@sempdev/semp 0.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +59 -0
- package/dist/brief/address.d.ts +77 -0
- package/dist/brief/address.d.ts.map +1 -0
- package/dist/brief/address.js +217 -0
- package/dist/brief/address.js.map +1 -0
- package/dist/brief/brief.d.ts +75 -0
- package/dist/brief/brief.d.ts.map +1 -0
- package/dist/brief/brief.js +56 -0
- package/dist/brief/brief.js.map +1 -0
- package/dist/brief/index.d.ts +11 -0
- package/dist/brief/index.d.ts.map +1 -0
- package/dist/brief/index.js +11 -0
- package/dist/brief/index.js.map +1 -0
- package/dist/canonical/index.d.ts +8 -0
- package/dist/canonical/index.d.ts.map +1 -0
- package/dist/canonical/index.js +8 -0
- package/dist/canonical/index.js.map +1 -0
- package/dist/canonical/marshal.d.ts +35 -0
- package/dist/canonical/marshal.d.ts.map +1 -0
- package/dist/canonical/marshal.js +107 -0
- package/dist/canonical/marshal.js.map +1 -0
- package/dist/clockskew/index.d.ts +52 -0
- package/dist/clockskew/index.d.ts.map +1 -0
- package/dist/clockskew/index.js +62 -0
- package/dist/clockskew/index.js.map +1 -0
- package/dist/closure/closure.d.ts +106 -0
- package/dist/closure/closure.d.ts.map +1 -0
- package/dist/closure/closure.js +152 -0
- package/dist/closure/closure.js.map +1 -0
- package/dist/closure/driver.d.ts +103 -0
- package/dist/closure/driver.d.ts.map +1 -0
- package/dist/closure/driver.js +126 -0
- package/dist/closure/driver.js.map +1 -0
- package/dist/closure/index.d.ts +13 -0
- package/dist/closure/index.d.ts.map +1 -0
- package/dist/closure/index.js +13 -0
- package/dist/closure/index.js.map +1 -0
- package/dist/closure/store.d.ts +80 -0
- package/dist/closure/store.d.ts.map +1 -0
- package/dist/closure/store.js +89 -0
- package/dist/closure/store.js.map +1 -0
- package/dist/crypto/aead.d.ts +29 -0
- package/dist/crypto/aead.d.ts.map +1 -0
- package/dist/crypto/aead.js +48 -0
- package/dist/crypto/aead.js.map +1 -0
- package/dist/crypto/argon2.d.ts +20 -0
- package/dist/crypto/argon2.d.ts.map +1 -0
- package/dist/crypto/argon2.js +28 -0
- package/dist/crypto/argon2.js.map +1 -0
- package/dist/crypto/index.d.ts +14 -0
- package/dist/crypto/index.d.ts.map +1 -0
- package/dist/crypto/index.js +14 -0
- package/dist/crypto/index.js.map +1 -0
- package/dist/crypto/kdf.d.ts +96 -0
- package/dist/crypto/kdf.d.ts.map +1 -0
- package/dist/crypto/kdf.js +122 -0
- package/dist/crypto/kdf.js.map +1 -0
- package/dist/crypto/kem.d.ts +85 -0
- package/dist/crypto/kem.d.ts.map +1 -0
- package/dist/crypto/kem.js +130 -0
- package/dist/crypto/kem.js.map +1 -0
- package/dist/crypto/mac.d.ts +19 -0
- package/dist/crypto/mac.d.ts.map +1 -0
- package/dist/crypto/mac.js +32 -0
- package/dist/crypto/mac.js.map +1 -0
- package/dist/delivery/ack.d.ts +125 -0
- package/dist/delivery/ack.d.ts.map +1 -0
- package/dist/delivery/ack.js +141 -0
- package/dist/delivery/ack.js.map +1 -0
- package/dist/delivery/blocklist.d.ts +87 -0
- package/dist/delivery/blocklist.d.ts.map +1 -0
- package/dist/delivery/blocklist.js +107 -0
- package/dist/delivery/blocklist.js.map +1 -0
- package/dist/delivery/cancel.d.ts +60 -0
- package/dist/delivery/cancel.d.ts.map +1 -0
- package/dist/delivery/cancel.js +43 -0
- package/dist/delivery/cancel.js.map +1 -0
- package/dist/delivery/disposition.d.ts +106 -0
- package/dist/delivery/disposition.d.ts.map +1 -0
- package/dist/delivery/disposition.js +105 -0
- package/dist/delivery/disposition.js.map +1 -0
- package/dist/delivery/fetch.d.ts +59 -0
- package/dist/delivery/fetch.d.ts.map +1 -0
- package/dist/delivery/fetch.js +47 -0
- package/dist/delivery/fetch.js.map +1 -0
- package/dist/delivery/forwarder.d.ts +106 -0
- package/dist/delivery/forwarder.d.ts.map +1 -0
- package/dist/delivery/forwarder.js +251 -0
- package/dist/delivery/forwarder.js.map +1 -0
- package/dist/delivery/inbox.d.ts +42 -0
- package/dist/delivery/inbox.d.ts.map +1 -0
- package/dist/delivery/inbox.js +68 -0
- package/dist/delivery/inbox.js.map +1 -0
- package/dist/delivery/index.d.ts +31 -0
- package/dist/delivery/index.d.ts.map +1 -0
- package/dist/delivery/index.js +31 -0
- package/dist/delivery/index.js.map +1 -0
- package/dist/delivery/internalroute.d.ts +50 -0
- package/dist/delivery/internalroute.d.ts.map +1 -0
- package/dist/delivery/internalroute.js +23 -0
- package/dist/delivery/internalroute.js.map +1 -0
- package/dist/delivery/pipeline.d.ts +153 -0
- package/dist/delivery/pipeline.d.ts.map +1 -0
- package/dist/delivery/pipeline.js +356 -0
- package/dist/delivery/pipeline.js.map +1 -0
- package/dist/delivery/policy_state.d.ts +105 -0
- package/dist/delivery/policy_state.d.ts.map +1 -0
- package/dist/delivery/policy_state.js +293 -0
- package/dist/delivery/policy_state.js.map +1 -0
- package/dist/delivery/queue.d.ts +47 -0
- package/dist/delivery/queue.d.ts.map +1 -0
- package/dist/delivery/queue.js +33 -0
- package/dist/delivery/queue.js.map +1 -0
- package/dist/delivery/receipt.d.ts +137 -0
- package/dist/delivery/receipt.d.ts.map +1 -0
- package/dist/delivery/receipt.js +181 -0
- package/dist/delivery/receipt.js.map +1 -0
- package/dist/delivery/receipt_store.d.ts +81 -0
- package/dist/delivery/receipt_store.d.ts.map +1 -0
- package/dist/delivery/receipt_store.js +74 -0
- package/dist/delivery/receipt_store.js.map +1 -0
- package/dist/delivery/retry.d.ts +78 -0
- package/dist/delivery/retry.d.ts.map +1 -0
- package/dist/delivery/retry.js +132 -0
- package/dist/delivery/retry.js.map +1 -0
- package/dist/delivery/scheduler.d.ts +156 -0
- package/dist/delivery/scheduler.d.ts.map +1 -0
- package/dist/delivery/scheduler.js +349 -0
- package/dist/delivery/scheduler.js.map +1 -0
- package/dist/delivery/stage_partition.d.ts +87 -0
- package/dist/delivery/stage_partition.d.ts.map +1 -0
- package/dist/delivery/stage_partition.js +122 -0
- package/dist/delivery/stage_partition.js.map +1 -0
- package/dist/delivery/staged_runner.d.ts +100 -0
- package/dist/delivery/staged_runner.d.ts.map +1 -0
- package/dist/delivery/staged_runner.js +277 -0
- package/dist/delivery/staged_runner.js.map +1 -0
- package/dist/delivery/submission.d.ts +72 -0
- package/dist/delivery/submission.d.ts.map +1 -0
- package/dist/delivery/submission.js +58 -0
- package/dist/delivery/submission.js.map +1 -0
- package/dist/delivery/sync.d.ts +68 -0
- package/dist/delivery/sync.d.ts.map +1 -0
- package/dist/delivery/sync.js +99 -0
- package/dist/delivery/sync.js.map +1 -0
- package/dist/delivery/user_policy.d.ts +74 -0
- package/dist/delivery/user_policy.d.ts.map +1 -0
- package/dist/delivery/user_policy.js +140 -0
- package/dist/delivery/user_policy.js.map +1 -0
