npm - @sempdev/semp - Versions diffs - 0.4.3 - Mend

@sempdev/semp 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (559) hide show

package/LICENSE +21 -0
package/README.md +59 -0
package/dist/brief/address.d.ts +77 -0
package/dist/brief/address.d.ts.map +1 -0
package/dist/brief/address.js +217 -0
package/dist/brief/address.js.map +1 -0
package/dist/brief/brief.d.ts +75 -0
package/dist/brief/brief.d.ts.map +1 -0
package/dist/brief/brief.js +56 -0
package/dist/brief/brief.js.map +1 -0
package/dist/brief/index.d.ts +11 -0
package/dist/brief/index.d.ts.map +1 -0
package/dist/brief/index.js +11 -0
package/dist/brief/index.js.map +1 -0
package/dist/canonical/index.d.ts +8 -0
package/dist/canonical/index.d.ts.map +1 -0
package/dist/canonical/index.js +8 -0
package/dist/canonical/index.js.map +1 -0
package/dist/canonical/marshal.d.ts +35 -0
package/dist/canonical/marshal.d.ts.map +1 -0
package/dist/canonical/marshal.js +107 -0
package/dist/canonical/marshal.js.map +1 -0
package/dist/clockskew/index.d.ts +52 -0
package/dist/clockskew/index.d.ts.map +1 -0
package/dist/clockskew/index.js +62 -0
package/dist/clockskew/index.js.map +1 -0
package/dist/closure/closure.d.ts +106 -0
package/dist/closure/closure.d.ts.map +1 -0
package/dist/closure/closure.js +152 -0
package/dist/closure/closure.js.map +1 -0
package/dist/closure/driver.d.ts +103 -0
package/dist/closure/driver.d.ts.map +1 -0
package/dist/closure/driver.js +126 -0
package/dist/closure/driver.js.map +1 -0
package/dist/closure/index.d.ts +13 -0
package/dist/closure/index.d.ts.map +1 -0
package/dist/closure/index.js +13 -0
package/dist/closure/index.js.map +1 -0
package/dist/closure/store.d.ts +80 -0
package/dist/closure/store.d.ts.map +1 -0
package/dist/closure/store.js +89 -0
package/dist/closure/store.js.map +1 -0
package/dist/crypto/aead.d.ts +29 -0
package/dist/crypto/aead.d.ts.map +1 -0
package/dist/crypto/aead.js +48 -0
package/dist/crypto/aead.js.map +1 -0
package/dist/crypto/argon2.d.ts +20 -0
package/dist/crypto/argon2.d.ts.map +1 -0
package/dist/crypto/argon2.js +28 -0
package/dist/crypto/argon2.js.map +1 -0
package/dist/crypto/index.d.ts +14 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +14 -0
package/dist/crypto/index.js.map +1 -0
package/dist/crypto/kdf.d.ts +96 -0
package/dist/crypto/kdf.d.ts.map +1 -0
package/dist/crypto/kdf.js +122 -0
package/dist/crypto/kdf.js.map +1 -0
package/dist/crypto/kem.d.ts +85 -0
package/dist/crypto/kem.d.ts.map +1 -0
package/dist/crypto/kem.js +130 -0
package/dist/crypto/kem.js.map +1 -0
package/dist/crypto/mac.d.ts +19 -0
package/dist/crypto/mac.d.ts.map +1 -0
package/dist/crypto/mac.js +32 -0
package/dist/crypto/mac.js.map +1 -0
package/dist/delivery/ack.d.ts +125 -0
package/dist/delivery/ack.d.ts.map +1 -0
package/dist/delivery/ack.js +141 -0
package/dist/delivery/ack.js.map +1 -0
package/dist/delivery/blocklist.d.ts +87 -0
package/dist/delivery/blocklist.d.ts.map +1 -0
package/dist/delivery/blocklist.js +107 -0
package/dist/delivery/blocklist.js.map +1 -0
package/dist/delivery/cancel.d.ts +60 -0
package/dist/delivery/cancel.d.ts.map +1 -0
package/dist/delivery/cancel.js +43 -0
package/dist/delivery/cancel.js.map +1 -0
package/dist/delivery/disposition.d.ts +106 -0
package/dist/delivery/disposition.d.ts.map +1 -0
package/dist/delivery/disposition.js +105 -0
package/dist/delivery/disposition.js.map +1 -0
package/dist/delivery/fetch.d.ts +59 -0
package/dist/delivery/fetch.d.ts.map +1 -0
package/dist/delivery/fetch.js +47 -0
package/dist/delivery/fetch.js.map +1 -0
package/dist/delivery/forwarder.d.ts +106 -0
package/dist/delivery/forwarder.d.ts.map +1 -0
package/dist/delivery/forwarder.js +251 -0
package/dist/delivery/forwarder.js.map +1 -0
package/dist/delivery/inbox.d.ts +42 -0
package/dist/delivery/inbox.d.ts.map +1 -0
package/dist/delivery/inbox.js +68 -0
package/dist/delivery/inbox.js.map +1 -0
package/dist/delivery/index.d.ts +31 -0
package/dist/delivery/index.d.ts.map +1 -0
package/dist/delivery/index.js +31 -0
package/dist/delivery/index.js.map +1 -0
package/dist/delivery/internalroute.d.ts +50 -0
package/dist/delivery/internalroute.d.ts.map +1 -0
package/dist/delivery/internalroute.js +23 -0
package/dist/delivery/internalroute.js.map +1 -0
package/dist/delivery/pipeline.d.ts +153 -0
package/dist/delivery/pipeline.d.ts.map +1 -0
package/dist/delivery/pipeline.js +356 -0
package/dist/delivery/pipeline.js.map +1 -0
package/dist/delivery/policy_state.d.ts +105 -0
package/dist/delivery/policy_state.d.ts.map +1 -0
package/dist/delivery/policy_state.js +293 -0
package/dist/delivery/policy_state.js.map +1 -0
package/dist/delivery/queue.d.ts +47 -0
package/dist/delivery/queue.d.ts.map +1 -0
package/dist/delivery/queue.js +33 -0
package/dist/delivery/queue.js.map +1 -0
package/dist/delivery/receipt.d.ts +137 -0
package/dist/delivery/receipt.d.ts.map +1 -0
package/dist/delivery/receipt.js +181 -0
package/dist/delivery/receipt.js.map +1 -0
package/dist/delivery/receipt_store.d.ts +81 -0
package/dist/delivery/receipt_store.d.ts.map +1 -0
package/dist/delivery/receipt_store.js +74 -0
package/dist/delivery/receipt_store.js.map +1 -0
package/dist/delivery/retry.d.ts +78 -0
package/dist/delivery/retry.d.ts.map +1 -0
package/dist/delivery/retry.js +132 -0
package/dist/delivery/retry.js.map +1 -0
package/dist/delivery/scheduler.d.ts +156 -0
package/dist/delivery/scheduler.d.ts.map +1 -0
package/dist/delivery/scheduler.js +349 -0
package/dist/delivery/scheduler.js.map +1 -0
package/dist/delivery/stage_partition.d.ts +87 -0
package/dist/delivery/stage_partition.d.ts.map +1 -0
package/dist/delivery/stage_partition.js +122 -0
package/dist/delivery/stage_partition.js.map +1 -0
package/dist/delivery/staged_runner.d.ts +100 -0
package/dist/delivery/staged_runner.d.ts.map +1 -0
package/dist/delivery/staged_runner.js +277 -0
package/dist/delivery/staged_runner.js.map +1 -0
package/dist/delivery/submission.d.ts +72 -0
package/dist/delivery/submission.d.ts.map +1 -0
package/dist/delivery/submission.js +58 -0
package/dist/delivery/submission.js.map +1 -0
package/dist/delivery/sync.d.ts +68 -0
package/dist/delivery/sync.d.ts.map +1 -0
package/dist/delivery/sync.js +99 -0
package/dist/delivery/sync.js.map +1 -0
package/dist/delivery/user_policy.d.ts +74 -0
package/dist/delivery/user_policy.d.ts.map +1 -0
package/dist/delivery/user_policy.js +140 -0
package/dist/delivery/user_policy.js.map +1 -0
package/dist/discovery/cache.d.ts +37 -0
package/dist/discovery/cache.d.ts.map +1 -0
package/dist/discovery/cache.js +45 -0
package/dist/discovery/cache.js.map +1 -0
package/dist/discovery/configuration.d.ts +97 -0
package/dist/discovery/configuration.d.ts.map +1 -0
package/dist/discovery/configuration.js +146 -0
package/dist/discovery/configuration.js.map +1 -0
package/dist/discovery/dns.d.ts +56 -0
package/dist/discovery/dns.d.ts.map +1 -0
package/dist/discovery/dns.js +120 -0
package/dist/discovery/dns.js.map +1 -0
package/dist/discovery/domain_keys.d.ts +62 -0
package/dist/discovery/domain_keys.d.ts.map +1 -0
package/dist/discovery/domain_keys.js +89 -0
package/dist/discovery/domain_keys.js.map +1 -0
package/dist/discovery/index.d.ts +19 -0
package/dist/discovery/index.d.ts.map +1 -0
package/dist/discovery/index.js +19 -0
package/dist/discovery/index.js.map +1 -0
package/dist/discovery/lookup.d.ts +72 -0
package/dist/discovery/lookup.d.ts.map +1 -0
package/dist/discovery/lookup.js +121 -0
package/dist/discovery/lookup.js.map +1 -0
package/dist/discovery/onion.d.ts +34 -0
package/dist/discovery/onion.d.ts.map +1 -0
package/dist/discovery/onion.js +61 -0
package/dist/discovery/onion.js.map +1 -0
package/dist/discovery/partition.d.ts +96 -0
package/dist/discovery/partition.d.ts.map +1 -0
package/dist/discovery/partition.js +247 -0
package/dist/discovery/partition.js.map +1 -0
package/dist/discovery/resolver.d.ts +113 -0
package/dist/discovery/resolver.d.ts.map +1 -0
package/dist/discovery/resolver.js +176 -0
package/dist/discovery/resolver.js.map +1 -0
package/dist/discovery/txt.d.ts +39 -0
package/dist/discovery/txt.d.ts.map +1 -0
package/dist/discovery/txt.js +71 -0
package/dist/discovery/txt.js.map +1 -0
package/dist/enclosure/forwarding.d.ts +128 -0
package/dist/enclosure/forwarding.d.ts.map +1 -0
package/dist/enclosure/forwarding.js +119 -0
package/dist/enclosure/forwarding.js.map +1 -0
package/dist/enclosure/index.d.ts +11 -0
package/dist/enclosure/index.d.ts.map +1 -0
package/dist/enclosure/index.js +11 -0
package/dist/enclosure/index.js.map +1 -0
package/dist/envelope/buckets.d.ts +38 -0
package/dist/envelope/buckets.d.ts.map +1 -0
package/dist/envelope/buckets.js +73 -0
package/dist/envelope/buckets.js.map +1 -0
package/dist/envelope/canonical.d.ts +28 -0
package/dist/envelope/canonical.d.ts.map +1 -0
package/dist/envelope/canonical.js +54 -0
package/dist/envelope/canonical.js.map +1 -0
package/dist/envelope/compose.d.ts +171 -0
package/dist/envelope/compose.d.ts.map +1 -0
package/dist/envelope/compose.js +237 -0
package/dist/envelope/compose.js.map +1 -0
package/dist/envelope/encode.d.ts +41 -0
package/dist/envelope/encode.d.ts.map +1 -0
package/dist/envelope/encode.js +69 -0
package/dist/envelope/encode.js.map +1 -0
package/dist/envelope/index.d.ts +20 -0
package/dist/envelope/index.d.ts.map +1 -0
package/dist/envelope/index.js +20 -0
package/dist/envelope/index.js.map +1 -0
package/dist/envelope/open_any.d.ts +48 -0
package/dist/envelope/open_any.d.ts.map +1 -0
package/dist/envelope/open_any.js +81 -0
package/dist/envelope/open_any.js.map +1 -0
package/dist/envelope/open_verified.d.ts +59 -0
package/dist/envelope/open_verified.d.ts.map +1 -0
package/dist/envelope/open_verified.js +67 -0
package/dist/envelope/open_verified.js.map +1 -0
package/dist/envelope/padding.d.ts +55 -0
package/dist/envelope/padding.d.ts.map +1 -0
package/dist/envelope/padding.js +162 -0
package/dist/envelope/padding.js.map +1 -0
package/dist/envelope/rejection.d.ts +22 -0
package/dist/envelope/rejection.d.ts.map +1 -0
package/dist/envelope/rejection.js +30 -0
package/dist/envelope/rejection.js.map +1 -0
package/dist/envelope/sendtime.d.ts +49 -0
package/dist/envelope/sendtime.d.ts.map +1 -0
package/dist/envelope/sendtime.js +87 -0
package/dist/envelope/sendtime.js.map +1 -0
package/dist/envelope/verify.d.ts +29 -0
package/dist/envelope/verify.d.ts.map +1 -0
package/dist/envelope/verify.js +90 -0
package/dist/envelope/verify.js.map +1 -0
package/dist/extensions/index.d.ts +7 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/index.js +7 -0
package/dist/extensions/index.js.map +1 -0
package/dist/extensions/limits.d.ts +101 -0
package/dist/extensions/limits.d.ts.map +1 -0
package/dist/extensions/limits.js +175 -0
package/dist/extensions/limits.js.map +1 -0
package/dist/handshake/abort.d.ts +49 -0
package/dist/handshake/abort.d.ts.map +1 -0
package/dist/handshake/abort.js +82 -0
package/dist/handshake/abort.js.map +1 -0
package/dist/handshake/capabilities.d.ts +46 -0
package/dist/handshake/capabilities.d.ts.map +1 -0
package/dist/handshake/capabilities.js +114 -0
package/dist/handshake/capabilities.js.map +1 -0
package/dist/handshake/client_state.d.ts +186 -0
package/dist/handshake/client_state.d.ts.map +1 -0
package/dist/handshake/client_state.js +520 -0
package/dist/handshake/client_state.js.map +1 -0
package/dist/handshake/confirm.d.ts +21 -0
package/dist/handshake/confirm.d.ts.map +1 -0
package/dist/handshake/confirm.js +27 -0
package/dist/handshake/confirm.js.map +1 -0
package/dist/handshake/driver.d.ts +126 -0
package/dist/handshake/driver.d.ts.map +1 -0
package/dist/handshake/driver.js +251 -0
package/dist/handshake/driver.js.map +1 -0
package/dist/handshake/federation.d.ts +365 -0
package/dist/handshake/federation.d.ts.map +1 -0
package/dist/handshake/federation.js +664 -0
package/dist/handshake/federation.js.map +1 -0
package/dist/handshake/first_contact.d.ts +57 -0
package/dist/handshake/first_contact.d.ts.map +1 -0
package/dist/handshake/first_contact.js +124 -0
package/dist/handshake/first_contact.js.map +1 -0
package/dist/handshake/identity.d.ts +101 -0
package/dist/handshake/identity.d.ts.map +1 -0
