@sempdev/semp 0.4.3

package/dist/discovery/configuration.js

@@ -0,0 +1,146 @@
+/**
+ * Well-known configuration document parsing per DISCOVERY.md §3.1.
+ *
+ * The bootstrapping path `/.well-known/semp/configuration` returns a
+ * JSON document that describes a server's capabilities, transport
+ * endpoints, API endpoints, and supported extensions. This module
+ * provides a typed shape and a validator that enforces the §3.2
+ * "fixed by the protocol" rules:
+ *
+ *  - `type` MUST be `"SEMP_CONFIGURATION"`
+ *  - `endpoints.client` and `endpoints.federation` MUST each contain
+ *    at least an `h2` entry
+ *  - `endpoints.register`, `endpoints.keys`, `endpoints.domain_keys`
+ *    MUST be present
+ *  - `suites` MUST contain at least `x25519-chacha20-poly1305`
+ *  - `limits.max_envelope_size` MUST be present
+ *
+ * Unknown fields are preserved on the typed object via the
+ * index signature so callers can read forward-compatible additions
+ * without requiring a parser update.
+ *
+ * @module
+ */
+/** Canonical well-known path. Fixed by the protocol per §3. */
+export const WellKnownPath = "/.well-known/semp/configuration";
+/** Document `type` discriminator. */
+export const ConfigurationType = "SEMP_CONFIGURATION";
+/**
+ * Maximum byte size accepted for a fetched well-known body. 64 KiB
+ * is large enough for any reasonable configuration (including rich
+ * extension maps) without letting a hostile server feed us
+ * gigabytes.
+ */
+export const WellKnownMaxBytes = 64 * 1024;
+/**
+ * Validate and narrow a parsed JSON value into a {@link Configuration}.
+ * Throws with a descriptive message on the first protocol violation.
+ *
+ * The validator enforces the §3.2 mandatory-fixed rules (h2 baseline,
+ * x25519 baseline, max_envelope_size present) but is permissive about
+ * unknown fields per §3.1 ("Implementations MUST ignore unknown
+ * fields rather than failing").
+ */
+export function parseConfiguration(value) {
+    if (!isRecord(value)) {
+        throw new Error("configuration: not a JSON object");
+    }
+    if (value.type !== ConfigurationType) {
+        throw new Error(`configuration: type ${JSON.stringify(value.type)}, want ${ConfigurationType}`);
+    }
+    requireString(value, "version");
+    requireString(value, "domain");
+    requireInt(value, "revision");
+    requireInt(value, "ttl_seconds");
+    const endpoints = requireObject(value, "endpoints");
+    const client = requireTransportMap(endpoints, "endpoints.client");
+    const federation = requireTransportMap(endpoints, "endpoints.federation");
+    if (typeof client.h2 !== "string" || client.h2 === "") {
+        throw new Error("configuration: endpoints.client.h2 missing (mandatory baseline)");
+    }
+    if (typeof federation.h2 !== "string" || federation.h2 === "") {
+        throw new Error("configuration: endpoints.federation.h2 missing (mandatory baseline)");
+    }
+    requireString(endpoints, "register");
+    requireString(endpoints, "keys");
+    requireString(endpoints, "domain_keys");
+    const suites = requireStringArray(value, "suites");
+    if (!suites.includes("x25519-chacha20-poly1305")) {
+        throw new Error("configuration: suites missing x25519-chacha20-poly1305 (mandatory baseline)");
+    }
+    const limits = requireObject(value, "limits");
+    requireInt(limits, "max_envelope_size");
+    // Extensions optional per §3.1.4.
+    if (value.extensions !== undefined) {
+        if (!Array.isArray(value.extensions)) {
+            throw new Error("configuration: extensions: not an array");
+        }
+        for (let i = 0; i < value.extensions.length; i++) {
+            const ext = value.extensions[i];
+            if (!isRecord(ext)) {
+                throw new Error(`configuration: extensions[${i}]: not an object`);
+            }
+            if (typeof ext.id !== "string" || ext.id === "") {
+                throw new Error(`configuration: extensions[${i}].id missing`);
+            }
+            if (typeof ext.required !== "boolean") {
+                throw new Error(`configuration: extensions[${i}].required must be boolean`);
+            }
+        }
+    }
+    return value;
+}
+// ---------------------------------------------------------------------------
+// Tiny type-narrowing helpers shared with domain_keys.ts.
+export function isRecord(v) {
+    return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+export function requireString(obj, key) {
+    const v = obj[key];
+    if (typeof v !== "string" || v === "") {
+        throw new Error(`configuration: ${key}: missing or not a non-empty string`);
+    }
+    return v;
+}
+export function requireInt(obj, key) {
+    const v = obj[key];
+    if (typeof v !== "number" || !Number.isInteger(v)) {
+        throw new Error(`configuration: ${key}: missing or not an integer`);
+    }
+    return v;
+}
+export function requireObject(obj, key) {
+    const v = obj[key];
+    if (!isRecord(v)) {
+        throw new Error(`configuration: ${key}: missing or not an object`);
+    }
+    return v;
+}
+export function requireStringArray(obj, key) {
+    const v = obj[key];
+    if (!Array.isArray(v)) {
+        throw new Error(`configuration: ${key}: missing or not an array`);
+    }
+    for (let i = 0; i < v.length; i++) {
+        if (typeof v[i] !== "string") {
+            throw new Error(`configuration: ${key}[${i}]: not a string`);
+        }
+    }
+    return v;
+}
+function requireTransportMap(obj, key) {
+    // The path here is a dotted key like "endpoints.client" but the
+    // actual lookup is the leaf segment.
+    const leaf = key.split(".").pop() ?? key;
+    const v = obj[leaf];
+    if (!isRecord(v)) {
+        throw new Error(`configuration: ${key}: missing or not an object`);
+    }
+    for (const [k, val] of Object.entries(v)) {
+        if (typeof val !== "string" || val === "") {
+            throw new Error(`configuration: ${key}.${k}: not a non-empty string`);
+        }
+    }
+    return v;
+}
+//# sourceMappingURL=configuration.js.map