- package/dist/discovery/cache.d.ts +37 -0
- package/dist/discovery/cache.d.ts.map +1 -0
- package/dist/discovery/cache.js +45 -0
- package/dist/discovery/cache.js.map +1 -0
- package/dist/discovery/configuration.d.ts +97 -0
- package/dist/discovery/configuration.d.ts.map +1 -0
- package/dist/discovery/configuration.js +146 -0
- package/dist/discovery/configuration.js.map +1 -0
- package/dist/discovery/dns.d.ts +56 -0
- package/dist/discovery/dns.d.ts.map +1 -0
- package/dist/discovery/dns.js +120 -0
- package/dist/discovery/dns.js.map +1 -0
- package/dist/discovery/domain_keys.d.ts +62 -0
- package/dist/discovery/domain_keys.d.ts.map +1 -0
- package/dist/discovery/domain_keys.js +89 -0
- package/dist/discovery/domain_keys.js.map +1 -0
- package/dist/discovery/index.d.ts +19 -0
- package/dist/discovery/index.d.ts.map +1 -0
- package/dist/discovery/index.js +19 -0
- package/dist/discovery/index.js.map +1 -0
- package/dist/discovery/lookup.d.ts +72 -0
- package/dist/discovery/lookup.d.ts.map +1 -0
- package/dist/discovery/lookup.js +121 -0
- package/dist/discovery/lookup.js.map +1 -0
- package/dist/discovery/onion.d.ts +34 -0
- package/dist/discovery/onion.d.ts.map +1 -0
- package/dist/discovery/onion.js +61 -0
- package/dist/discovery/onion.js.map +1 -0
- package/dist/discovery/partition.d.ts +96 -0
- package/dist/discovery/partition.d.ts.map +1 -0
- package/dist/discovery/partition.js +247 -0
- package/dist/discovery/partition.js.map +1 -0
- package/dist/discovery/resolver.d.ts +113 -0
- package/dist/discovery/resolver.d.ts.map +1 -0
- package/dist/discovery/resolver.js +176 -0
- package/dist/discovery/resolver.js.map +1 -0
- package/dist/discovery/txt.d.ts +39 -0
- package/dist/discovery/txt.d.ts.map +1 -0
- package/dist/discovery/txt.js +71 -0
- package/dist/discovery/txt.js.map +1 -0
- package/dist/enclosure/forwarding.d.ts +128 -0
- package/dist/enclosure/forwarding.d.ts.map +1 -0
- package/dist/enclosure/forwarding.js +119 -0
- package/dist/enclosure/forwarding.js.map +1 -0
- package/dist/enclosure/index.d.ts +11 -0
- package/dist/enclosure/index.d.ts.map +1 -0
- package/dist/enclosure/index.js +11 -0
- package/dist/enclosure/index.js.map +1 -0
- package/dist/envelope/buckets.d.ts +38 -0
- package/dist/envelope/buckets.d.ts.map +1 -0
- package/dist/envelope/buckets.js +73 -0
- package/dist/envelope/buckets.js.map +1 -0
- package/dist/envelope/canonical.d.ts +28 -0
- package/dist/envelope/canonical.d.ts.map +1 -0
- package/dist/envelope/canonical.js +54 -0
- package/dist/envelope/canonical.js.map +1 -0
- package/dist/envelope/compose.d.ts +171 -0
- package/dist/envelope/compose.d.ts.map +1 -0
- package/dist/envelope/compose.js +237 -0
- package/dist/envelope/compose.js.map +1 -0
- package/dist/envelope/encode.d.ts +41 -0
- package/dist/envelope/encode.d.ts.map +1 -0
- package/dist/envelope/encode.js +69 -0
- package/dist/envelope/encode.js.map +1 -0
- package/dist/envelope/index.d.ts +20 -0
- package/dist/envelope/index.d.ts.map +1 -0
- package/dist/envelope/index.js +20 -0
- package/dist/envelope/index.js.map +1 -0
- package/dist/envelope/open_any.d.ts +48 -0
- package/dist/envelope/open_any.d.ts.map +1 -0
- package/dist/envelope/open_any.js +81 -0
- package/dist/envelope/open_any.js.map +1 -0
- package/dist/envelope/open_verified.d.ts +59 -0
- package/dist/envelope/open_verified.d.ts.map +1 -0
- package/dist/envelope/open_verified.js +67 -0
- package/dist/envelope/open_verified.js.map +1 -0
- package/dist/envelope/padding.d.ts +55 -0
- package/dist/envelope/padding.d.ts.map +1 -0
- package/dist/envelope/padding.js +162 -0
- package/dist/envelope/padding.js.map +1 -0
- package/dist/envelope/rejection.d.ts +22 -0
- package/dist/envelope/rejection.d.ts.map +1 -0
- package/dist/envelope/rejection.js +30 -0
- package/dist/envelope/rejection.js.map +1 -0
- package/dist/envelope/sendtime.d.ts +49 -0
- package/dist/envelope/sendtime.d.ts.map +1 -0
- package/dist/envelope/sendtime.js +87 -0
- package/dist/envelope/sendtime.js.map +1 -0
- package/dist/envelope/verify.d.ts +29 -0
- package/dist/envelope/verify.d.ts.map +1 -0
- package/dist/envelope/verify.js +90 -0
- package/dist/envelope/verify.js.map +1 -0
- package/dist/extensions/index.d.ts +7 -0
- package/dist/extensions/index.d.ts.map +1 -0
- package/dist/extensions/index.js +7 -0
- package/dist/extensions/index.js.map +1 -0
- package/dist/extensions/limits.d.ts +101 -0
- package/dist/extensions/limits.d.ts.map +1 -0
- package/dist/extensions/limits.js +175 -0
- package/dist/extensions/limits.js.map +1 -0
- package/dist/handshake/abort.d.ts +49 -0
- package/dist/handshake/abort.d.ts.map +1 -0
- package/dist/handshake/abort.js +82 -0
- package/dist/handshake/abort.js.map +1 -0
- package/dist/handshake/capabilities.d.ts +46 -0
- package/dist/handshake/capabilities.d.ts.map +1 -0
- package/dist/handshake/capabilities.js +114 -0
- package/dist/handshake/capabilities.js.map +1 -0
- package/dist/handshake/client_state.d.ts +186 -0
- package/dist/handshake/client_state.d.ts.map +1 -0
- package/dist/handshake/client_state.js +520 -0
- package/dist/handshake/client_state.js.map +1 -0
- package/dist/handshake/confirm.d.ts +21 -0
- package/dist/handshake/confirm.d.ts.map +1 -0
- package/dist/handshake/confirm.js +27 -0
- package/dist/handshake/confirm.js.map +1 -0
- package/dist/handshake/driver.d.ts +126 -0
- package/dist/handshake/driver.d.ts.map +1 -0
- package/dist/handshake/driver.js +251 -0
- package/dist/handshake/driver.js.map +1 -0
- package/dist/handshake/federation.d.ts +365 -0
- package/dist/handshake/federation.d.ts.map +1 -0
- package/dist/handshake/federation.js +664 -0
- package/dist/handshake/federation.js.map +1 -0
- package/dist/handshake/first_contact.d.ts +57 -0
- package/dist/handshake/first_contact.d.ts.map +1 -0
- package/dist/handshake/first_contact.js +124 -0
- package/dist/handshake/first_contact.js.map +1 -0
- package/dist/handshake/identity.d.ts +101 -0
- package/dist/handshake/identity.d.ts.map +1 -0
- package/dist/handshake/identity.js +117 -0
- package/dist/handshake/identity.js.map +1 -0
- package/dist/handshake/index.d.ts +21 -0
- package/dist/handshake/index.d.ts.map +1 -0
- package/dist/handshake/index.js +21 -0
- package/dist/handshake/index.js.map +1 -0
- package/dist/handshake/messages.d.ts +176 -0
- package/dist/handshake/messages.d.ts.map +1 -0
- package/dist/handshake/messages.js +125 -0
- package/dist/handshake/messages.js.map +1 -0
- package/dist/handshake/pow.d.ts +53 -0
- package/dist/handshake/pow.d.ts.map +1 -0
- package/dist/handshake/pow.js +142 -0
- package/dist/handshake/pow.js.map +1 -0
