSON.stringify({
+                version: getVersion(),
+                tier,
+                uptime: Math.floor((Date.now() - startedAt) / 1000),
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!res.ok)
+            return;
+        const data = (await res.json());
+        if (data.frozen && data.freeze) {
+            frozen = true;
+            onFreeze?.(data.freeze);
+        }
+        if (!data.valid) {
+            // Token revoked — downgrade to local
+            onDowngrade?.("local");
+        }
+        if (data.tier && data.tier !== tier) {
+            // Tier changed (upgrade or downgrade by admin)
+            onDowngrade?.(data.tier);
+        }
+    }
+    catch {
+        // Best effort — swallow network errors
+    }
+}
+async function revalidateToken(jwt) {
+    try {
+        const res = await fetch(`${REGISTRY_URL}/validate`, {
+            headers: { Authorization: `Bearer ${jwt}` },
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!res.ok)
+            return false;
+        const data = (await res.json());
+        return data.valid === true;
+    }
+    catch {
+        return true; // Assume valid if we can't reach registry (offline-first)
+    }
+}
+export function startHeartbeat(jwt, tier, root) {
+    startedAt = Date.now();
+    // Retry bond if not yet confirmed
+    if (root) {
+        retryBondIfNeeded(root, jwt).catch(() => { });
+    }
+    // Immediate first heartbeat
+    sendHeartbeat(jwt, tier);
+    heartbeatTimer = setInterval(() => sendHeartbeat(jwt, tier), HEARTBEAT_INTERVAL_MS);
+    heartbeatTimer.unref();
+    revalidateTimer = setInterval(async () => {
+        const valid = await revalidateToken(jwt);
+        if (!valid)
+            onDowngrade?.("local");
+    }, REVALIDATE_INTERVAL_MS);
+    revalidateTimer.unref();
+}
+/** Retry bond announcement if keys exist locally but registry hasn't confirmed. */
+async function retryBondIfNeeded(root, jwt) {
+    try {
+        const { loadBondKeys, bond } = await import("./bond.js");
+        const keys = await loadBondKeys(root);
+        if (!keys)
+            return; // No keys = not activated yet, nothing to retry
+        // Try to announce again — bond() handles the idempotency
+        const parts = jwt.split(".");
+        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+        await bond(root, jwt, payload.jti);
+    }
+    catch {
+        // Best effort
+    }
+}
+export function stopHeartbeat() {
+    if (heartbeatTimer)
+        clearInterval(heartbeatTimer);
+    if (revalidateTimer)
+        clearInterval(revalidateTimer);
+    heartbeatTimer = null;
+    revalidateTimer = null;
+}
+//# sourceMappingURL=heartbeat.js.map

package/dist/tier/heartbeat.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"heartbeat.js","sourceRoot":"","sources":["../../src/tier/heartbeat.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,YAAY,GAAG,iCAAiC,CAAC;AACvD,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAC5D,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AAE/D,IAAI,cAAc,GAA0C,IAAI,CAAC;AACjE,IAAI,eAAe,GAA0C,IAAI,CAAC;AAClE,IAAI,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AAC3B,IAAI,MAAM,GAAG,KAAK,CAAC;AAYnB,IAAI,QAAQ,GAAyB,IAAI,CAAC;AAC1C,IAAI,WAAW,GAA4B,IAAI,CAAC;AAEhD,MAAM,UAAU,cAAc,CAAC,OAAsB;IACnD,QAAQ,GAAG,OAAO,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAyB;IACvD,WAAW,GAAG,OAAO,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,QAAQ;IACtB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,oBAAoB,CAAC,EAAE,OAAO,CAAC,CACvE,CAAC;QACF,OAAO,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,IAAc;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,YAAY,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,GAAG,EAAE;aAC/B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,UAAU,EAAE;gBACrB,IAAI;gBACJ,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC;aACpD,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO;QAEpB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAsB,CAAC;QAErD,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,GAAG,IAAI,CAAC;YACd,QAAQ,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,qCAAqC;YACrC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACpC,+CAA+C;YAC/C,WAAW,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;IACzC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,WAAW,EAAE;YAClD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;YAC3C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;QACtD,OAAO,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,0DAA0D;IACzE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,IAAc,EAAE,IAAa;IACvE,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,kCAAkC;IAClC,IAAI,IAAI,EAAE,CAAC;QACT,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,4BAA4B;IAC5B,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAEzB,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,qBAAqB,CAAC,CAAC;IACpF,cAAc,CAAC,KAAK,EAAE,CAAC;IAEvB,eAAe,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;QACvC,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK;YAAE,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC,EAAE,sBAAsB,CAAC,CAAC;IAC3B,eAAe,CAAC,KAAK,EAAE,CAAC;AAC1B,CAAC;AAED,mFAAmF;AACnF,KAAK,UAAU,iBAAiB,CAAC,IAAY,EAAE,GAAW;IACxD,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,CAAC,gDAAgD;QAEnE,yDAAyD;QACzD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACjF,MAAM,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,IAAI,cAAc;QAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAClD,IAAI,eAAe;QAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IACpD,cAAc,GAAG,IAAI,CAAC;IACtB,eAAe,GAAG,IAAI,CAAC;AACzB,CAAC"}