package/dist/discovery/configuration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configuration.js","sourceRoot":"","sources":["../../src/discovery/configuration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,+DAA+D;AAC/D,MAAM,CAAC,MAAM,aAAa,GAAG,iCAAiC,CAAC;AAE/D,qCAAqC;AACrC,MAAM,CAAC,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,EAAE,GAAG,IAAI,CAAC;AAsD3C;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,uBAAuB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,iBAAiB,EAAE,CAC/E,CAAC;IACJ,CAAC;IACD,aAAa,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAChC,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC/B,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC9B,UAAU,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;IAEjC,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;IAClE,MAAM,UAAU,GAAG,mBAAmB,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;IAC1E,IAAI,OAAO,MAAM,CAAC,EAAE,KAAK,QAAQ,IAAI,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,OAAO,UAAU,CAAC,EAAE,KAAK,QAAQ,IAAI,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IACD,aAAa,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACrC,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACjC,aAAa,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACnD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC9C,UAAU,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAExC,kCAAkC;IAClC,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACjD,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,kBAAkB,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,IAAI,GAAG,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,cAAc,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,OAAO,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,4BAA4B,CAAC,CAAC;YAC9E,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAiC,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,0DAA0D;AAE1D,MAAM,UAAU,QAAQ,CAAC,CAAU;IACjC,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAA4B,EAAE,GAAW;IACrE,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,qCAAqC,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAA4B,EAAE,GAAW;IAClE,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,6BAA6B,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,GAA4B,EAC5B,GAAW;IAEX,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,4BAA4B,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,GAA4B,EAC5B,GAAW;IAEX,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,2BAA2B,CAAC,CAAC;IACpE,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IACD,OAAO,CAAa,CAAC;AACvB,CAAC;AAED,SAAS,mBAAmB,CAC1B,GAA4B,EAC5B,GAAW;IAEX,gEAAgE;IAChE,qCAAqC;IACrC,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,GAAG,CAAC;IACzC,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;IACpB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,4BAA4B,CAAC,CAAC;IACrE,CAAC;IACD,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IACD,OAAO,CAAuB,CAAC;AACjC,CAAC"}