- package/dist/handshake/resume_driver.d.ts +56 -0
- package/dist/handshake/resume_driver.d.ts.map +1 -0
- package/dist/handshake/resume_driver.js +75 -0
- package/dist/handshake/resume_driver.js.map +1 -0
- package/dist/handshake/server.d.ts +112 -0
- package/dist/handshake/server.d.ts.map +1 -0
- package/dist/handshake/server.js +247 -0
- package/dist/handshake/server.js.map +1 -0
- package/dist/handshake/server_state.d.ts +102 -0
- package/dist/handshake/server_state.d.ts.map +1 -0
- package/dist/handshake/server_state.js +278 -0
- package/dist/handshake/server_state.js.map +1 -0
- package/dist/index.d.ts +33 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +33 -0
- package/dist/index.js.map +1 -0
- package/dist/keys/compromise.d.ts +118 -0
- package/dist/keys/compromise.d.ts.map +1 -0
- package/dist/keys/compromise.js +218 -0
- package/dist/keys/compromise.js.map +1 -0
- package/dist/keys/device_certificate.d.ts +166 -0
- package/dist/keys/device_certificate.d.ts.map +1 -0
- package/dist/keys/device_certificate.js +328 -0
- package/dist/keys/device_certificate.js.map +1 -0
- package/dist/keys/device_records.d.ts +175 -0
- package/dist/keys/device_records.d.ts.map +1 -0
- package/dist/keys/device_records.js +418 -0
- package/dist/keys/device_records.js.map +1 -0
- package/dist/keys/directory_cache.d.ts +64 -0
- package/dist/keys/directory_cache.d.ts.map +1 -0
- package/dist/keys/directory_cache.js +98 -0
- package/dist/keys/directory_cache.js.map +1 -0
- package/dist/keys/directory_state.d.ts +79 -0
- package/dist/keys/directory_state.d.ts.map +1 -0
- package/dist/keys/directory_state.js +155 -0
- package/dist/keys/directory_state.js.map +1 -0
- package/dist/keys/index.d.ts +18 -0
- package/dist/keys/index.d.ts.map +1 -0
- package/dist/keys/index.js +18 -0
- package/dist/keys/index.js.map +1 -0
- package/dist/keys/key_revocation.d.ts +61 -0
- package/dist/keys/key_revocation.d.ts.map +1 -0
- package/dist/keys/key_revocation.js +88 -0
- package/dist/keys/key_revocation.js.map +1 -0
- package/dist/keys/request.d.ts +124 -0
- package/dist/keys/request.d.ts.map +1 -0
- package/dist/keys/request.js +130 -0
- package/dist/keys/request.js.map +1 -0
- package/dist/keys/sign.d.ts +49 -0
- package/dist/keys/sign.d.ts.map +1 -0
- package/dist/keys/sign.js +80 -0
- package/dist/keys/sign.js.map +1 -0
- package/dist/keys/signed.d.ts +80 -0
- package/dist/keys/signed.d.ts.map +1 -0
- package/dist/keys/signed.js +138 -0
- package/dist/keys/signed.js.map +1 -0
- package/dist/keys/store.d.ts +138 -0
- package/dist/keys/store.d.ts.map +1 -0
- package/dist/keys/store.js +107 -0
- package/dist/keys/store.js.map +1 -0
- package/dist/largeattachment/crypto.d.ts +47 -0
- package/dist/largeattachment/crypto.d.ts.map +1 -0
- package/dist/largeattachment/crypto.js +235 -0
- package/dist/largeattachment/crypto.js.map +1 -0
- package/dist/largeattachment/enclosure.d.ts +48 -0
- package/dist/largeattachment/enclosure.d.ts.map +1 -0
- package/dist/largeattachment/enclosure.js +102 -0
- package/dist/largeattachment/enclosure.js.map +1 -0
- package/dist/largeattachment/index.d.ts +15 -0
- package/dist/largeattachment/index.d.ts.map +1 -0
- package/dist/largeattachment/index.js +15 -0
- package/dist/largeattachment/index.js.map +1 -0
- package/dist/largeattachment/store.d.ts +36 -0
- package/dist/largeattachment/store.d.ts.map +1 -0
- package/dist/largeattachment/store.js +37 -0
- package/dist/largeattachment/store.js.map +1 -0
- package/dist/largeattachment/types.d.ts +56 -0
- package/dist/largeattachment/types.d.ts.map +1 -0
- package/dist/largeattachment/types.js +31 -0
- package/dist/largeattachment/types.js.map +1 -0
- package/dist/largeattachment/upload.d.ts +62 -0
- package/dist/largeattachment/upload.d.ts.map +1 -0
- package/dist/largeattachment/upload.js +166 -0
- package/dist/largeattachment/upload.js.map +1 -0
- package/dist/migration/index.d.ts +17 -0
- package/dist/migration/index.d.ts.map +1 -0
- package/dist/migration/index.js +17 -0
- package/dist/migration/index.js.map +1 -0
- package/dist/migration/lockout.d.ts +48 -0
- package/dist/migration/lockout.d.ts.map +1 -0
- package/dist/migration/lockout.js +57 -0
- package/dist/migration/lockout.js.map +1 -0
- package/dist/migration/migration.d.ts +48 -0
- package/dist/migration/migration.d.ts.map +1 -0
- package/dist/migration/migration.js +58 -0
- package/dist/migration/migration.js.map +1 -0
- package/dist/migration/notice.d.ts +33 -0
- package/dist/migration/notice.d.ts.map +1 -0
- package/dist/migration/notice.js +85 -0
- package/dist/migration/notice.js.map +1 -0
- package/dist/migration/orchestrate.d.ts +109 -0
- package/dist/migration/orchestrate.d.ts.map +1 -0
- package/dist/migration/orchestrate.js +212 -0
- package/dist/migration/orchestrate.js.map +1 -0
- package/dist/migration/publication_store.d.ts +34 -0
- package/dist/migration/publication_store.d.ts.map +1 -0
- package/dist/migration/publication_store.js +44 -0
- package/dist/migration/publication_store.js.map +1 -0
- package/dist/migration/sign.d.ts +65 -0
- package/dist/migration/sign.d.ts.map +1 -0
- package/dist/migration/sign.js +331 -0
- package/dist/migration/sign.js.map +1 -0
- package/dist/migration/types.d.ts +92 -0
- package/dist/migration/types.d.ts.map +1 -0
- package/dist/migration/types.js +26 -0
- package/dist/migration/types.js.map +1 -0
- package/dist/reasoncodes.d.ts +42 -0
- package/dist/reasoncodes.d.ts.map +1 -0
- package/dist/reasoncodes.js +80 -0
- package/dist/reasoncodes.js.map +1 -0
- package/dist/recovery/bundle.d.ts +34 -0
- package/dist/recovery/bundle.d.ts.map +1 -0
- package/dist/recovery/bundle.js +144 -0
- package/dist/recovery/bundle.js.map +1 -0
- package/dist/recovery/bundle_crypto.d.ts +60 -0
- package/dist/recovery/bundle_crypto.d.ts.map +1 -0
- package/dist/recovery/bundle_crypto.js +179 -0
- package/dist/recovery/bundle_crypto.js.map +1 -0
- package/dist/recovery/bundle_store.d.ts +57 -0
- package/dist/recovery/bundle_store.d.ts.map +1 -0
- package/dist/recovery/bundle_store.js +104 -0
- package/dist/recovery/bundle_store.js.map +1 -0
- package/dist/recovery/index.d.ts +19 -0
- package/dist/recovery/index.d.ts.map +1 -0
- package/dist/recovery/index.js +19 -0
- package/dist/recovery/index.js.map +1 -0
- package/dist/recovery/manifest_crosscheck.d.ts +59 -0
- package/dist/recovery/manifest_crosscheck.d.ts.map +1 -0
- package/dist/recovery/manifest_crosscheck.js +59 -0
- package/dist/recovery/manifest_crosscheck.js.map +1 -0
- package/dist/recovery/shamir.d.ts +51 -0
- package/dist/recovery/shamir.d.ts.map +1 -0
- package/dist/recovery/shamir.js +181 -0