package/dist/handshake/identity.js +117 -0
package/dist/handshake/identity.js.map +1 -0
package/dist/handshake/index.d.ts +21 -0
package/dist/handshake/index.d.ts.map +1 -0
package/dist/handshake/index.js +21 -0
package/dist/handshake/index.js.map +1 -0
package/dist/handshake/messages.d.ts +176 -0
package/dist/handshake/messages.d.ts.map +1 -0
package/dist/handshake/messages.js +125 -0
package/dist/handshake/messages.js.map +1 -0
package/dist/handshake/pow.d.ts +53 -0
package/dist/handshake/pow.d.ts.map +1 -0
package/dist/handshake/pow.js +142 -0
package/dist/handshake/pow.js.map +1 -0
package/dist/handshake/resume_driver.d.ts +56 -0
package/dist/handshake/resume_driver.d.ts.map +1 -0
package/dist/handshake/resume_driver.js +75 -0
package/dist/handshake/resume_driver.js.map +1 -0
package/dist/handshake/server.d.ts +112 -0
package/dist/handshake/server.d.ts.map +1 -0
package/dist/handshake/server.js +247 -0
package/dist/handshake/server.js.map +1 -0
package/dist/handshake/server_state.d.ts +102 -0
package/dist/handshake/server_state.d.ts.map +1 -0
package/dist/handshake/server_state.js +278 -0
package/dist/handshake/server_state.js.map +1 -0
package/dist/index.d.ts +33 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +33 -0
package/dist/index.js.map +1 -0
package/dist/keys/compromise.d.ts +118 -0
package/dist/keys/compromise.d.ts.map +1 -0
package/dist/keys/compromise.js +218 -0
package/dist/keys/compromise.js.map +1 -0
package/dist/keys/device_certificate.d.ts +166 -0
package/dist/keys/device_certificate.d.ts.map +1 -0
package/dist/keys/device_certificate.js +328 -0
package/dist/keys/device_certificate.js.map +1 -0
package/dist/keys/device_records.d.ts +175 -0
package/dist/keys/device_records.d.ts.map +1 -0
package/dist/keys/device_records.js +418 -0
package/dist/keys/device_records.js.map +1 -0
package/dist/keys/directory_cache.d.ts +64 -0
package/dist/keys/directory_cache.d.ts.map +1 -0
package/dist/keys/directory_cache.js +98 -0
package/dist/keys/directory_cache.js.map +1 -0
package/dist/keys/directory_state.d.ts +79 -0
package/dist/keys/directory_state.d.ts.map +1 -0
package/dist/keys/directory_state.js +155 -0
package/dist/keys/directory_state.js.map +1 -0
package/dist/keys/index.d.ts +18 -0
package/dist/keys/index.d.ts.map +1 -0
package/dist/keys/index.js +18 -0
package/dist/keys/index.js.map +1 -0
package/dist/keys/key_revocation.d.ts +61 -0
package/dist/keys/key_revocation.d.ts.map +1 -0
package/dist/keys/key_revocation.js +88 -0
package/dist/keys/key_revocation.js.map +1 -0
package/dist/keys/request.d.ts +124 -0
package/dist/keys/request.d.ts.map +1 -0
package/dist/keys/request.js +130 -0
package/dist/keys/request.js.map +1 -0
package/dist/keys/sign.d.ts +49 -0
package/dist/keys/sign.d.ts.map +1 -0
package/dist/keys/sign.js +80 -0
package/dist/keys/sign.js.map +1 -0
package/dist/keys/signed.d.ts +80 -0
package/dist/keys/signed.d.ts.map +1 -0
package/dist/keys/signed.js +138 -0
package/dist/keys/signed.js.map +1 -0
package/dist/keys/store.d.ts +138 -0
package/dist/keys/store.d.ts.map +1 -0
package/dist/keys/store.js +107 -0
package/dist/keys/store.js.map +1 -0
package/dist/largeattachment/crypto.d.ts +47 -0
package/dist/largeattachment/crypto.d.ts.map +1 -0
package/dist/largeattachment/crypto.js +235 -0
package/dist/largeattachment/crypto.js.map +1 -0
package/dist/largeattachment/enclosure.d.ts +48 -0
package/dist/largeattachment/enclosure.d.ts.map +1 -0
package/dist/largeattachment/enclosure.js +102 -0
package/dist/largeattachment/enclosure.js.map +1 -0
package/dist/largeattachment/index.d.ts +15 -0
package/dist/largeattachment/index.d.ts.map +1 -0
package/dist/largeattachment/index.js +15 -0
package/dist/largeattachment/index.js.map +1 -0
package/dist/largeattachment/store.d.ts +36 -0
package/dist/largeattachment/store.d.ts.map +1 -0
package/dist/largeattachment/store.js +37 -0
package/dist/largeattachment/store.js.map +1 -0
package/dist/largeattachment/types.d.ts +56 -0
package/dist/largeattachment/types.d.ts.map +1 -0
package/dist/largeattachment/types.js +31 -0
package/dist/largeattachment/types.js.map +1 -0
package/dist/largeattachment/upload.d.ts +62 -0
package/dist/largeattachment/upload.d.ts.map +1 -0
package/dist/largeattachment/upload.js +166 -0
package/dist/largeattachment/upload.js.map +1 -0
package/dist/migration/index.d.ts +17 -0
package/dist/migration/index.d.ts.map +1 -0
package/dist/migration/index.js +17 -0
package/dist/migration/index.js.map +1 -0
package/dist/migration/lockout.d.ts +48 -0
package/dist/migration/lockout.d.ts.map +1 -0
package/dist/migration/lockout.js +57 -0
package/dist/migration/lockout.js.map +1 -0
package/dist/migration/migration.d.ts +48 -0
package/dist/migration/migration.d.ts.map +1 -0
package/dist/migration/migration.js +58 -0
package/dist/migration/migration.js.map +1 -0
package/dist/migration/notice.d.ts +33 -0
package/dist/migration/notice.d.ts.map +1 -0
package/dist/migration/notice.js +85 -0
package/dist/migration/notice.js.map +1 -0
package/dist/migration/orchestrate.d.ts +109 -0
package/dist/migration/orchestrate.d.ts.map +1 -0
package/dist/migration/orchestrate.js +212 -0
package/dist/migration/orchestrate.js.map +1 -0
package/dist/migration/publication_store.d.ts +34 -0
package/dist/migration/publication_store.d.ts.map +1 -0
package/dist/migration/publication_store.js +44 -0
package/dist/migration/publication_store.js.map +1 -0
package/dist/migration/sign.d.ts +65 -0
package/dist/migration/sign.d.ts.map +1 -0
package/dist/migration/sign.js +331 -0
package/dist/migration/sign.js.map +1 -0
package/dist/migration/types.d.ts +92 -0
package/dist/migration/types.d.ts.map +1 -0
package/dist/migration/types.js +26 -0
package/dist/migration/types.js.map +1 -0
package/dist/reasoncodes.d.ts +42 -0
package/dist/reasoncodes.d.ts.map +1 -0
package/dist/reasoncodes.js +80 -0
package/dist/reasoncodes.js.map +1 -0
package/dist/recovery/bundle.d.ts +34 -0
package/dist/recovery/bundle.d.ts.map +1 -0
package/dist/recovery/bundle.js +144 -0
package/dist/recovery/bundle.js.map +1 -0
package/dist/recovery/bundle_crypto.d.ts +60 -0
package/dist/recovery/bundle_crypto.d.ts.map +1 -0
package/dist/recovery/bundle_crypto.js +179 -0
package/dist/recovery/bundle_crypto.js.map +1 -0
package/dist/recovery/bundle_store.d.ts +57 -0
package/dist/recovery/bundle_store.d.ts.map +1 -0
package/dist/recovery/bundle_store.js +104 -0
package/dist/recovery/bundle_store.js.map +1 -0
package/dist/recovery/index.d.ts +19 -0
package/dist/recovery/index.d.ts.map +1 -0
package/dist/recovery/index.js +19 -0
package/dist/recovery/index.js.map +1 -0
package/dist/recovery/manifest_crosscheck.d.ts +59 -0
package/dist/recovery/manifest_crosscheck.d.ts.map +1 -0
package/dist/recovery/manifest_crosscheck.js +59 -0
package/dist/recovery/manifest_crosscheck.js.map +1 -0
package/dist/recovery/shamir.d.ts +51 -0
package/dist/recovery/shamir.d.ts.map +1 -0
package/dist/recovery/shamir.js +181 -0
package/dist/recovery/shamir.js.map +1 -0
package/dist/recovery/sign.d.ts +61 -0
package/dist/recovery/sign.d.ts.map +1 -0
package/dist/recovery/sign.js +359 -0
package/dist/recovery/sign.js.map +1 -0
package/dist/recovery/types.d.ts +180 -0
package/dist/recovery/types.d.ts.map +1 -0
package/dist/recovery/types.js +31 -0
package/dist/recovery/types.js.map +1 -0
package/dist/reputation/abuse_report.d.ts +62 -0
package/dist/reputation/abuse_report.d.ts.map +1 -0
package/dist/reputation/abuse_report.js +111 -0
package/dist/reputation/abuse_report.js.map +1 -0
package/dist/reputation/bucketize.d.ts +31 -0
package/dist/reputation/bucketize.d.ts.map +1 -0
package/dist/reputation/bucketize.js +77 -0
package/dist/reputation/bucketize.js.map +1 -0
package/dist/reputation/gossip.d.ts +24 -0
package/dist/reputation/gossip.d.ts.map +1 -0
package/dist/reputation/gossip.js +64 -0
package/dist/reputation/gossip.js.map +1 -0
package/dist/reputation/gossip_fetch.d.ts +64 -0
package/dist/reputation/gossip_fetch.d.ts.map +1 -0
package/dist/reputation/gossip_fetch.js +114 -0
package/dist/reputation/gossip_fetch.js.map +1 -0
package/dist/reputation/index.d.ts +20 -0
package/dist/reputation/index.d.ts.map +1 -0
package/dist/reputation/index.js +20 -0
package/dist/reputation/index.js.map +1 -0
package/dist/reputation/observation_store.d.ts +67 -0
package/dist/reputation/observation_store.d.ts.map +1 -0
package/dist/reputation/observation_store.js +171 -0
package/dist/reputation/observation_store.js.map +1 -0
package/dist/reputation/pow.d.ts +91 -0
package/dist/reputation/pow.d.ts.map +1 -0
package/dist/reputation/pow.js +209 -0
package/dist/reputation/pow.js.map +1 -0
package/dist/reputation/sign.d.ts +40 -0
package/dist/reputation/sign.d.ts.map +1 -0
package/dist/reputation/sign.js +202 -0
package/dist/reputation/sign.js.map +1 -0
package/dist/reputation/types.d.ts +133 -0
package/dist/reputation/types.d.ts.map +1 -0
package/dist/reputation/types.js +33 -0
package/dist/reputation/types.js.map +1 -0
package/dist/reputation/whois.d.ts +25 -0
package/dist/reputation/whois.d.ts.map +1 -0
package/dist/reputation/whois.js +20 -0
package/dist/reputation/whois.js.map +1 -0
package/dist/seal/index.d.ts +8 -0
package/dist/seal/index.d.ts.map +1 -0
package/dist/seal/index.js +8 -0
package/dist/seal/index.js.map +1 -0
package/dist/seal/wrap.d.ts +74 -0
package/dist/seal/wrap.d.ts.map +1 -0
package/dist/seal/wrap.js +213 -0
package/dist/seal/wrap.js.map +1 -0
package/dist/session/dispatcher.d.ts +65 -0
package/dist/session/dispatcher.d.ts.map +1 -0
package/dist/session/dispatcher.js +96 -0
package/dist/session/dispatcher.js.map +1 -0
package/dist/session/index.d.ts +15 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +15 -0
package/dist/session/index.js.map +1 -0
package/dist/session/rekey.d.ts +108 -0
package/dist/session/rekey.d.ts.map +1 -0
package/dist/session/rekey.js +207 -0
package/dist/session/rekey.js.map +1 -0
package/dist/session/rekey_seal.d.ts +66 -0
package/dist/session/rekey_seal.d.ts.map +1 -0
package/dist/session/rekey_seal.js +153 -0
package/dist/session/rekey_seal.js.map +1 -0
package/dist/session/resume.d.ts +125 -0
package/dist/session/resume.d.ts.map +1 -0
package/dist/session/resume.js +263 -0
package/dist/session/resume.js.map +1 -0
package/dist/session/session.d.ts +136 -0
package/dist/session/session.d.ts.map +1 -0
package/dist/session/session.js +188 -0
package/dist/session/session.js.map +1 -0
package/dist/transparency/index.d.ts +13 -0
package/dist/transparency/index.d.ts.map +1 -0
package/dist/transparency/index.js +13 -0
package/dist/transparency/index.js.map +1 -0
package/dist/transparency/log.d.ts +61 -0
package/dist/transparency/log.d.ts.map +1 -0
package/dist/transparency/log.js +133 -0
package/dist/transparency/log.js.map +1 -0
package/dist/transparency/merkle.d.ts +59 -0
package/dist/transparency/merkle.d.ts.map +1 -0
package/dist/transparency/merkle.js +314 -0
package/dist/transparency/merkle.js.map +1 -0
package/dist/transparency/sign.d.ts +48 -0
package/dist/transparency/sign.d.ts.map +1 -0
package/dist/transparency/sign.js +140 -0
package/dist/transparency/sign.js.map +1 -0
package/dist/transparency/types.d.ts +97 -0
package/dist/transparency/types.d.ts.map +1 -0
package/dist/transparency/types.js +25 -0
package/dist/transparency/types.js.map +1 -0
package/dist/transport/h2.d.ts +163 -0
package/dist/transport/h2.d.ts.map +1 -0
package/dist/transport/h2.js +397 -0
package/dist/transport/h2.js.map +1 -0
package/dist/transport/index.d.ts +15 -0
package/dist/transport/index.d.ts.map +1 -0
package/dist/transport/index.js +15 -0
package/dist/transport/index.js.map +1 -0
package/dist/transport/memory.d.ts +21 -0
package/dist/transport/memory.d.ts.map +1 -0
package/dist/transport/memory.js +112 -0
package/dist/transport/memory.js.map +1 -0
package/dist/transport/transport.d.ts +54 -0
package/dist/transport/transport.d.ts.map +1 -0
package/dist/transport/transport.js +20 -0
package/dist/transport/transport.js.map +1 -0
package/dist/transport/ws.d.ts +40 -0
package/dist/transport/ws.d.ts.map +1 -0
package/dist/transport/ws.js +204 -0
package/dist/transport/ws.js.map +1 -0
package/package.json +147 -0