package/dist/discovery/dns.d.ts

@@ -0,0 +1,56 @@
+/**
+ * DNS lookup helpers per DISCOVERY.md §2.1 + §2.2 + §7.2.
+ *
+ * Provides `lookupSRV`, `lookupTXT`, and `lookupMX` wrappers around
+ * Node's `node:dns/promises` resolver. Tests inject a custom
+ * {@link DNSLookup} implementation.
+ *
+ * This module is Node-only; `defaultDNSLookup` calls into
+ * `node:dns/promises`. Browser / Deno callers must pass a custom
+ * {@link DNSLookup} (e.g. backed by DNS-over-HTTPS).
+ *
+ * @module
+ */
+import { type TXTCapabilities } from "./txt.js";
+/** A parsed _semp._tcp.<domain> SRV record per §2.1. */
+export interface SRVRecord {
+    priority: number;
+    weight: number;
+    port: number;
+    target: string;
+}
+/** A parsed MX record per §7.2. */
+export interface MXRecord {
+    preference: number;
+    exchange: string;
+}
+/**
+ * Narrow DNS interface that {@link lookupSRV} / {@link lookupTXT} /
+ * {@link lookupMX} consume. Tests inject a fake; production callers
+ * use {@link defaultDNSLookup}.
+ */
+export interface DNSLookup {
+    lookupSRV(domain: string): Promise<SRVRecord[]>;
+    lookupTXT(domain: string): Promise<string[]>;
+    lookupMX(domain: string): Promise<MXRecord[]>;
+}
+/**
+ * Default DNS lookup backed by Node's `node:dns/promises`. Throws
+ * a descriptive error in non-Node environments.
+ */
+export declare function defaultDNSLookup(): Promise<DNSLookup>;
+/**
+ * Look up `_semp._tcp.<domain>` SRV records and return them in
+ * priority-ascending order (clients applying weighted random
+ * selection per RFC 2782 sort within a priority group themselves).
+ */
+export declare function lookupSRV(domain: string, lookup?: DNSLookup): Promise<SRVRecord[]>;
+/**
+ * Look up `_semp._tcp.<domain>` TXT records and return the first
+ * one whose `v=` parameter is `semp1`. Returns null when no SEMP
+ * TXT record is published.
+ */
+export declare function lookupTXT(domain: string, lookup?: DNSLookup): Promise<TXTCapabilities | null>;
+/** Look up MX records for `domain`, sorted by preference ascending. */
+export declare function lookupMX(domain: string, lookup?: DNSLookup): Promise<MXRecord[]>;
+//# sourceMappingURL=dns.d.ts.map

package/dist/discovery/dns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dns.d.ts","sourceRoot":"","sources":["../../src/discovery/dns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,eAAe,EAAwB,MAAM,UAAU,CAAC;AAEtE,wDAAwD;AACxD,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,mCAAmC;AACnC,MAAM,WAAW,QAAQ;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IAChD,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;CAC/C;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,SAAS,CAAC,CAqD3D;AAoBD;;;;GAIG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,SAAS,GACjB,OAAO,CAAC,SAAS,EAAE,CAAC,CAKtB;AAED;;;;GAIG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,SAAS,GACjB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAWjC;AAED,uEAAuE;AACvE,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,SAAS,GACjB,OAAO,CAAC,QAAQ,EAAE,CAAC,CAGrB"}

package/dist/discovery/dns.js

@@ -0,0 +1,120 @@
+/**
+ * DNS lookup helpers per DISCOVERY.md §2.1 + §2.2 + §7.2.
+ *
+ * Provides `lookupSRV`, `lookupTXT`, and `lookupMX` wrappers around
+ * Node's `node:dns/promises` resolver. Tests inject a custom
+ * {@link DNSLookup} implementation.
+ *
+ * This module is Node-only; `defaultDNSLookup` calls into
+ * `node:dns/promises`. Browser / Deno callers must pass a custom
+ * {@link DNSLookup} (e.g. backed by DNS-over-HTTPS).
+ *
+ * @module
+ */
+import { parseTXTCapabilities } from "./txt.js";
+/**
+ * Default DNS lookup backed by Node's `node:dns/promises`. Throws
+ * a descriptive error in non-Node environments.
+ */
+export async function defaultDNSLookup() {
+    let dns;
+    try {
+        dns = await import("node:dns/promises");
+    }
+    catch {
+        throw new Error("discovery: node:dns/promises unavailable; pass a DNSLookup explicitly in non-Node environments");
+    }
+    return {
+        async lookupSRV(domain) {
+            try {
+                const recs = await dns.resolveSrv(domain);
+                return recs.map((r) => ({
+                    priority: r.priority,
+                    weight: r.weight,
+                    port: r.port,
+                    target: r.name.replace(/\.$/, ""),
+                }));
+            }
+            catch (err) {
+                if (isNoData(err) || isNotFound(err)) {
+                    return [];
+                }
+                throw err;
+            }
+        },
+        async lookupTXT(domain) {
+            try {
+                const recs = await dns.resolveTxt(domain);
+                return recs.map((parts) => parts.join(""));
+            }
+            catch (err) {
+                if (isNoData(err) || isNotFound(err)) {
+                    return [];
+                }
+                throw err;
+            }
+        },
+        async lookupMX(domain) {
+            try {
+                const recs = await dns.resolveMx(domain);
+                const sorted = [...recs].sort((a, b) => a.priority - b.priority);
+                return sorted.map((r) => ({
+                    preference: r.priority,
+                    exchange: r.exchange.replace(/\.$/, ""),
+                }));
+            }
+            catch (err) {
+                if (isNoData(err) || isNotFound(err)) {
+                    return [];
+                }
+                throw err;
+            }
+        },
+    };
+}
+function isNoData(err) {
+    return (err !== null &&
+        typeof err === "object" &&
+        "code" in err &&
+        err.code === "ENODATA");
+}
+function isNotFound(err) {
+    return (err !== null &&
+        typeof err === "object" &&
+        "code" in err &&
+        err.code === "ENOTFOUND");
+}
+/**
+ * Look up `_semp._tcp.<domain>` SRV records and return them in
+ * priority-ascending order (clients applying weighted random
+ * selection per RFC 2782 sort within a priority group themselves).
+ */
+export async function lookupSRV(domain, lookup) {
+    const dns = lookup ?? (await defaultDNSLookup());
+    const name = `_semp._tcp.${domain}`;
+    const recs = await dns.lookupSRV(name);
+    return [...recs].sort((a, b) => a.priority - b.priority);
+}
+/**
+ * Look up `_semp._tcp.<domain>` TXT records and return the first
+ * one whose `v=` parameter is `semp1`. Returns null when no SEMP
+ * TXT record is published.
+ */
+export async function lookupTXT(domain, lookup) {
+    const dns = lookup ?? (await defaultDNSLookup());
+    const name = `_semp._tcp.${domain}`;
+    const txts = await dns.lookupTXT(name);
+    for (const raw of txts) {
+        const cap = parseTXTCapabilities(raw);
+        if (cap.v === "semp1") {
+            return cap;
+        }
+    }
+    return null;
+}
+/** Look up MX records for `domain`, sorted by preference ascending. */
+export async function lookupMX(domain, lookup) {
+    const dns = lookup ?? (await defaultDNSLookup());
+    return dns.lookupMX(domain);
+}
+//# sourceMappingURL=dns.js.map