package/dist/tier/token.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Activation token — Ed25519 signed JWT, offline-verifiable.
+ *
+ * Private key lives in the registry backend (Dash's dead drop / Cloudflare Worker).
+ * Public key ships in this package. Tokens validate without network.
+ * Revocation is checked periodically (24h) via registry heartbeat.
+ */
+import { type ActivationToken, type TierName } from "./types.js";
+/** Sign a JWT with Ed25519 private key (used by Dash / registry backend) */
+export declare function signToken(payload: ActivationToken, privateKeyPem: string): string;
+/** Load and validate the local activation token. Returns null if none or invalid. */
+export declare function loadActivationToken(root: string): Promise<{
+    token: ActivationToken;
+    raw: string;
+} | null>;
+/** Store an activation token to disk */
+export declare function saveActivationToken(root: string, jwt: string): Promise<ActivationToken>;
+/** Get the current tier from the stored token, defaulting to "local" */
+export declare function currentTier(root: string): Promise<TierName>;
+/** Set a custom public key (for testing or key rotation) */
+export declare function setPublicKey(pem: string): void;
+//# sourceMappingURL=token.d.ts.map

package/dist/tier/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/tier/token.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,KAAK,eAAe,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,CAAC;AAsCjE,4EAA4E;AAC5E,wBAAgB,SAAS,CACvB,OAAO,EAAE,eAAe,EACxB,aAAa,EAAE,MAAM,GACpB,MAAM,CAUR;AAED,qFAAqF;AACrF,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,KAAK,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAqBzD;AAED,wCAAwC;AACxC,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,eAAe,CAAC,CAU1B;AAED,wEAAwE;AACxE,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAGjE;AAED,4DAA4D;AAC5D,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAG9C"}

package/dist/tier/token.js

@@ -0,0 +1,100 @@
+/**
+ * Activation token — Ed25519 signed JWT, offline-verifiable.
+ *
+ * Private key lives in the registry backend (Dash's dead drop / Cloudflare Worker).
+ * Public key ships in this package. Tokens validate without network.
+ * Revocation is checked periodically (24h) via registry heartbeat.
+ */
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { join } from "node:path";
+import { createVerify, createSign } from "node:crypto";
+// Ed25519 public key — embedded in package, used for offline token verification.
+// Replace with real key after generating the keypair.
+const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAPLACENTER_REAL_KEY_HERE_AFTER_KEYGEN=
+-----END PUBLIC KEY-----`;
+const TOKEN_DIR = ".core";
+const TOKEN_FILE = "activation.json";
+function tokenPath(root) {
+    return join(root, "brain", TOKEN_DIR, TOKEN_FILE);
+}
+/** Decode a compact JWT (header.payload.signature) without verification */
+function decodePayload(jwt) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3)
+        throw new Error("Invalid token format");
+    const payload = Buffer.from(parts[1], "base64url").toString("utf-8");
+    return JSON.parse(payload);
+}
+/** Verify Ed25519 signature on a JWT */
+function verifySignature(jwt, publicKey) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3)
+        return false;
+    const data = `${parts[0]}.${parts[1]}`;
+    const signature = Buffer.from(parts[2], "base64url");
+    const verifier = createVerify("Ed25519");
+    verifier.update(data);
+    try {
+        return verifier.verify(publicKey, signature);
+    }
+    catch {
+        return false;
+    }
+}
+/** Sign a JWT with Ed25519 private key (used by Dash / registry backend) */
+export function signToken(payload, privateKeyPem) {
+    const header = Buffer.from(JSON.stringify({ alg: "EdDSA", typ: "JWT" })).toString("base64url");
+    const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
+    const data = `${header}.${body}`;
+    const signer = createSign("Ed25519");
+    signer.update(data);
+    const signature = signer.sign(privateKeyPem, "base64url");
+    return `${data}.${signature}`;
+}
+/** Load and validate the local activation token. Returns null if none or invalid. */
+export async function loadActivationToken(root) {
+    try {
+        const raw = (await readFile(tokenPath(root), "utf-8")).trim();
+        if (!raw)
+            return null;
+        if (!verifySignature(raw, PUBLIC_KEY_PEM)) {
+            console.warn("  Activation token has invalid signature — ignoring.");
+            return null;
+        }
+        const token = decodePayload(raw);
+        if (new Date(token.expires) < new Date()) {
+            console.warn("  Activation token expired — running as Local tier.");
+            return null;
+        }
+        return { token, raw };
+    }
+    catch {
+        return null;
+    }
+}
+/** Store an activation token to disk */
+export async function saveActivationToken(root, jwt) {
+    if (!verifySignature(jwt, PUBLIC_KEY_PEM)) {
+        throw new Error("Token signature verification failed. Token not saved.");
+    }
+    const token = decodePayload(jwt);
+    const dir = join(root, "brain", TOKEN_DIR);
+    await mkdir(dir, { recursive: true });
+    await writeFile(tokenPath(root), jwt, "utf-8");
+    return token;
+}
+/** Get the current tier from the stored token, defaulting to "local" */
+export async function currentTier(root) {
+    const result = await loadActivationToken(root);
+    return result?.token.tier ?? "local";
+}
+/** Set a custom public key (for testing or key rotation) */
+export function setPublicKey(pem) {
+    // Only used in test — production uses the embedded key
+    globalThis.__CORE_TIER_PUBKEY = pem;
+}
+function getPublicKey() {
+    return globalThis.__CORE_TIER_PUBKEY ?? PUBLIC_KEY_PEM;
+}
+//# sourceMappingURL=token.js.map