package/dist/largeattachment/store.js ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Operator-side store interface for large-attachment ciphertext
+ * blobs per ATTACHMENTS.md §4.2 + §4.3.
+ *
+ * The store holds the encrypted blobs that envelopes reference by
+ * URL. Production deployments wrap S3, GCS, a CDN, etc.; this
+ * module ships an in-memory reference for tests + demos.
+ *
+ * @module
+ */
+/** Reference in-memory store. Single-process only. */
+export class InMemoryAttachmentStore {
+    blobs = new Map();
+    async put(id, ciphertext) {
+        if (id === "") {
+            throw new Error("largeattachment: empty id");
+        }
+        if (this.blobs.has(id)) {
+            throw new Error(`largeattachment: blob already stored for ${id}`);
+        }
+        this.blobs.set(id, ciphertext);
+    }
+    async get(id) {
+        return this.blobs.get(id) ?? null;
+    }
+    async stat(id) {
+        const blob = this.blobs.get(id);
+        if (blob === undefined) {
+            return { size: 0, present: false };
+        }
+        return { size: blob.length, present: true };
+    }
+    async del(id) {
+        this.blobs.delete(id);
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/largeattachment/store.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/largeattachment/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAcH,sDAAsD;AACtD,MAAM,OAAO,uBAAuB;IACjB,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAEvD,KAAK,CAAC,GAAG,CAAC,EAAU,EAAE,UAAsB;QAC1C,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,4CAA4C,EAAE,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU;QACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC;CACF"}