package/dist/discovery/dns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dns.js","sourceRoot":"","sources":["../../src/discovery/dns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAwB,oBAAoB,EAAE,MAAM,UAAU,CAAC;AA2BtE;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,GAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,gGAAgG,CACjG,CAAC;IACJ,CAAC;IACD,OAAO;QACL,KAAK,CAAC,SAAS,CAAC,MAAc;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;iBAClC,CAAC,CAAC,CAAC;YACN,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACrC,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,SAAS,CAAC,MAAc;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACrC,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,CAAC,QAAQ,CAAC,MAAc;YAC3B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;gBACzC,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;gBACjE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACxB,UAAU,EAAE,CAAC,CAAC,QAAQ;oBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;iBACxC,CAAC,CAAC,CAAC;YACN,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACrC,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,GAAY;IAC5B,OAAO,CACL,GAAG,KAAK,IAAI;QACZ,OAAO,GAAG,KAAK,QAAQ;QACvB,MAAM,IAAI,GAAG;QACZ,GAAwB,CAAC,IAAI,KAAK,SAAS,CAC7C,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,OAAO,CACL,GAAG,KAAK,IAAI;QACZ,OAAO,GAAG,KAAK,QAAQ;QACvB,MAAM,IAAI,GAAG;QACZ,GAAwB,CAAC,IAAI,KAAK,WAAW,CAC/C,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,EACd,MAAkB;IAElB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,cAAc,MAAM,EAAE,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,EACd,MAAkB;IAElB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,cAAc,MAAM,EAAE,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACvC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,GAAG,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;YACtB,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,MAAc,EACd,MAAkB;IAElB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC"}