- package/dist/recovery/shamir.js.map +1 -0
- package/dist/recovery/sign.d.ts +61 -0
- package/dist/recovery/sign.d.ts.map +1 -0
- package/dist/recovery/sign.js +359 -0
- package/dist/recovery/sign.js.map +1 -0
- package/dist/recovery/types.d.ts +180 -0
- package/dist/recovery/types.d.ts.map +1 -0
- package/dist/recovery/types.js +31 -0
- package/dist/recovery/types.js.map +1 -0
- package/dist/reputation/abuse_report.d.ts +62 -0
- package/dist/reputation/abuse_report.d.ts.map +1 -0
- package/dist/reputation/abuse_report.js +111 -0
- package/dist/reputation/abuse_report.js.map +1 -0
- package/dist/reputation/bucketize.d.ts +31 -0
- package/dist/reputation/bucketize.d.ts.map +1 -0
- package/dist/reputation/bucketize.js +77 -0
- package/dist/reputation/bucketize.js.map +1 -0
- package/dist/reputation/gossip.d.ts +24 -0
- package/dist/reputation/gossip.d.ts.map +1 -0
- package/dist/reputation/gossip.js +64 -0
- package/dist/reputation/gossip.js.map +1 -0
- package/dist/reputation/gossip_fetch.d.ts +64 -0
- package/dist/reputation/gossip_fetch.d.ts.map +1 -0
- package/dist/reputation/gossip_fetch.js +114 -0
- package/dist/reputation/gossip_fetch.js.map +1 -0
- package/dist/reputation/index.d.ts +20 -0
- package/dist/reputation/index.d.ts.map +1 -0
- package/dist/reputation/index.js +20 -0
- package/dist/reputation/index.js.map +1 -0
- package/dist/reputation/observation_store.d.ts +67 -0
- package/dist/reputation/observation_store.d.ts.map +1 -0
- package/dist/reputation/observation_store.js +171 -0
- package/dist/reputation/observation_store.js.map +1 -0
- package/dist/reputation/pow.d.ts +91 -0
- package/dist/reputation/pow.d.ts.map +1 -0
- package/dist/reputation/pow.js +209 -0
- package/dist/reputation/pow.js.map +1 -0
- package/dist/reputation/sign.d.ts +40 -0
- package/dist/reputation/sign.d.ts.map +1 -0
- package/dist/reputation/sign.js +202 -0
- package/dist/reputation/sign.js.map +1 -0
- package/dist/reputation/types.d.ts +133 -0
- package/dist/reputation/types.d.ts.map +1 -0
- package/dist/reputation/types.js +33 -0
- package/dist/reputation/types.js.map +1 -0
- package/dist/reputation/whois.d.ts +25 -0
- package/dist/reputation/whois.d.ts.map +1 -0
- package/dist/reputation/whois.js +20 -0
- package/dist/reputation/whois.js.map +1 -0
- package/dist/seal/index.d.ts +8 -0
- package/dist/seal/index.d.ts.map +1 -0
- package/dist/seal/index.js +8 -0
- package/dist/seal/index.js.map +1 -0
- package/dist/seal/wrap.d.ts +74 -0
- package/dist/seal/wrap.d.ts.map +1 -0
- package/dist/seal/wrap.js +213 -0
- package/dist/seal/wrap.js.map +1 -0
- package/dist/session/dispatcher.d.ts +65 -0
- package/dist/session/dispatcher.d.ts.map +1 -0
- package/dist/session/dispatcher.js +96 -0
- package/dist/session/dispatcher.js.map +1 -0
- package/dist/session/index.d.ts +15 -0
- package/dist/session/index.d.ts.map +1 -0
- package/dist/session/index.js +15 -0
- package/dist/session/index.js.map +1 -0
- package/dist/session/rekey.d.ts +108 -0
- package/dist/session/rekey.d.ts.map +1 -0
- package/dist/session/rekey.js +207 -0
- package/dist/session/rekey.js.map +1 -0
- package/dist/session/rekey_seal.d.ts +66 -0
- package/dist/session/rekey_seal.d.ts.map +1 -0
- package/dist/session/rekey_seal.js +153 -0
- package/dist/session/rekey_seal.js.map +1 -0
- package/dist/session/resume.d.ts +125 -0
- package/dist/session/resume.d.ts.map +1 -0
- package/dist/session/resume.js +263 -0
- package/dist/session/resume.js.map +1 -0
- package/dist/session/session.d.ts +136 -0
- package/dist/session/session.d.ts.map +1 -0
- package/dist/session/session.js +188 -0
- package/dist/session/session.js.map +1 -0
- package/dist/transparency/index.d.ts +13 -0
- package/dist/transparency/index.d.ts.map +1 -0
- package/dist/transparency/index.js +13 -0
- package/dist/transparency/index.js.map +1 -0
- package/dist/transparency/log.d.ts +61 -0
- package/dist/transparency/log.d.ts.map +1 -0
- package/dist/transparency/log.js +133 -0
- package/dist/transparency/log.js.map +1 -0
- package/dist/transparency/merkle.d.ts +59 -0
- package/dist/transparency/merkle.d.ts.map +1 -0
- package/dist/transparency/merkle.js +314 -0
- package/dist/transparency/merkle.js.map +1 -0
- package/dist/transparency/sign.d.ts +48 -0
- package/dist/transparency/sign.d.ts.map +1 -0
- package/dist/transparency/sign.js +140 -0
- package/dist/transparency/sign.js.map +1 -0
- package/dist/transparency/types.d.ts +97 -0
- package/dist/transparency/types.d.ts.map +1 -0
- package/dist/transparency/types.js +25 -0
- package/dist/transparency/types.js.map +1 -0
- package/dist/transport/h2.d.ts +163 -0
- package/dist/transport/h2.d.ts.map +1 -0
- package/dist/transport/h2.js +397 -0
- package/dist/transport/h2.js.map +1 -0
- package/dist/transport/index.d.ts +15 -0
- package/dist/transport/index.d.ts.map +1 -0
- package/dist/transport/index.js +15 -0
- package/dist/transport/index.js.map +1 -0
- package/dist/transport/memory.d.ts +21 -0
- package/dist/transport/memory.d.ts.map +1 -0
- package/dist/transport/memory.js +112 -0
- package/dist/transport/memory.js.map +1 -0
- package/dist/transport/transport.d.ts +54 -0
- package/dist/transport/transport.d.ts.map +1 -0
- package/dist/transport/transport.js +20 -0
- package/dist/transport/transport.js.map +1 -0
- package/dist/transport/ws.d.ts +40 -0
- package/dist/transport/ws.d.ts.map +1 -0
- package/dist/transport/ws.js +204 -0
- package/dist/transport/ws.js.map +1 -0
- package/package.json +147 -0
|
@@ -0,0 +1,359 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Sign / verify primitives for recovery wire records per
|
|
3
|
+
* RECOVERY.md §5.2, §5.3, §7.3, §7.5.
|
|
4
|
+
*
|
|
5
|
+
* @module
|
|
6
|
+
*/
|
|
7
|
+
import { marshal as canonicalMarshal } from "../canonical/index.js";
|
|
8
|
+
import { sign as ed25519Sign, verify as ed25519Verify } from "../keys/index.js";
|
|
9
|
+
import { signSignedDoc, verifySignedDoc } from "../keys/index.js";
|
|
10
|
+
import { RecoveryManifestPrefix, RecoveryShareSignaturePrefix, SignatureAlgorithmEd25519, SuccessorRecordPrefix, } from "./types.js";
|
|
11
|
+
// ---------------------------------------------------------------------------
|
|
12
|
+
// SuccessorRecord — three-signature record per §7.3
|
|
13
|
+
/**
|
|
14
|
+
* Pre-populate the algorithm + key_id fields on all three signature
|
|
15
|
+
* blocks so the canonical bytes are stable across the three signing
|
|
16
|
+
* passes. Every signing pass signs the SAME canonical bytes (with
|
|
17
|
+
* all three `value` fields elided), so this MUST be called before
|
|
18
|
+
* any of the {@link signSuccessor*} functions.