package/dist/largeattachment/types.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Type definitions for the `semp.dev/large-attachment` extension
+ * per ATTACHMENTS.md.
+ *
+ * Large attachments live as encrypted blobs at HTTPS URLs outside
+ * the envelope; the envelope's enclosure carries metadata under
+ * the `semp.dev/large-attachment` extension key. Each attachment is
+ * encrypted under a key derived from K_enclosure via HKDF-Expand
+ * with info `"semp-attachment:" || attachment_id` so any recipient
+ * that can decrypt the enclosure can also decrypt every external
+ * attachment without additional key wrapping.
+ *
+ * @module
+ */
+/** Extension identifier per ATTACHMENTS.md §1.2. */
+export declare const ExtensionKey = "semp.dev/large-attachment";
+/**
+ * Byte-prefix mixed into HKDF-Expand to derive per-attachment keys
+ * per §3.1. The full info input is `HKDFInfoPrefix || attachment_id`.
+ */
+export declare const HKDFInfoPrefix = "semp-attachment:";
+/** AEAD algorithm identifier for the baseline suite per §3.2. */
+export declare const AEADChaCha20Poly1305 = "chacha20-poly1305";
+/** AEAD algorithm identifier for the PQ suite per §3.2. */
+export declare const AEADXChaCha20Poly1305 = "xchacha20-poly1305";
+/**
+ * Hash algorithm identifier for `ciphertext_hash`. The wire form is
+ * `algorithm:hex` per §2.3.
+ */
+export declare const HashAlgorithmSHA256 = "sha256";
+/** One entry in the large-attachment extension's items array per §2.2. */
+export interface Item {
+    /** Unique attachment id within the envelope. ULID RECOMMENDED. */
+    id: string;
+    /** Original filename. MUST NOT contain path separators per §2.3. */
+    filename: string;
+    /** Plaintext MIME type. */
+    mime_type: string;
+    /** Plaintext size in bytes. */
+    plaintext_size: number;
+    /** HTTPS URL the ciphertext is fetched from. */
+    url: string;
+    /** Digest of the ciphertext bytes, encoded `algorithm:hex`. */
+    ciphertext_hash: string;
+    /** AEAD algorithm identifier; consistent with the negotiated suite. */
+    aead_algorithm: string;
+    /** Base64-encoded AEAD nonce. */
+    aead_nonce: string;
+    /** Non-normative retrieval hints (bearer tokens, range support, …). */
+    extensions?: Record<string, unknown>;
+}
+/** Inner `data` shape of the extension entry per §2.1. */
+export interface ExtensionData {
+    items: Item[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/largeattachment/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/largeattachment/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,oDAAoD;AACpD,eAAO,MAAM,YAAY,8BAA8B,CAAC;AAExD;;;GAGG;AACH,eAAO,MAAM,cAAc,qBAAqB,CAAC;AAEjD,iEAAiE;AACjE,eAAO,MAAM,oBAAoB,sBAAsB,CAAC;AAExD,2DAA2D;AAC3D,eAAO,MAAM,qBAAqB,uBAAuB,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,mBAAmB,WAAW,CAAC;AAE5C,0EAA0E;AAC1E,MAAM,WAAW,IAAI;IACnB,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAC;IACX,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,+BAA+B;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,+DAA+D;IAC/D,eAAe,EAAE,MAAM,CAAC;IACxB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,0DAA0D;AAC1D,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,IAAI,EAAE,CAAC;CACf"}