package/dist/discovery/domain_keys.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Domain key publication parsing per DISCOVERY.md §3.3.
+ *
+ * Federation peers fetch the domain signing + encryption keys from
+ * the URL advertised as `endpoints.domain_keys` in a server's
+ * configuration document. The HTTPS certificate chain is the trust
+ * anchor: if the TLS certificate is valid for the hostname, the
+ * domain keys it publishes are trusted (§3.3 paragraph 4).
+ *
+ * Beyond the TLS check, peers MUST cross-verify that
+ * `signing_key.key_id` is the SHA-256 fingerprint of the published
+ * `signing_key.public_key`. Otherwise a misconfigured server (or an
+ * attacker on the publication path) could swap in a key whose
+ * fingerprint doesn't match the one the peer cached. This module
+ * exposes that check as {@link verifyDomainKeyFingerprint}.
+ *
+ * @module
+ */
+/** `type` discriminator for a domain-keys document. */
+export declare const DomainKeysType = "SEMP_DOMAIN_KEYS";
+/** Maximum byte size accepted for a fetched domain-keys body. */
+export declare const DomainKeysMaxBytes: number;
+/** A single algorithm-tagged public key block. */
+export interface KeyBlock {
+    algorithm: string;
+    /** Base64-encoded raw public key bytes. */
+    public_key: string;
+    /** SHA-256 fingerprint of the raw public key bytes, hex-encoded. */
+    key_id: string;
+}
+/** Parsed domain-keys document per §3.3. */
+export interface DomainKeys {
+    type: typeof DomainKeysType;
+    version: string;
+    domain: string;
+    signing_key: KeyBlock;
+    encryption_key: KeyBlock;
+    /** Forward-compatible: unknown fields preserved. */
+    [key: string]: unknown;
+}
+/**
+ * Validate and narrow a parsed JSON value into a {@link DomainKeys}.
+ * Does NOT perform the fingerprint cross-check; call
+ * {@link verifyDomainKeyFingerprint} on each {@link KeyBlock} after
+ * parsing.
+ */
+export declare function parseDomainKeys(value: unknown): DomainKeys;
+/**
+ * Decode `block.public_key` from base64. The caller asserts the
+ * algorithm is one whose raw key is a fixed size (32 bytes for both
+ * Ed25519 signing and X25519 encryption); this helper does not
+ * enforce a length.
+ */
+export declare function decodeKeyBlockPublic(block: KeyBlock): Uint8Array;
+/**
+ * Cross-check that `block.key_id` is the lowercase-hex SHA-256
+ * fingerprint of the decoded `block.public_key`. Returns true when
+ * the binding holds. Production callers MUST use this on every
+ * fetched {@link DomainKeys} before trusting either key.
+ */
+export declare function verifyDomainKeyFingerprint(block: KeyBlock): boolean;
+//# sourceMappingURL=domain_keys.d.ts.map

package/dist/discovery/domain_keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"domain_keys.d.ts","sourceRoot":"","sources":["../../src/discovery/domain_keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AASH,uDAAuD;AACvD,eAAO,MAAM,cAAc,qBAAqB,CAAC;AAEjD,iEAAiE;AACjE,eAAO,MAAM,kBAAkB,QAAY,CAAC;AAE5C,kDAAkD;AAClD,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,cAAc,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,QAAQ,CAAC;IACtB,cAAc,EAAE,QAAQ,CAAC;IACzB,oDAAoD;IACpD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAuB1D;AAcD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,QAAQ,GAAG,UAAU,CAUhE;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,QAAQ,GAAG,OAAO,CAInE"}