|
|
19
|
+
*/
|
|
20
|
+
export function prepareSuccessorSignatures(r, recoveryKeyId, newKeyId, domainKeyId) {
|
|
21
|
+
r.recovery_signature.algorithm = SignatureAlgorithmEd25519;
|
|
22
|
+
r.recovery_signature.key_id = recoveryKeyId;
|
|
23
|
+
r.recovery_signature.value = "";
|
|
24
|
+
r.new_key_signature.algorithm = SignatureAlgorithmEd25519;
|
|
25
|
+
r.new_key_signature.key_id = newKeyId;
|
|
26
|
+
r.new_key_signature.value = "";
|
|
27
|
+
r.domain_signature.algorithm = SignatureAlgorithmEd25519;
|
|
28
|
+
r.domain_signature.key_id = domainKeyId;
|
|
29
|
+
r.domain_signature.value = "";
|
|
30
|
+
}
|
|
31
|
+
/** Sign `r.recovery_signature` per §7.3. */
|
|
32
|
+
export function signSuccessorRecovery(r, recoveryPriv, recoveryKeyId) {
|
|
33
|
+
return signOneOfThree(r, "recovery_signature", recoveryPriv, recoveryKeyId, "recoveryKeyId");
|
|
34
|
+
}
|
|
35
|
+
/** Sign `r.new_key_signature` per §7.3. */
|
|
36
|
+
export function signSuccessorNewKey(r, newIdentityPriv, newKeyId) {
|
|
37
|
+
return signOneOfThree(r, "new_key_signature", newIdentityPriv, newKeyId, "newKeyId");
|
|
38
|
+
}
|
|
39
|
+
/** Sign `r.domain_signature` per §7.3. */
|
|
40
|
+
export function signSuccessorDomain(r, domainPriv, domainKeyId) {
|
|
41
|
+
return signOneOfThree(r, "domain_signature", domainPriv, domainKeyId, "domainKeyId");
|
|
42
|
+
}
|
|
43
|
+
function signOneOfThree(r, field, priv, keyId, argLabel) {
|
|
44
|
+
if (priv.length === 0) {
|
|
45
|
+
throw new Error(`recovery: empty private key for ${field}`);
|
|
46
|
+
}
|
|
47
|
+
if (keyId === "") {
|
|
48
|
+
throw new Error(`recovery: empty ${argLabel}`);
|
|
49
|
+
}
|
|
50
|
+
validateSuccessorRecord(r, { skipSignatureCheck: true });
|
|
51
|
+
const sigBlock = r[field];
|
|
52
|
+
if (sigBlock.algorithm === "" || sigBlock.key_id === "") {
|
|
53
|
+
throw new Error(`recovery: call prepareSuccessorSignatures before sign${field}`);
|
|
54
|
+
}
|
|
55
|
+
if (sigBlock.key_id !== keyId) {
|
|
56
|
+
throw new Error(`recovery: ${field}.key_id ${JSON.stringify(sigBlock.key_id)} does not match passed ${argLabel} ${JSON.stringify(keyId)}`);
|
|
57
|
+
}
|
|
58
|
+
sigBlock.value = "";
|
|
59
|
+
const canonical = canonicalSuccessorBytesElidingThreeSignatures(r);
|
|
60
|
+
const signingInput = concat(new TextEncoder().encode(SuccessorRecordPrefix), canonical);
|
|
61
|
+
const sig = ed25519Sign(priv, signingInput);
|
|
62
|
+
const sigB64 = base64Encode(sig);
|
|
63
|
+
sigBlock.value = sigB64;
|
|
64
|
+
return sigB64;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Verify the two device-side signatures (recovery, new_key) on `r`
|
|
68
|
+
* and accept an empty `domain_signature.value`. This is what the
|
|
69
|
+
* home server runs on receipt of a key-compromise rotation cascade
|
|
70
|
+
* (KEY.md §10.5.5): the device produced both signatures, the server
|
|
71
|
+
* has not yet added its own.
|
|
72
|
+
*/
|
|
73
|
+
export function verifySuccessorTwoSignatures(r, recoveryVerifyPub, newKeyPub) {
|
|
74
|
+
// Skip the full-signature-presence check; this two-signature
|
|
75
|
+
// entry point intentionally accepts an empty domain signature.
|
|
76
|
+
validateSuccessorRecord(r, { skipSignatureCheck: true });
|
|
77
|
+
if (r.recovery_signature.value === "" || r.new_key_signature.value === "") {
|
|
78
|
+
return false;
|
|
79
|
+
}
|
|
80
|
+
if (r.domain_signature.value !== "") {
|
|
81
|
+
throw new Error("recovery: verifySuccessorTwoSignatures called on a fully-signed record; use verifySuccessorRecord");
|
|
82
|
+
}
|
|
83
|
+
const canonical = canonicalSuccessorBytesElidingThreeSignatures(r);
|
|
84
|
+
const signingInput = concat(new TextEncoder().encode(SuccessorRecordPrefix), canonical);
|
|
85
|
+
if (!ed25519Verify(recoveryVerifyPub, base64Decode(r.recovery_signature.value), signingInput)) {
|
|
86
|
+
return false;
|
|
87
|
+
}
|
|
88
|
+
if (!ed25519Verify(newKeyPub, base64Decode(r.new_key_signature.value), signingInput)) {
|
|
89
|
+
return false;
|
|
90
|
+
}
|
|
91
|
+
return true;
|
|
92
|
+
}
|
|
93
|
+
/** Verify all three signatures on `r` per §7.5. */
|
|
94
|
+
export function verifySuccessorRecord(r, recoveryVerifyPub, newKeyPub, domainPub) {
|
|
95
|
+
validateSuccessorRecord(r);
|
|
96
|
+
if (r.recovery_signature.value === "" ||
|
|
97
|
+
r.new_key_signature.value === "" ||
|
|
98
|
+
r.domain_signature.value === "") {
|
|
99
|
+
return false;
|
|
100
|
+
}
|
|
101
|
+
const canonical = canonicalSuccessorBytesElidingThreeSignatures(r);
|
|
102
|
+
const signingInput = concat(new TextEncoder().encode(SuccessorRecordPrefix), canonical);
|
|
103
|
+
return (ed25519Verify(recoveryVerifyPub, base64Decode(r.recovery_signature.value), signingInput) &&
|
|
104
|
+
ed25519Verify(newKeyPub, base64Decode(r.new_key_signature.value), signingInput) &&
|
|
105
|
+
ed25519Verify(domainPub, base64Decode(r.domain_signature.value), signingInput));
|
|
106
|
+
}
|
|
107
|
+
/** Structural validation per §7. Throws on first violation. */
|
|
108
|
+
export function validateSuccessorRecord(r, opts = {}) {
|
|
109
|
+
if (r.type !== "SEMP_SUCCESSOR") {
|
|
110
|
+
throw new Error(`recovery: successor type ${JSON.stringify(r.type)}, want SEMP_SUCCESSOR`);
|
|
111
|
+
}
|
|
112
|
+
for (const f of ["user_id", "prior_key_id", "new_key_id", "new_public_key", "recovered_at"]) {
|
|
113
|
+
if (typeof r[f] !== "string" || r[f] === "") {
|
|
114
|
+
throw new Error(`recovery: successor record missing ${f}`);
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
if (Number.isNaN(Date.parse(r.recovered_at))) {
|
|
118
|
+
throw new Error("recovery: recovered_at is not ISO 8601");
|
|
119
|
+
}
|
|
120
|
+
for (const f of ["recovery_signature", "new_key_signature", "domain_signature"]) {
|
|
121
|
+
if (typeof r[f]?.algorithm !== "string") {
|
|
122
|
+
throw new Error(`recovery: ${f}.algorithm missing`);
|
|
123
|
+
}
|
|
124
|
+
if (typeof r[f]?.key_id !== "string") {
|
|
125
|
+
throw new Error(`recovery: ${f}.key_id missing`);
|
|
126
|
+
}
|
|
127
|
+
if (typeof r[f]?.value !== "string") {
|
|
128
|
+
throw new Error(`recovery: ${f}.value must be a string`);
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
if (!opts.skipSignatureCheck &&
|
|
132
|
+
(r.recovery_signature.value === "" ||
|
|
133
|
+
r.new_key_signature.value === "" ||
|
|
134
|
+
r.domain_signature.value === "")) {
|
|
135
|
+
throw new Error("recovery: successor record missing one or more signatures");
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Canonical bytes of `r` with all three signature `value` fields
|
|
140
|
+
* elided to "" (algorithm and key_id are covered).
|
|
141
|
+
*/
|
|
142
|
+
function canonicalSuccessorBytesElidingThreeSignatures(r) {
|
|
143
|
+
const clone = JSON.parse(JSON.stringify(r));
|
|
144
|
+
for (const f of ["recovery_signature", "new_key_signature", "domain_signature"]) {
|
|
145
|
+
const sig = clone[f];
|
|
146
|
+
sig.value = "";
|
|
147
|
+
}
|
|
148
|
+
return canonicalMarshal(clone);
|
|
149
|
+
}
|
|
150
|
+
// ---------------------------------------------------------------------------
|
|
151
|
+
// RecoverySetManifest — single user-identity signature per §5.2
|
|
152
|
+
/**
|
|
153
|
+
* Sign `m.signature` with the user's identity private key per §5.2.
|
|
154
|
+
* Pre-populates algorithm + key_id so the canonical bytes cover them.