package/dist/largeattachment/types.js ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * Type definitions for the `semp.dev/large-attachment` extension
+ * per ATTACHMENTS.md.
+ *
+ * Large attachments live as encrypted blobs at HTTPS URLs outside
+ * the envelope; the envelope's enclosure carries metadata under
+ * the `semp.dev/large-attachment` extension key. Each attachment is
+ * encrypted under a key derived from K_enclosure via HKDF-Expand
+ * with info `"semp-attachment:" || attachment_id` so any recipient
+ * that can decrypt the enclosure can also decrypt every external
+ * attachment without additional key wrapping.
+ *
+ * @module
+ */
+/** Extension identifier per ATTACHMENTS.md §1.2. */
+export const ExtensionKey = "semp.dev/large-attachment";
+/**
+ * Byte-prefix mixed into HKDF-Expand to derive per-attachment keys
+ * per §3.1. The full info input is `HKDFInfoPrefix || attachment_id`.
+ */
+export const HKDFInfoPrefix = "semp-attachment:";
+/** AEAD algorithm identifier for the baseline suite per §3.2. */
+export const AEADChaCha20Poly1305 = "chacha20-poly1305";
+/** AEAD algorithm identifier for the PQ suite per §3.2. */
+export const AEADXChaCha20Poly1305 = "xchacha20-poly1305";
+/**
+ * Hash algorithm identifier for `ciphertext_hash`. The wire form is
+ * `algorithm:hex` per §2.3.
+ */
+export const HashAlgorithmSHA256 = "sha256";
+//# sourceMappingURL=types.js.map

package/dist/largeattachment/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/largeattachment/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,oDAAoD;AACpD,MAAM,CAAC,MAAM,YAAY,GAAG,2BAA2B,CAAC;AAExD;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAEjD,iEAAiE;AACjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAExD,2DAA2D;AAC3D,MAAM,CAAC,MAAM,qBAAqB,GAAG,oBAAoB,CAAC;AAE1D;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,QAAQ,CAAC"}

package/dist/largeattachment/upload.d.ts ADDED Viewed

@@ -0,0 +1,62 @@
+/**
+ * Sender-side encrypt + recipient-side decrypt per ATTACHMENTS.md
+ * §5 / §6.
+ *
+ * @module
+ */
+import { type Item } from "./types.js";
+/** Suite identifier for which AEAD an item uses per §3.2. */
+export type AttachmentSuite = "x25519-chacha20-poly1305" | "pq-kyber768-x25519";
+/** Inputs to {@link encryptAttachment}. */
+export interface EncryptAttachmentInput {
+    /** Negotiated session suite — selects the AEAD per §3.2. */
+    suite: AttachmentSuite;
+    /** 32-byte K_enclosure from the envelope this item belongs to. */
+    kEnclosure: Uint8Array;
+    /** Plaintext bytes to encrypt. */
+    plaintext: Uint8Array;
+    /** Original filename. MUST NOT contain path separators. */
+    filename: string;
+    /** Plaintext MIME type. */
+    mimeType: string;
+    /** HTTPS URL the ciphertext will be retrievable at. */
+    url: string;
+    /** Optional pre-assigned attachment id; when omitted, a fresh ULID is minted. */
+    id?: string;
+    /** Optional pre-assigned AEAD nonce; when omitted, fresh entropy is sourced. */
+    aeadNonce?: Uint8Array;
+    /** Optional non-normative retrieval hints. */
+    extensions?: Record<string, unknown>;
+}
+/** Result of a successful {@link encryptAttachment} call. */
+export interface EncryptAttachmentResult {
+    /** Fully populated item ready to drop into the enclosure. */
+    item: Item;
+    /** AEAD ciphertext bytes — uploaded by the caller to `item.url`. */
+    ciphertext: Uint8Array;
+}
+/**
+ * §5 sender-side flow: derive K_attachment, AEAD-seal the
+ * plaintext, populate the item with `ciphertext_hash` and return
+ * the bytes the caller uploads to `item.url`.
+ *
+ * Does NOT upload anything — the caller PUTs `ciphertext` to `url`.
+ */
+export declare function encryptAttachment(input: EncryptAttachmentInput): EncryptAttachmentResult;
+/**
+ * §6 recipient-side flow: verify ciphertext_hash, derive
+ * K_attachment, AEAD-open the ciphertext, return plaintext.
+ *
+ * Throws {@link CiphertextHashMismatchError} on §7.2 ciphertext-
+ * integrity failure (BEFORE attempting AEAD open). Throws on
+ * §7.3 decryption-integrity failure when AEAD open fails.
+ */
+export declare function decryptAttachment(suite: AttachmentSuite, kEnclosure: Uint8Array, item: Item, ciphertext: Uint8Array): Uint8Array;
+/**
+ * Thrown by {@link decryptAttachment} when `item.ciphertext_hash`
+ * does not match the SHA-256 of the supplied ciphertext per §7.2.
+ */
+export declare class CiphertextHashMismatchError extends Error {
+    readonly name = "CiphertextHashMismatchError";
+}
+//# sourceMappingURL=upload.d.ts.map