package/dist/discovery/domain_keys.js

@@ -0,0 +1,89 @@
+/**
+ * Domain key publication parsing per DISCOVERY.md §3.3.
+ *
+ * Federation peers fetch the domain signing + encryption keys from
+ * the URL advertised as `endpoints.domain_keys` in a server's
+ * configuration document. The HTTPS certificate chain is the trust
+ * anchor: if the TLS certificate is valid for the hostname, the
+ * domain keys it publishes are trusted (§3.3 paragraph 4).
+ *
+ * Beyond the TLS check, peers MUST cross-verify that
+ * `signing_key.key_id` is the SHA-256 fingerprint of the published
+ * `signing_key.public_key`. Otherwise a misconfigured server (or an
+ * attacker on the publication path) could swap in a key whose
+ * fingerprint doesn't match the one the peer cached. This module
+ * exposes that check as {@link verifyDomainKeyFingerprint}.
+ *
+ * @module
+ */
+import { fingerprint as computeFingerprint } from "../keys/index.js";
+import { isRecord, requireString, } from "./configuration.js";
+/** `type` discriminator for a domain-keys document. */
+export const DomainKeysType = "SEMP_DOMAIN_KEYS";
+/** Maximum byte size accepted for a fetched domain-keys body. */
+export const DomainKeysMaxBytes = 32 * 1024;
+/**
+ * Validate and narrow a parsed JSON value into a {@link DomainKeys}.
+ * Does NOT perform the fingerprint cross-check; call
+ * {@link verifyDomainKeyFingerprint} on each {@link KeyBlock} after
+ * parsing.
+ */
+export function parseDomainKeys(value) {
+    if (!isRecord(value)) {
+        throw new Error("domain_keys: not a JSON object");
+    }
+    if (value.type !== DomainKeysType) {
+        throw new Error(`domain_keys: type ${JSON.stringify(value.type)}, want ${DomainKeysType}`);
+    }
+    requireString(value, "version");
+    requireString(value, "domain");
+    if (!isRecord(value.signing_key)) {
+        throw new Error("domain_keys: signing_key: missing or not an object");
+    }
+    validateKeyBlock(value.signing_key, "signing_key");
+    if (!isRecord(value.encryption_key)) {
+        throw new Error("domain_keys: encryption_key: missing or not an object");
+    }
+    validateKeyBlock(value.encryption_key, "encryption_key");
+    return value;
+}
+function validateKeyBlock(obj, label) {
+    if (typeof obj.algorithm !== "string" || obj.algorithm === "") {
+        throw new Error(`domain_keys: ${label}.algorithm: missing`);
+    }
+    if (typeof obj.public_key !== "string" || obj.public_key === "") {
+        throw new Error(`domain_keys: ${label}.public_key: missing`);
+    }
+    if (typeof obj.key_id !== "string" || obj.key_id === "") {
+        throw new Error(`domain_keys: ${label}.key_id: missing`);
+    }
+}
+/**
+ * Decode `block.public_key` from base64. The caller asserts the
+ * algorithm is one whose raw key is a fixed size (32 bytes for both
+ * Ed25519 signing and X25519 encryption); this helper does not
+ * enforce a length.
+ */
+export function decodeKeyBlockPublic(block) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(block.public_key, "base64"));
+    }
+    const bin = atob(block.public_key);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        out[i] = bin.charCodeAt(i);
+    }
+    return out;
+}
+/**
+ * Cross-check that `block.key_id` is the lowercase-hex SHA-256
+ * fingerprint of the decoded `block.public_key`. Returns true when
+ * the binding holds. Production callers MUST use this on every
+ * fetched {@link DomainKeys} before trusting either key.
+ */
+export function verifyDomainKeyFingerprint(block) {
+    const pub = decodeKeyBlockPublic(block);
+    const want = computeFingerprint(pub);
+    return block.key_id.toLowerCase() === want;
+}
+//# sourceMappingURL=domain_keys.js.map

package/dist/discovery/domain_keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"domain_keys.js","sourceRoot":"","sources":["../../src/discovery/domain_keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,WAAW,IAAI,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAErE,OAAO,EACL,QAAQ,EACR,aAAa,GACd,MAAM,oBAAoB,CAAC;AAE5B,uDAAuD;AACvD,MAAM,CAAC,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAEjD,iEAAiE;AACjE,MAAM,CAAC,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC;AAsB5C;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,qBAAqB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,cAAc,EAAE,CAC1E,CAAC;IACJ,CAAC;IACD,aAAa,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAChC,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAE/B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,gBAAgB,CAAC,KAAK,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAEnD,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,gBAAgB,CAAC,KAAK,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC;IAEzD,OAAO,KAA8B,CAAC;AACxC,CAAC;AAED,SAAS,gBAAgB,CAAC,GAA4B,EAAE,KAAa;IACnE,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,IAAI,GAAG,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,gBAAgB,KAAK,qBAAqB,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,KAAK,EAAE,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,gBAAgB,KAAK,sBAAsB,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,gBAAgB,KAAK,kBAAkB,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAe;IAClD,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B,CAAC,KAAe;IACxD,MAAM,GAAG,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACrC,OAAO,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC;AAC7C,CAAC"}