|
|
155
|
+
*/
|
|
156
|
+
export function signManifest(m, identityPriv, identityKeyId) {
|
|
157
|
+
if (identityKeyId === "") {
|
|
158
|
+
throw new Error("recovery: empty identity key_id");
|
|
159
|
+
}
|
|
160
|
+
validateManifest(m, { skipSignatureCheck: true });
|
|
161
|
+
m.signature.algorithm = SignatureAlgorithmEd25519;
|
|
162
|
+
m.signature.key_id = identityKeyId;
|
|
163
|
+
m.signature.value = "";
|
|
164
|
+
const { signedJSON, signatureB64 } = signSignedDoc({
|
|
165
|
+
preSignJSON: m,
|
|
166
|
+
seed: identityPriv,
|
|
167
|
+
signaturePath: "signature.value",
|
|
168
|
+
prefix: RecoveryManifestPrefix,
|
|
169
|
+
});
|
|
170
|
+
// signSignedDoc returns a clone; mutate the caller-supplied object
|
|
171
|
+
// in place so behavior matches the other recovery sign* functions.
|
|
172
|
+
m.signature.value = signedJSON.signature.value;
|
|
173
|
+
return signatureB64;
|
|
174
|
+
}
|
|
175
|
+
/** Verify `m.signature` against `identityPub` per §5.2. */
|
|
176
|
+
export function verifyManifest(m, identityPub) {
|
|
177
|
+
validateManifest(m);
|
|
178
|
+
if (m.signature.value === "") {
|
|
179
|
+
return false;
|
|
180
|
+
}
|
|
181
|
+
const { ok } = verifySignedDoc({
|
|
182
|
+
signedJSON: m,
|
|
183
|
+
publicKey: identityPub,
|
|
184
|
+
signaturePath: "signature.value",
|
|
185
|
+
prefix: RecoveryManifestPrefix,
|
|
186
|
+
});
|
|
187
|
+
return ok;
|
|
188
|
+
}
|
|
189
|
+
/** Structural validation per §5.2. Throws on first violation. */
|
|
190
|
+
export function validateManifest(m, opts = {}) {
|
|
191
|
+
if (m.type !== "SEMP_RECOVERY_SET_MANIFEST") {
|
|
192
|
+
throw new Error(`recovery: manifest type ${JSON.stringify(m.type)}, want SEMP_RECOVERY_SET_MANIFEST`);
|
|
193
|
+
}
|
|
194
|
+
if (typeof m.bundle_id !== "string" || m.bundle_id === "") {
|
|
195
|
+
throw new Error("recovery: manifest missing bundle_id");
|
|
196
|
+
}
|
|
197
|
+
if (!Number.isInteger(m.threshold) || m.threshold < 1) {
|
|
198
|
+
throw new Error(`recovery: manifest threshold ${m.threshold} MUST be >= 1`);
|
|
199
|
+
}
|
|
200
|
+
if (!Number.isInteger(m.total_shares) || m.total_shares < m.threshold) {
|
|
201
|
+
throw new Error(`recovery: manifest total_shares ${m.total_shares} MUST be >= threshold ${m.threshold}`);
|
|
202
|
+
}
|
|
203
|
+
if (!Array.isArray(m.contributors) || m.contributors.length !== m.total_shares) {
|
|
204
|
+
throw new Error(`recovery: manifest contributors length ${m.contributors?.length ?? 0} MUST equal total_shares ${m.total_shares}`);
|
|
205
|
+
}
|
|
206
|
+
if (typeof m.issued_at !== "string" || m.issued_at === "") {
|
|
207
|
+
throw new Error("recovery: manifest missing issued_at");
|
|
208
|
+
}
|
|
209
|
+
const seenIndex = new Set();
|
|
210
|
+
const seenDevice = new Set();
|
|
211
|
+
for (let i = 0; i < m.contributors.length; i++) {
|
|
212
|
+
const c = m.contributors[i];
|
|
213
|
+
if (!Number.isInteger(c.share_index) ||
|
|
214
|
+
c.share_index < 1 ||
|
|
215
|
+
c.share_index > m.total_shares) {
|
|
216
|
+
throw new Error(`recovery: manifest contributors[${i}] share_index ${c.share_index} out of [1, ${m.total_shares}]`);
|
|
217
|
+
}
|
|
218
|
+
if (seenIndex.has(c.share_index)) {
|
|
219
|
+
throw new Error(`recovery: manifest share_index ${c.share_index} appears more than once`);
|
|
220
|
+
}
|
|
221
|
+
seenIndex.add(c.share_index);
|
|
222
|
+
if (typeof c.device_id !== "string" || c.device_id === "") {
|
|
223
|
+
throw new Error(`recovery: manifest contributors[${i}] missing device_id`);
|
|
224
|
+
}
|
|
225
|
+
if (seenDevice.has(c.device_id)) {
|
|
226
|
+
throw new Error(`recovery: manifest device_id ${JSON.stringify(c.device_id)} appears more than once`);
|
|
227
|
+
}
|
|
228
|
+
seenDevice.add(c.device_id);
|
|
229
|
+
if (typeof c.device_identity_pubkey?.public_key !== "string" ||
|
|
230
|
+
c.device_identity_pubkey.public_key === "") {
|
|
231
|
+
throw new Error(`recovery: manifest contributors[${i}] missing device_identity_pubkey.public_key`);
|
|
232
|
+
}
|
|
233
|
+
if (typeof c.device_identity_pubkey?.algorithm !== "string" ||
|
|
234
|
+
c.device_identity_pubkey.algorithm === "") {
|
|
235
|
+
throw new Error(`recovery: manifest contributors[${i}] missing device_identity_pubkey.algorithm`);
|
|
236
|
+
}
|
|
237
|
+
}
|
|
238
|
+
if (!opts.skipSignatureCheck && m.signature.value === "") {
|
|
239
|
+
throw new Error("recovery: manifest is unsigned");
|
|
240
|
+
}
|
|
241
|
+
}
|
|
242
|
+
// ---------------------------------------------------------------------------
|
|
243
|
+
// RecoveryShareRecord — single device-identity signature per §5.3
|
|
244
|
+
/** Sign `s.device_signature` with the device's identity private key per §5.3. */
|
|
245
|
+
export function signShareRecord(s, devicePriv, deviceKeyId) {
|
|
246
|
+
if (deviceKeyId === "") {
|
|
247
|
+
throw new Error("recovery: empty device key_id");
|
|
248
|
+
}
|
|
249
|
+
validateShareRecord(s, { skipSignatureCheck: true });
|
|
250
|
+
s.device_signature.algorithm = SignatureAlgorithmEd25519;
|
|
251
|
+
s.device_signature.key_id = deviceKeyId;
|
|
252
|
+
s.device_signature.value = "";
|
|
253
|
+
const { signedJSON, signatureB64 } = signSignedDoc({
|
|
254
|
+
preSignJSON: s,
|
|
255
|
+
seed: devicePriv,
|
|
256
|
+
signaturePath: "device_signature.value",
|
|
257
|
+
prefix: RecoveryShareSignaturePrefix,
|
|
258
|
+
});
|
|
259
|
+
s.device_signature.value = signedJSON.device_signature.value;
|
|
260
|
+
return signatureB64;
|
|
261
|
+
}
|
|
262
|
+
/** Verify `s.device_signature` against `devicePub` per §5.3. */
|
|
263
|
+
export function verifyShareRecord(s, devicePub) {
|
|
264
|
+
validateShareRecord(s);
|
|
265
|
+
if (s.device_signature.value === "") {
|
|
266
|
+
return false;
|
|
267
|
+
}
|
|
268
|
+
const { ok } = verifySignedDoc({
|
|
269
|
+
signedJSON: s,
|
|
270
|
+
publicKey: devicePub,
|
|
271
|
+
signaturePath: "device_signature.value",
|
|
272
|
+
prefix: RecoveryShareSignaturePrefix,
|
|
273
|
+
});
|
|
274
|
+
return ok;
|
|
275
|
+
}
|
|
276
|
+
/** Structural validation per §5.3. Throws on first violation. */
|
|
277
|
+
export function validateShareRecord(s, opts = {}) {
|
|
278
|
+
if (s.type !== "SEMP_RECOVERY_SHARE") {
|
|
279
|
+
throw new Error(`recovery: share type ${JSON.stringify(s.type)}, want SEMP_RECOVERY_SHARE`);
|
|
280
|
+
}
|
|
281
|
+
if (typeof s.bundle_id !== "string" || s.bundle_id === "") {
|
|
282
|
+
throw new Error("recovery: share record missing bundle_id");
|
|
283
|
+
}
|
|
284
|
+
if (!Number.isInteger(s.share_index) || s.share_index < 1) {
|
|
285
|
+
throw new Error(`recovery: share record share_index ${s.share_index} MUST be >= 1`);
|
|
286
|
+
}
|
|
287
|
+
if (!Number.isInteger(s.threshold) ||
|
|
288
|
+
s.threshold < 1 ||
|
|
289
|
+
!Number.isInteger(s.total_shares) ||
|
|
290
|
+
s.total_shares < s.threshold ||
|
|
291
|
+
s.share_index > s.total_shares) {
|
|
292
|
+
throw new Error(`recovery: share record (threshold=${s.threshold}, total_shares=${s.total_shares}, share_index=${s.share_index}) is inconsistent`);
|
|
293
|
+
}
|
|
294
|
+
if (typeof s.device_id !== "string" || s.device_id === "") {
|
|
295
|
+
throw new Error("recovery: share record missing device_id");
|
|
296
|
+
}
|
|
297
|
+
if (typeof s.share_value !== "string" || s.share_value === "") {
|
|
298
|
+
throw new Error("recovery: share record missing share_value");
|
|
299
|
+
}
|
|
300
|
+
if (typeof s.issued_at !== "string" || s.issued_at === "") {
|
|
301
|
+
throw new Error("recovery: share record missing issued_at");
|
|
302
|
+
}
|
|
303
|
+
if (!opts.skipSignatureCheck && s.device_signature.value === "") {
|
|
304
|
+
throw new Error("recovery: share record is unsigned");
|
|
305
|
+
}
|
|
306
|
+
}
|
|
307
|
+
/**
|
|
308
|
+
* Cross-check that `s` belongs to `m` per §5.3 step 2: bundle_id,
|
|
309
|
+
* share_index, device_id, threshold, total_shares MUST all match.