package/dist/largeattachment/upload.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"upload.d.ts","sourceRoot":"","sources":["../../src/largeattachment/upload.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EACL,KAAK,IAAI,EAGV,MAAM,YAAY,CAAC;AAEpB,6DAA6D;AAC7D,MAAM,MAAM,eAAe,GACvB,0BAA0B,GAC1B,oBAAoB,CAAC;AAEzB,2CAA2C;AAC3C,MAAM,WAAW,sBAAsB;IACrC,4DAA4D;IAC5D,KAAK,EAAE,eAAe,CAAC;IACvB,kEAAkE;IAClE,UAAU,EAAE,UAAU,CAAC;IACvB,kCAAkC;IAClC,SAAS,EAAE,UAAU,CAAC;IACtB,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,2BAA2B;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,GAAG,EAAE,MAAM,CAAC;IACZ,iFAAiF;IACjF,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,gFAAgF;IAChF,SAAS,CAAC,EAAE,UAAU,CAAC;IACvB,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACtC,6DAA6D;IAC7D,IAAI,EAAE,IAAI,CAAC;IACX,oEAAoE;IACpE,UAAU,EAAE,UAAU,CAAC;CACxB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,sBAAsB,GAC5B,uBAAuB,CA+CzB;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,eAAe,EACtB,UAAU,EAAE,UAAU,EACtB,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,UAAU,GACrB,UAAU,CA4BZ;AAED;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,KAAK;IACpD,SAAkB,IAAI,iCAAiC;CACxD"}

package/dist/largeattachment/upload.js ADDED Viewed

@@ -0,0 +1,166 @@
+/**
+ * Sender-side encrypt + recipient-side decrypt per ATTACHMENTS.md
+ * §5 / §6.
+ *
+ * @module
+ */
+import { aeadOpen, aeadSeal } from "../crypto/index.js";
+import { additionalData, ciphertextHash, deriveAttachmentKey, validateItem, validateUrl, verifyCiphertextHash, } from "./crypto.js";
+import { AEADChaCha20Poly1305, AEADXChaCha20Poly1305, } from "./types.js";
+/**
+ * §5 sender-side flow: derive K_attachment, AEAD-seal the
+ * plaintext, populate the item with `ciphertext_hash` and return
+ * the bytes the caller uploads to `item.url`.
+ *
+ * Does NOT upload anything — the caller PUTs `ciphertext` to `url`.
+ */
+export function encryptAttachment(input) {
+    if (input.kEnclosure.length === 0) {
+        throw new Error("largeattachment: empty K_enclosure");
+    }
+    if (input.filename === "" || input.mimeType === "" || input.url === "") {
+        throw new Error("largeattachment: filename, mimeType, and url are required");
+    }
+    validateUrl(input.url);
+    const algo = aeadAlgorithmFor(input.suite);
+    const nonceLen = nonceLengthFor(algo);
+    const keyLen = 32; // Both AEAD algorithms use a 32-byte key.
+    const id = input.id ?? newULID();
+    let nonce = input.aeadNonce;
+    if (nonce === undefined) {
+        nonce = new Uint8Array(nonceLen);
+        globalThis.crypto.getRandomValues(nonce);
+    }
+    else if (nonce.length !== nonceLen) {
+        throw new Error(`largeattachment: nonce length ${nonce.length}, want ${nonceLen} for ${algo}`);
+    }
+    const kAttachment = deriveAttachmentKey(input.kEnclosure, id, keyLen);
+    // Build the partly-populated item for AAD. The AAD function
+    // strips ciphertext_hash + extensions internally so we leave them
+    // out of the input; aead_nonce is also stripped but we still set
+    // it on the item so the final result is complete.
+    const item = {
+        id,
+        filename: input.filename,
+        mime_type: input.mimeType,
+        plaintext_size: input.plaintext.length,
+        url: input.url,
+        aead_algorithm: algo,
+        aead_nonce: base64Encode(nonce),
+        ciphertext_hash: "",
+    };
+    const aad = additionalData(item);
+    const ciphertext = aeadSeal(algo, kAttachment, nonce, input.plaintext, aad);
+    item.ciphertext_hash = ciphertextHash(ciphertext);
+    if (input.extensions !== undefined) {
+        item.extensions = input.extensions;
+    }
+    return { item, ciphertext };
+}
+/**
+ * §6 recipient-side flow: verify ciphertext_hash, derive
+ * K_attachment, AEAD-open the ciphertext, return plaintext.
+ *
+ * Throws {@link CiphertextHashMismatchError} on §7.2 ciphertext-
+ * integrity failure (BEFORE attempting AEAD open). Throws on
+ * §7.3 decryption-integrity failure when AEAD open fails.
+ */
+export function decryptAttachment(suite, kEnclosure, item, ciphertext) {
+    if (kEnclosure.length === 0) {
+        throw new Error("largeattachment: empty K_enclosure");
+    }
+    validateItem(item);
+    const expectedAlgo = aeadAlgorithmFor(suite);
+    if (item.aead_algorithm !== expectedAlgo) {
+        throw new Error(`largeattachment: item aead_algorithm ${JSON.stringify(item.aead_algorithm)} does not match suite ${JSON.stringify(suite)} (expected ${expectedAlgo})`);
+    }
+    if (!verifyCiphertextHash(item, ciphertext)) {
+        throw new CiphertextHashMismatchError("largeattachment: ciphertext hash mismatch");
+    }
+    const nonce = base64Decode(item.aead_nonce);
+    const nonceLen = nonceLengthFor(expectedAlgo);
+    if (nonce.length !== nonceLen) {
+        throw new Error(`largeattachment: aead_nonce length ${nonce.length}, want ${nonceLen} for ${expectedAlgo}`);
+    }
+    const kAttachment = deriveAttachmentKey(kEnclosure, item.id, 32);
+    const aad = additionalData(item);
+    return aeadOpen(expectedAlgo, kAttachment, nonce, ciphertext, aad);
+}
+/**
+ * Thrown by {@link decryptAttachment} when `item.ciphertext_hash`
+ * does not match the SHA-256 of the supplied ciphertext per §7.2.
+ */
+export class CiphertextHashMismatchError extends Error {
+    name = "CiphertextHashMismatchError";
+}
+// ---------------------------------------------------------------------------
+// Suite → AEAD mapping per §3.2
+function aeadAlgorithmFor(suite) {
+    switch (suite) {
+        case "x25519-chacha20-poly1305":
+            return AEADChaCha20Poly1305;
+        case "pq-kyber768-x25519":
+            return AEADXChaCha20Poly1305;
+        default:
+            throw new Error(`largeattachment: no attachment AEAD wired for suite ${JSON.stringify(suite)}`);
+    }
+}
+function nonceLengthFor(algo) {
+    return algo === "chacha20-poly1305" ? 12 : 24;
+}
+// ---------------------------------------------------------------------------
+// ULID minting (inlined; matches semp-go's local helper)
+const ULID_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+function newULID() {
+    const bits = new Uint8Array(16);
+    const ms = BigInt(Date.now());
+    bits[0] = Number((ms >> 40n) & 0xffn);
+    bits[1] = Number((ms >> 32n) & 0xffn);
+    bits[2] = Number((ms >> 24n) & 0xffn);
+    bits[3] = Number((ms >> 16n) & 0xffn);
+    bits[4] = Number((ms >> 8n) & 0xffn);
+    bits[5] = Number(ms & 0xffn);
+    globalThis.crypto.getRandomValues(bits.subarray(6));
+    // Crockford base32 encoding of 16 bytes → 26 chars.
+    // Treat bits as two big-endian 64-bit words.
+    let u = 0n;
+    for (let i = 0; i < 8; i++) {
+        u = (u << 8n) | BigInt(bits[i] ?? 0);
+    }
+    let u2 = 0n;
+    for (let i = 8; i < 16; i++) {
+        u2 = (u2 << 8n) | BigInt(bits[i] ?? 0);
+    }
+    const out = new Array(26);
+    for (let i = 25; i >= 13; i--) {
+        out[i] = ULID_ALPHABET[Number(u2 & 31n)] ?? "0";
+        u2 >>= 5n;
+    }
+    for (let i = 12; i >= 0; i--) {
+        out[i] = ULID_ALPHABET[Number(u & 31n)] ?? "0";
+        u >>= 5n;
+    }
+    return out.join("");
+}
+function base64Encode(b) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(b).toString("base64");
+    }
+    let bin = "";
+    for (let i = 0; i < b.length; i++) {
+        bin += String.fromCharCode(b[i] ?? 0);
+    }
+    return btoa(bin);
+}
+function base64Decode(s) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(s, "base64"));
+    }
+    const bin = atob(s);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        out[i] = bin.charCodeAt(i);
+    }
+    return out;
+}
+//# sourceMappingURL=upload.js.map