package/dist/discovery/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Discovery layer per DISCOVERY.md.
+ *
+ * DNS lookups (SRV / TXT / MX), well-known URI configuration +
+ * domain-keys fetch (§3), signed SEMP_DISCOVERY lookup (§4), and
+ * a discovery result cache (§6.1).
+ *
+ * @module
+ */
+export { parseTXTCapabilities, type TXTCapabilities } from "./txt.js";
+export { type ConfigEndpoints, type ConfigExtension, type ConfigLimits, type Configuration, type TransportEndpoints, ConfigurationType, WellKnownMaxBytes, WellKnownPath, parseConfiguration, } from "./configuration.js";
+export { type DomainKeys, type KeyBlock, DomainKeysMaxBytes, DomainKeysType, decodeKeyBlockPublic, parseDomainKeys, verifyDomainKeyFingerprint, } from "./domain_keys.js";
+export { type FetchLike, type FetchOptions, type ResolveServerOptions, type ResolvedServer, fetchConfiguration, fetchDomainKeys, resolveServer, wellKnownUrl, } from "./resolver.js";
+export { type DNSLookup, type MXRecord, type SRVRecord, defaultDNSLookup, lookupMX, lookupSRV, lookupTXT, } from "./dns.js";
+export { type DiscoveryCache, DefaultTTLLegacyMs, DefaultTTLNotFoundMs, DefaultTTLSEMPMs, InMemoryDiscoveryCache, } from "./cache.js";
+export { type DiscoveryRequest, type DiscoveryResponse, type DiscoveryResult, type DiscoverySignature, type DiscoveryStatus, DiscoveryMessageType, DiscoveryRecordVersion, DiscoverySignaturePrefix, DiscoveryStepRequest, DiscoveryStepResponse, signDiscoveryResponse, validateDiscoveryRequest, validateDiscoveryResponse, verifyDiscoveryResponse, } from "./lookup.js";
+export { OnionSuffix, OnionV3LabelLength, isOnionDomain, validateOnionDomain, } from "./onion.js";
+export { type AlphaRange, type PartitionConfig, type PartitionLookupFunc, type PartitionResolverConfig, type PartitionStrategy, defaultAlphaRanges, parsePartitionTXT, resolvePartition, } from "./partition.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/discovery/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/discovery/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,oBAAoB,EAAE,KAAK,eAAe,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,KAAK,UAAU,EACf,KAAK,QAAQ,EACb,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,eAAe,EACf,0BAA0B,GAC3B,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,kBAAkB,EAClB,eAAe,EACf,aAAa,EACb,YAAY,GACb,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,KAAK,SAAS,EACd,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,gBAAgB,EAChB,QAAQ,EACR,SAAS,EACT,SAAS,GACV,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,KAAK,cAAc,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,wBAAwB,EACxB,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,wBAAwB,EACxB,yBAAyB,EACzB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,iBAAiB,EACtB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,gBAAgB,CAAC"}

package/dist/discovery/index.js

@@ -0,0 +1,19 @@
+/**
+ * Discovery layer per DISCOVERY.md.
+ *
+ * DNS lookups (SRV / TXT / MX), well-known URI configuration +
+ * domain-keys fetch (§3), signed SEMP_DISCOVERY lookup (§4), and
+ * a discovery result cache (§6.1).
+ *
+ * @module
+ */
+export { parseTXTCapabilities } from "./txt.js";
+export { ConfigurationType, WellKnownMaxBytes, WellKnownPath, parseConfiguration, } from "./configuration.js";
+export { DomainKeysMaxBytes, DomainKeysType, decodeKeyBlockPublic, parseDomainKeys, verifyDomainKeyFingerprint, } from "./domain_keys.js";
+export { fetchConfiguration, fetchDomainKeys, resolveServer, wellKnownUrl, } from "./resolver.js";
+export { defaultDNSLookup, lookupMX, lookupSRV, lookupTXT, } from "./dns.js";
+export { DefaultTTLLegacyMs, DefaultTTLNotFoundMs, DefaultTTLSEMPMs, InMemoryDiscoveryCache, } from "./cache.js";
+export { DiscoveryMessageType, DiscoveryRecordVersion, DiscoverySignaturePrefix, DiscoveryStepRequest, DiscoveryStepResponse, signDiscoveryResponse, validateDiscoveryRequest, validateDiscoveryResponse, verifyDiscoveryResponse, } from "./lookup.js";
+export { OnionSuffix, OnionV3LabelLength, isOnionDomain, validateOnionDomain, } from "./onion.js";
+export { defaultAlphaRanges, parsePartitionTXT, resolvePartition, } from "./partition.js";
+//# sourceMappingURL=index.js.map

package/dist/discovery/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/discovery/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,oBAAoB,EAAwB,MAAM,UAAU,CAAC;AAEtE,OAAO,EAML,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAGL,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,eAAe,EACf,0BAA0B,GAC3B,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAKL,kBAAkB,EAClB,eAAe,EACf,aAAa,EACb,YAAY,GACb,MAAM,eAAe,CAAC;AAEvB,OAAO,EAIL,gBAAgB,EAChB,QAAQ,EACR,SAAS,EACT,SAAS,GACV,MAAM,UAAU,CAAC;AAElB,OAAO,EAEL,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAML,oBAAoB,EACpB,sBAAsB,EACtB,wBAAwB,EACxB,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,wBAAwB,EACxB,yBAAyB,EACzB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAML,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,gBAAgB,CAAC"}