|
|
310
|
+
* Returns true when every check passes.
|
|
311
|
+
*/
|
|
312
|
+
export function checkShareMatchesManifest(s, m) {
|
|
313
|
+
if (s.bundle_id !== m.bundle_id) {
|
|
314
|
+
return false;
|
|
315
|
+
}
|
|
316
|
+
if (s.threshold !== m.threshold) {
|
|
317
|
+
return false;
|
|
318
|
+
}
|
|
319
|
+
if (s.total_shares !== m.total_shares) {
|
|
320
|
+
return false;
|
|
321
|
+
}
|
|
322
|
+
for (const c of m.contributors) {
|
|
323
|
+
if (c.share_index !== s.share_index) {
|
|
324
|
+
continue;
|
|
325
|
+
}
|
|
326
|
+
return c.device_id === s.device_id;
|
|
327
|
+
}
|
|
328
|
+
return false;
|
|
329
|
+
}
|
|
330
|
+
// ---------------------------------------------------------------------------
|
|
331
|
+
// Helpers
|
|
332
|
+
function concat(a, b) {
|
|
333
|
+
const out = new Uint8Array(a.length + b.length);
|
|
334
|
+
out.set(a, 0);
|
|
335
|
+
out.set(b, a.length);
|
|
336
|
+
return out;
|
|
337
|
+
}
|
|
338
|
+
function base64Encode(b) {
|
|
339
|
+
if (typeof Buffer !== "undefined") {
|
|
340
|
+
return Buffer.from(b).toString("base64");
|
|
341
|
+
}
|
|
342
|
+
let bin = "";
|
|
343
|
+
for (let i = 0; i < b.length; i++) {
|
|
344
|
+
bin += String.fromCharCode(b[i] ?? 0);
|
|
345
|
+
}
|
|
346
|
+
return btoa(bin);
|
|
347
|
+
}
|
|
348
|
+
function base64Decode(s) {
|
|
349
|
+
if (typeof Buffer !== "undefined") {
|
|
350
|
+
return new Uint8Array(Buffer.from(s, "base64"));
|
|
351
|
+
}
|
|
352
|
+
const bin = atob(s);
|
|
353
|
+
const out = new Uint8Array(bin.length);
|
|
354
|
+
for (let i = 0; i < bin.length; i++) {
|
|
355
|
+
out[i] = bin.charCodeAt(i);
|
|
356
|
+
}
|
|
357
|
+
return out;
|
|
358
|
+
}
|
|
359
|
+
//# sourceMappingURL=sign.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/recovery/sign.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAElE,OAAO,EAIL,sBAAsB,EACtB,4BAA4B,EAC5B,yBAAyB,EACzB,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAEpB,8EAA8E;AAC9E,oDAAoD;AAEpD;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CACxC,CAAkB,EAClB,aAAqB,EACrB,QAAgB,EAChB,WAAmB;IAEnB,CAAC,CAAC,kBAAkB,CAAC,SAAS,GAAG,yBAAyB,CAAC;IAC3D,CAAC,CAAC,kBAAkB,CAAC,MAAM,GAAG,aAAa,CAAC;IAC5C,CAAC,CAAC,kBAAkB,CAAC,KAAK,GAAG,EAAE,CAAC;IAChC,CAAC,CAAC,iBAAiB,CAAC,SAAS,GAAG,yBAAyB,CAAC;IAC1D,CAAC,CAAC,iBAAiB,CAAC,MAAM,GAAG,QAAQ,CAAC;IACtC,CAAC,CAAC,iBAAiB,CAAC,KAAK,GAAG,EAAE,CAAC;IAC/B,CAAC,CAAC,gBAAgB,CAAC,SAAS,GAAG,yBAAyB,CAAC;IACzD,CAAC,CAAC,gBAAgB,CAAC,MAAM,GAAG,WAAW,CAAC;IACxC,CAAC,CAAC,gBAAgB,CAAC,KAAK,GAAG,EAAE,CAAC;AAChC,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,qBAAqB,CACnC,CAAkB,EAClB,YAAwB,EACxB,aAAqB;IAErB,OAAO,cAAc,CACnB,CAAC,EACD,oBAAoB,EACpB,YAAY,EACZ,aAAa,EACb,eAAe,CAChB,CAAC;AACJ,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,mBAAmB,CACjC,CAAkB,EAClB,eAA2B,EAC3B,QAAgB;IAEhB,OAAO,cAAc,CACnB,CAAC,EACD,mBAAmB,EACnB,eAAe,EACf,QAAQ,EACR,UAAU,CACX,CAAC;AACJ,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,mBAAmB,CACjC,CAAkB,EAClB,UAAsB,EACtB,WAAmB;IAEnB,OAAO,cAAc,CACnB,CAAC,EACD,kBAAkB,EAClB,UAAU,EACV,WAAW,EACX,aAAa,CACd,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,CAAkB,EAClB,KAAsE,EACtE,IAAgB,EAChB,KAAa,EACb,QAAgB;IAEhB,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,mCAAmC,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,uBAAuB,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,QAAQ,CAAC,SAAS,KAAK,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,wDAAwD,KAAK,EAAE,CAChE,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,aAAa,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,0BAA0B,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAC1H,CAAC;IACJ,CAAC;IACD,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC;IACpB,MAAM,SAAS,GAAG,6CAA6C,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,MAAM,CACzB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,qBAAqB,CAAC,EAC/C,SAAS,CACV,CAAC;IACF,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACjC,QAAQ,CAAC,KAAK,GAAG,MAAM,CAAC;IACxB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,4BAA4B,CAC1C,CAAkB,EAClB,iBAA6B,EAC7B,SAAqB;IAErB,6DAA6D;IAC7D,+DAA+D;IAC/D,uBAAuB,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,KAAK,EAAE,IAAI,CAAC,CAAC,iBAAiB,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QAC1E,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC,CAAC,gBAAgB,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,6CAA6C,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,MAAM,CACzB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,qBAAqB,CAAC,EAC/C,SAAS,CACV,CAAC;IACF,IACE,CAAC,aAAa,CACZ,iBAAiB,EACjB,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,EACxC,YAAY,CACb,EACD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IACE,CAAC,aAAa,CACZ,SAAS,EACT,YAAY,CAAC,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,EACvC,YAAY,CACb,EACD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,qBAAqB,CACnC,CAAkB,EAClB,iBAA6B,EAC7B,SAAqB,EACrB,SAAqB;IAErB,uBAAuB,CAAC,CAAC,CAAC,CAAC;IAC3B,IACE,CAAC,CAAC,kBAAkB,CAAC,KAAK,KAAK,EAAE;QACjC,CAAC,CAAC,iBAAiB,CAAC,KAAK,KAAK,EAAE;QAChC,CAAC,CAAC,gBAAgB,CAAC,KAAK,KAAK,EAAE,EAC/B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,SAAS,GAAG,6CAA6C,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,MAAM,CACzB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,qBAAqB,CAAC,EAC/C,SAAS,CACV,CAAC;IACF,OAAO,CACL,aAAa,CACX,iBAAiB,EACjB,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,EACxC,YAAY,CACb;QACD,aAAa,CACX,SAAS,EACT,YAAY,CAAC,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,EACvC,YAAY,CACb;QACD,aAAa,CACX,SAAS,EACT,YAAY,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACtC,YAAY,CACb,CACF,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,uBAAuB,CACrC,CAAkB,EAClB,OAAyC,EAAE;IAE3C,IAAI,CAAC,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC7F,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,EAAE,YAAY,EAAE,gBAAgB,EAAE,cAAc,CAAU,EAAE,CAAC;QACrG,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,kBAAkB,CAAU,EAAE,CAAC;QACzF,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,SAAS,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,yBAAyB,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,IACE,CAAC,IAAI,CAAC,kBAAkB;QACxB,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,KAAK,EAAE