package/dist/largeattachment/upload.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"upload.js","sourceRoot":"","sources":["../../src/largeattachment/upload.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EACL,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,YAAY,EACZ,WAAW,EACX,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAEL,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAqCpB;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAA6B;IAE7B,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,KAAK,EAAE,IAAI,KAAK,CAAC,QAAQ,KAAK,EAAE,IAAI,KAAK,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC;QACvE,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC/E,CAAC;IACD,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEvB,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,EAAE,CAAC,CAAC,0CAA0C;IAE7D,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC;IACjC,IAAI,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC;IAC5B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;QACjC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;SAAM,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,iCAAiC,KAAK,CAAC,MAAM,UAAU,QAAQ,QAAQ,IAAI,EAAE,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,mBAAmB,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IAEtE,4DAA4D;IAC5D,kEAAkE;IAClE,iEAAiE;IACjE,kDAAkD;IAClD,MAAM,IAAI,GAAS;QACjB,EAAE;QACF,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,SAAS,EAAE,KAAK,CAAC,QAAQ;QACzB,cAAc,EAAE,KAAK,CAAC,SAAS,CAAC,MAAM;QACtC,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,cAAc,EAAE,IAAI;QACpB,UAAU,EAAE,YAAY,CAAC,KAAK,CAAC;QAC/B,eAAe,EAAE,EAAE;KACpB,CAAC;IACF,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC5E,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACrC,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAC9B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAsB,EACtB,UAAsB,EACtB,IAAU,EACV,UAAsB;IAEtB,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,YAAY,CAAC,IAAI,CAAC,CAAC;IAEnB,MAAM,YAAY,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC7C,IAAI,IAAI,CAAC,cAAc,KAAK,YAAY,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,wCAAwC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,yBAAyB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,cAAc,YAAY,GAAG,CACvJ,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,2BAA2B,CACnC,2CAA2C,CAC5C,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,sCAAsC,KAAK,CAAC,MAAM,UAAU,QAAQ,QAAQ,YAAY,EAAE,CAC3F,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACjC,OAAO,QAAQ,CAAC,YAAY,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;AACrE,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,2BAA4B,SAAQ,KAAK;IAClC,IAAI,GAAG,6BAA6B,CAAC;CACxD;AAED,8EAA8E;AAC9E,gCAAgC;AAEhC,SAAS,gBAAgB,CACvB,KAAsB;IAEtB,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,0BAA0B;YAC7B,OAAO,oBAAoB,CAAC;QAC9B,KAAK,oBAAoB;YACvB,OAAO,qBAAqB,CAAC;QAC/B;YACE,MAAM,IAAI,KAAK,CAAC,uDAAuD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpG,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CACrB,IAAgD;IAEhD,OAAO,IAAI,KAAK,mBAAmB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAChD,CAAC;AAED,8EAA8E;AAC9E,yDAAyD;AAEzD,MAAM,aAAa,GAAG,kCAAkC,CAAC;AAEzD,SAAS,OAAO;IACd,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAChC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9B,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,EAAE,GAAG,KAAK,CAAC,CAAC;IAC7B,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpD,oDAAoD;IACpD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,KAAK,CAAS,EAAE,CAAC,CAAC;IAClC,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,GAAG,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;QAChD,EAAE,KAAK,EAAE,CAAC;IACZ,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;QAC/C,CAAC,KAAK,EAAE,CAAC;IACX,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/migration/index.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Migration layer per MIGRATION.md.
+ *
+ * Wire records (4-signature MIGRATION chain), signing primitives,
+ * full submission/acceptance flow, lockout registry, notice
+ * messages, third-party verification hooks, publication store.
+ *
+ * @module
+ */
+export { type MigrationMode, type MigrationNotice, type MigrationNoticeRejection, type MigrationRecord, type MigrationSignatureBlock, MaxForwardingWindowMs, MigrationNoticeType, MigrationPrefix, MigrationRecordType, MigrationRecordVersion, MinForwardingWindowMs, RecommendedForwardingWindowMs, SignatureAlgorithmEd25519, } from "./types.js";
+export { checkMigratedAtBound, prepareSignatures, signNewDomain, signNewIdentity, signOldDomain, signOldIdentity, validateMigrationRecord, verifyMigrationPass, verifyMigrationRecord, } from "./sign.js";
+export { type ComposeMigrationInput, composeMigrationRecord, } from "./migration.js";
+export { type AcceptSubmissionInput, type BuildSubmissionInput, type ThirdPartyHook, type ThirdPartyPolicy, acceptSubmission, applyThirdPartyPolicy, buildSubmission, } from "./orchestrate.js";
+export { type LockoutRegistry, type LockoutReservation, InMemoryLockoutRegistry, } from "./lockout.js";
+export { type BuildMigrationNoticeInput, buildMigrationNotice, newMigrationNoticeRejection, } from "./notice.js";
+export { type PublicationStore, InMemoryPublicationStore, } from "./publication_store.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/migration/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,wBAAwB,EAC7B,KAAK,eAAe,EACpB,KAAK,uBAAuB,EAC5B,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,mBAAmB,EACnB,sBAAsB,EACtB,qBAAqB,EACrB,6BAA6B,EAC7B,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,EACf,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,KAAK,qBAAqB,EAC1B,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,KAAK,yBAAyB,EAC9B,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,KAAK,gBAAgB,EACrB,wBAAwB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/migration/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Migration layer per MIGRATION.md.
+ *
+ * Wire records (4-signature MIGRATION chain), signing primitives,
+ * full submission/acceptance flow, lockout registry, notice
+ * messages, third-party verification hooks, publication store.
+ *
+ * @module
+ */
+export { MaxForwardingWindowMs, MigrationNoticeType, MigrationPrefix, MigrationRecordType, MigrationRecordVersion, MinForwardingWindowMs, RecommendedForwardingWindowMs, SignatureAlgorithmEd25519, } from "./types.js";
+export { checkMigratedAtBound, prepareSignatures, signNewDomain, signNewIdentity, signOldDomain, signOldIdentity, validateMigrationRecord, verifyMigrationPass, verifyMigrationRecord, } from "./sign.js";
+export { composeMigrationRecord, } from "./migration.js";
+export { acceptSubmission, applyThirdPartyPolicy, buildSubmission, } from "./orchestrate.js";
+export { InMemoryLockoutRegistry, } from "./lockout.js";
+export { buildMigrationNotice, newMigrationNoticeRejection, } from "./notice.js";
+export { InMemoryPublicationStore, } from "./publication_store.js";
+//# sourceMappingURL=index.js.map