package/dist/discovery/lookup.d.ts

@@ -0,0 +1,72 @@
+/**
+ * SEMP_DISCOVERY signed lookup per DISCOVERY.md §4.
+ *
+ * Wire shape:
+ *   - Request body: `{type, step="request", version, id, timestamp,
+ *     addresses, extensions?}`
+ *   - Response body: `{type, step="response", version, id, timestamp,
+ *     results, signature, extensions?}`
+ *
+ * The response is signed by the answering server's domain signing
+ * key with the `SEMP-DISCOVERY:` prefix per ENVELOPE.md §4.3.
+ *
+ * @module
+ */
+/** Wire-level constants. */
+export declare const DiscoveryMessageType = "SEMP_DISCOVERY";
+export declare const DiscoveryStepRequest = "request";
+export declare const DiscoveryStepResponse = "response";
+export declare const DiscoveryRecordVersion = "1.0.0";
+export declare const DiscoverySignaturePrefix = "SEMP-DISCOVERY:";
+/** §4.6 status values. */
+export type DiscoveryStatus = "found" | "not_found" | "unsupported" | "rate_limited" | "deferred";
+/** Reusable signature block. */
+export interface DiscoverySignature {
+    algorithm: string;
+    key_id: string;
+    value: string;
+}
+/** SEMP_DISCOVERY request body per §4.1. */
+export interface DiscoveryRequest {
+    type: typeof DiscoveryMessageType;
+    step: typeof DiscoveryStepRequest;
+    version: string;
+    id: string;
+    /** ISO 8601 UTC. */
+    timestamp: string;
+    addresses: string[];
+    extensions?: Record<string, unknown>;
+}
+/** One entry in a {@link DiscoveryResponse}. */
+export interface DiscoveryResult {
+    address: string;
+    status: DiscoveryStatus;
+    transports?: string[];
+    suites?: string[];
+    server?: string;
+    /** Cache TTL in seconds. */
+    ttl: number;
+}
+/** SEMP_DISCOVERY response body per §4.3. */
+export interface DiscoveryResponse {
+    type: typeof DiscoveryMessageType;
+    step: typeof DiscoveryStepResponse;
+    version: string;
+    id: string;
+    /** ISO 8601 UTC. */
+    timestamp: string;
+    results: DiscoveryResult[];
+    signature: DiscoverySignature;
+    extensions?: Record<string, unknown>;
+}
+/** Sign a {@link DiscoveryResponse} under the answering domain's signing key. */
+export declare function signDiscoveryResponse(resp: DiscoveryResponse, domainPriv: Uint8Array, domainKeyId: string): string;
+/** Verify a {@link DiscoveryResponse} under the answering domain's public key. */
+export declare function verifyDiscoveryResponse(resp: DiscoveryResponse, domainPub: Uint8Array): boolean;
+/** Structural validation of a {@link DiscoveryRequest}. Throws on first violation. */
+export declare function validateDiscoveryRequest(req: DiscoveryRequest): void;
+/** Structural validation of a {@link DiscoveryResponse}. Throws on first violation. */
+export declare function validateDiscoveryResponse(resp: DiscoveryResponse, opts?: {
+    skipSignatureCheck?: boolean;
+}): void;
+//# sourceMappingURL=lookup.d.ts.map

package/dist/discovery/lookup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/discovery/lookup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,4BAA4B;AAC5B,eAAO,MAAM,oBAAoB,mBAAmB,CAAC;AACrD,eAAO,MAAM,oBAAoB,YAAY,CAAC;AAC9C,eAAO,MAAM,qBAAqB,aAAa,CAAC;AAChD,eAAO,MAAM,sBAAsB,UAAU,CAAC;AAC9C,eAAO,MAAM,wBAAwB,oBAAoB,CAAC;AAE1D,0BAA0B;AAC1B,MAAM,MAAM,eAAe,GACvB,OAAO,GACP,WAAW,GACX,aAAa,GACb,cAAc,GACd,UAAU,CAAC;AAEf,gCAAgC;AAChC,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4CAA4C;AAC5C,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,OAAO,oBAAoB,CAAC;IAClC,IAAI,EAAE,OAAO,oBAAoB,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,eAAe,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;CACb;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,OAAO,oBAAoB,CAAC;IAClC,IAAI,EAAE,OAAO,qBAAqB,CAAC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,SAAS,EAAE,kBAAkB,CAAC;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,iFAAiF;AACjF,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,iBAAiB,EACvB,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE,MAAM,GAClB,MAAM,CAgBR;AAED,kFAAkF;AAClF,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,iBAAiB,EACvB,SAAS,EAAE,UAAU,GACpB,OAAO,CAYT;AAED,sFAAsF;AACtF,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,gBAAgB,GAAG,IAAI,CA2BpE;AAED,uFAAuF;AACvF,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,iBAAiB,EACvB,IAAI,GAAE;IAAE,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAAO,GAC1C,IAAI,CAgDN"}