package/dist/migration/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/migration/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAML,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,mBAAmB,EACnB,sBAAsB,EACtB,qBAAqB,EACrB,6BAA6B,EAC7B,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,aAAa,EACb,eAAe,EACf,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAEL,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAKL,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGL,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAEL,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EAEL,wBAAwB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/migration/lockout.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Local-part lockout registry per MIGRATION.md §6.
+ *
+ * After a cooperative migration finalizes, the old provider MUST
+ * lock out the old local-part for the duration of the forwarding
+ * window so a different account cannot be reassigned the old
+ * address while forwarding is still expected to honor it.
+ *
+ * @module
+ */
+/** Reservation record held by the registry. */
+export interface LockoutReservation {
+    localpart: string;
+    /** ISO 8601 UTC. */
+    until: string;
+    /** record_id of the migration record that triggered the lockout. */
+    recordId: string;
+}
+/** Persistence interface for lockout state. */
+export interface LockoutRegistry {
+    /**
+     * Reserve `localpart` until `until`, attributed to `recordId`.
+     * Throws when the local-part is already reserved.
+     */
+    reserve(localpart: string, until: Date, recordId: string): Promise<void>;
+    /**
+     * Report whether `localpart` is currently locked out at `now`.
+     * Returns the active reservation or null when none exists / has
+     * already expired.
+     */
+    isLockedOut(localpart: string, now: Date): Promise<LockoutReservation | null>;
+    /** Clear the reservation for `localpart`. Idempotent. */
+    release(localpart: string): Promise<void>;
+    /**
+     * Drop reservations whose `until` is at or before `now`.
+     * Returns the number pruned.
+     */
+    pruneExpired(now: Date): Promise<number>;
+}
+/** Reference {@link LockoutRegistry}. Single-process only. */
+export declare class InMemoryLockoutRegistry implements LockoutRegistry {
+    private readonly entries;
+    reserve(localpart: string, until: Date, recordId: string): Promise<void>;
+    isLockedOut(localpart: string, now: Date): Promise<LockoutReservation | null>;
+    release(localpart: string): Promise<void>;
+    pruneExpired(now: Date): Promise<number>;
+}
+//# sourceMappingURL=lockout.d.ts.map

package/dist/migration/lockout.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"lockout.d.ts","sourceRoot":"","sources":["../../src/migration/lockout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,+CAA+C;AAC/C,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,+CAA+C;AAC/C,MAAM,WAAW,eAAe;IAC9B;;;OAGG;IACH,OAAO,CACL,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;OAIG;IACH,WAAW,CACT,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,IAAI,GACR,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAEtC,yDAAyD;IACzD,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1C;;;OAGG;IACH,YAAY,CAAC,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,8DAA8D;AAC9D,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyC;IAE3D,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IAkBV,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,IAAI,GACR,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAc/B,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzC,YAAY,CAAC,GAAG,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;CAW/C"}

package/dist/migration/lockout.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Local-part lockout registry per MIGRATION.md §6.
+ *
+ * After a cooperative migration finalizes, the old provider MUST
+ * lock out the old local-part for the duration of the forwarding
+ * window so a different account cannot be reassigned the old
+ * address while forwarding is still expected to honor it.
+ *
+ * @module
+ */
+/** Reference {@link LockoutRegistry}. Single-process only. */
+export class InMemoryLockoutRegistry {
+    entries = new Map();
+    async reserve(localpart, until, recordId) {
+        if (localpart === "") {
+            throw new Error("migration: empty localpart");
+        }
+        const key = localpart.toLowerCase();
+        if (this.entries.has(key)) {
+            const existing = this.entries.get(key);
+            throw new Error(`migration: localpart ${JSON.stringify(localpart)} already locked out until ${existing.until} (record ${existing.recordId})`);
+        }
+        this.entries.set(key, {
+            localpart,
+            until: until.toISOString(),
+            recordId,
+        });
+    }
+    async isLockedOut(localpart, now) {
+        const key = localpart.toLowerCase();
+        const r = this.entries.get(key);
+        if (r === undefined) {
+            return null;
+        }
+        const untilMs = Date.parse(r.until);
+        if (Number.isNaN(untilMs) || untilMs <= now.getTime()) {
+            this.entries.delete(key);
+            return null;
+        }
+        return { ...r };
+    }
+    async release(localpart) {
+        this.entries.delete(localpart.toLowerCase());
+    }
+    async pruneExpired(now) {
+        let pruned = 0;
+        for (const [key, r] of this.entries) {
+            const untilMs = Date.parse(r.until);
+            if (Number.isNaN(untilMs) || untilMs <= now.getTime()) {
+                this.entries.delete(key);
+                pruned++;
+            }
+        }
+        return pruned;
+    }
+}
+//# sourceMappingURL=lockout.js.map

package/dist/migration/lockout.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"lockout.js","sourceRoot":"","sources":["../../src/migration/lockout.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AA2CH,8DAA8D;AAC9D,MAAM,OAAO,uBAAuB;IACjB,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAC;IAEjE,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,KAAW,EACX,QAAgB;QAEhB,IAAI,SAAS,KAAK,EAAE,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CACb,wBAAwB,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,6BAA6B,QAAQ,CAAC,KAAK,YAAY,QAAQ,CAAC,QAAQ,GAAG,CAC7H,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE;YACpB,SAAS;YACT,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;YAC1B,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,SAAiB,EACjB,GAAS;QAET,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;YACtD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB;QAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAS;QAC1B,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBACtD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACzB,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/migration/migration.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Convenience compose for the full migration record per MIGRATION.md §3.
+ *
+ * Wraps {@link prepareSignatures} + the four `sign*` passes into a
+ * single deterministic composer. Production callers that need the
+ * cooperative submit / accept flow use
+ * {@link "./orchestrate".buildSubmission} +
+ * {@link "./orchestrate".acceptSubmission} instead.
+ *
+ * @module
+ */
+import { type MigrationMode, type MigrationRecord, MigrationPrefix } from "./types.js";
+/** Inputs to {@link composeMigrationRecord}. */
+export interface ComposeMigrationInput {
+    mode: MigrationMode;
+    /** ULID for the migration record. */
+    recordId: string;
+    /** ISO 8601 UTC timestamp the migration was effected. */
+    migratedAt: string;
+    /**
+     * ISO 8601 UTC timestamp until which the old domain forwards.
+     * REQUIRED when `mode === "cooperative"`. Pass null/undefined in
+     * unilateral mode to omit.
+     */
+    forwardingWindowUntil?: string | null;
+    oldAddress: string;
+    newAddress: string;
+    oldIdentityKeyId: string;
+    oldIdentitySeed: Uint8Array;
+    newIdentityKeyId: string;
+    /** Base64-encoded new identity public key. */
+    newIdentityPublicKey: string;
+    newIdentitySeed: Uint8Array;
+    newDomainKeyId: string;
+    newDomainSeed: Uint8Array;
+    /** Cooperative mode only. */
+    oldDomainKeyId?: string;
+    /** Cooperative mode only. */
+    oldDomainSeed?: Uint8Array;
+    extensions?: Record<string, unknown>;
+}
+/**
+ * Compose a fully-signed migration record. The four (or three, in
+ * unilateral mode) signatures are applied in §3.3 chain order.
+ */
+export declare function composeMigrationRecord(input: ComposeMigrationInput): MigrationRecord;
+export { MigrationPrefix };
+//# sourceMappingURL=migration.d.ts.map

package/dist/migration/migration.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../../src/migration/migration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,eAAe,EAGhB,MAAM,YAAY,CAAC;AAEpB,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,aAAa,CAAC;IACpB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IAEnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,UAAU,CAAC;IAE5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,8CAA8C;IAC9C,oBAAoB,EAAE,MAAM,CAAC;IAC7B,eAAe,EAAE,UAAU,CAAC;IAE5B,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,UAAU,CAAC;IAE1B,6BAA6B;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6BAA6B;IAC7B,aAAa,CAAC,EAAE,UAAU,CAAC;IAE3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,qBAAqB,GAC3B,eAAe,CAgDjB;AAGD,OAAO,EAAE,eAAe,EAAE,CAAC"}