;YAChC,CAAC,CAAC,iBAAiB,CAAC,KAAK,KAAK,EAAE;YAChC,CAAC,CAAC,gBAAgB,CAAC,KAAK,KAAK,EAAE,CAAC,EAClC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,6CAA6C,CACpD,CAAkB;IAElB,MAAM,KAAK,GAA4B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IACrE,KAAK,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,kBAAkB,CAAU,EAAE,CAAC;QACzF,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAA4B,CAAC;QAChD,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC;IACjB,CAAC;IACD,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,8EAA8E;AAC9E,gEAAgE;AAEhE;;;GAGG;AACH,MAAM,UAAU,YAAY,CAC1B,CAAsB,EACtB,YAAwB,EACxB,aAAqB;IAErB,IAAI,aAAa,KAAK,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,gBAAgB,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,SAAS,CAAC,SAAS,GAAG,yBAAyB,CAAC;IAClD,CAAC,CAAC,SAAS,CAAC,MAAM,GAAG,aAAa,CAAC;IACnC,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,EAAE,CAAC;IACvB,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;QACjD,WAAW,EAAE,CAAuC;QACpD,IAAI,EAAE,YAAY;QAClB,aAAa,EAAE,iBAAiB;QAChC,MAAM,EAAE,sBAAsB;KAC/B,CAAC,CAAC;IACH,mEAAmE;IACnE,mEAAmE;IACnE,CAAC,CAAC,SAAS,CAAC,KAAK,GAAI,UAAU,CAAC,SAA+B,CAAC,KAAK,CAAC;IACtE,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,cAAc,CAC5B,CAAsB,EACtB,WAAuB;IAEvB,gBAAgB,CAAC,CAAC,CAAC,CAAC;IACpB,IAAI,CAAC,CAAC,SAAS,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,EAAE,EAAE,EAAE,GAAG,eAAe,CAAC;QAC7B,UAAU,EAAE,CAAuC;QACnD,SAAS,EAAE,WAAW;QACtB,aAAa,EAAE,iBAAiB;QAChC,MAAM,EAAE,sBAAsB;KAC/B,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,gBAAgB,CAC9B,CAAsB,EACtB,OAAyC,EAAE;IAE3C,IAAI,CAAC,CAAC,IAAI,KAAK,4BAA4B,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,2BAA2B,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,mCAAmC,CACrF,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,SAAS,eAAe,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,mCAAmC,CAAC,CAAC,YAAY,yBAAyB,CAAC,CAAC,SAAS,EAAE,CACxF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,CAAC,YAAY,EAAE,CAAC;QAC/E,MAAM,IAAI,KAAK,CACb,0CAA0C,CAAC,CAAC,YAAY,EAAE,MAAM,IAAI,CAAC,4BAA4B,CAAC,CAAC,YAAY,EAAE,CAClH,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CAAE,CAAC;QAC7B,IACE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;YAChC,CAAC,CAAC,WAAW,GAAG,CAAC;YACjB,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,YAAY,EAC9B,CAAC;YACD,MAAM,IAAI,KAAK,CACb,mCAAmC,CAAC,iBAAiB,CAAC,CAAC,WAAW,eAAe,CAAC,CAAC,YAAY,GAAG,CACnG,CAAC;QACJ,CAAC;QACD,IAAI,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,kCAAkC,CAAC,CAAC,WAAW,yBAAyB,CACzE,CAAC;QACJ,CAAC;QACD,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,qBAAqB,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CACb,gCAAgC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,yBAAyB,CACrF,CAAC;QACJ,CAAC;QACD,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC5B,IACE,OAAO,CAAC,CAAC,sBAAsB,EAAE,UAAU,KAAK,QAAQ;YACxD,CAAC,CAAC,sBAAsB,CAAC,UAAU,KAAK,EAAE,EAC1C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,mCAAmC,CAAC,6CAA6C,CAClF,CAAC;QACJ,CAAC;QACD,IACE,OAAO,CAAC,CAAC,sBAAsB,EAAE,SAAS,KAAK,QAAQ;YACvD,CAAC,CAAC,sBAAsB,CAAC,SAAS,KAAK,EAAE,EACzC,CAAC;YACD,MAAM,IAAI,KAAK,CACb,mCAAmC,CAAC,4CAA4C,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,CAAC,SAAS,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,kEAAkE;AAElE,iFAAiF;AACjF,MAAM,UAAU,eAAe,CAC7B,CAAsB,EACtB,UAAsB,EACtB,WAAmB;IAEnB,IAAI,WAAW,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,mBAAmB,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,gBAAgB,CAAC,SAAS,GAAG,yBAAyB,CAAC;IACzD,CAAC,CAAC,gBAAgB,CAAC,MAAM,GAAG,WAAW,CAAC;IACxC,CAAC,CAAC,gBAAgB,CAAC,KAAK,GAAG,EAAE,CAAC;IAC9B,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;QACjD,WAAW,EAAE,CAAuC;QACpD,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,wBAAwB;QACvC,MAAM,EAAE,4BAA4B;KACrC,CAAC,CAAC;IACH,CAAC,CAAC,gBAAgB,CAAC,KAAK,GAAI,UAAU,CAAC,gBAAsC,CAAC,KAAK,CAAC;IACpF,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,iBAAiB,CAC/B,CAAsB,EACtB,SAAqB;IAErB,mBAAmB,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,CAAC,CAAC,gBAAgB,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,EAAE,EAAE,EAAE,GAAG,eAAe,CAAC;QAC7B,UAAU,EAAE,CAAuC;QACnD,SAAS,EAAE,SAAS;QACpB,aAAa,EAAE,wBAAwB;QACvC,MAAM,EAAE,4BAA4B;KACrC,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,mBAAmB,CACjC,CAAsB,EACtB,OAAyC,EAAE;IAE3C,IAAI,CAAC,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,wBAAwB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAC3E,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CACb,sCAAsC,CAAC,CAAC,WAAW,eAAe,CACnE,CAAC;IACJ,CAAC;IACD,IACE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9B,CAAC,CAAC,SAAS,GAAG,CAAC;QACf,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC;QACjC,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,SAAS;QAC5B,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,YAAY,EAC9B,CAAC;QACD,MAAM,IAAI,KAAK,CACb,qCAAqC,CAAC,CAAC,SAAS,kBAAkB,CAAC,CAAC,YAAY,iBAAiB,CAAC,CAAC,WAAW,mBAAmB,CAClI,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,IAAI,CAAC,CAAC,WAAW,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,CAAC,gBAAgB,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CACvC,CAAsB,EACtB,CAAsB;IAEtB,IAAI,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,YAAY,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;YACpC,SAAS;QACX,CAAC;QACD,OAAO,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,CAAC;IACrC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,UAAU;AAEV,SAAS,MAAM,CAAC,CAAa,EAAE,CAAa;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAChD,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACd,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACrB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1,180 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Wire-record types for SEMP account recovery per RECOVERY.md.
|
|
3
|
+
*
|
|
4
|
+
* @module
|
|
5
|
+
*/
|
|
6
|
+
/** Wire-level type discriminators per RECOVERY.md. */
|
|
7
|
+
export declare const SuccessorRecordType = "SEMP_SUCCESSOR";
|
|
8
|
+
export declare const RecoverySetManifestType = "SEMP_RECOVERY_SET_MANIFEST";
|
|
9
|
+
export declare const RecoveryShareRecordType = "SEMP_RECOVERY_SHARE";
|
|
10
|
+
export declare const BundleType = "SEMP_BACKUP_BUNDLE";
|
|
11
|
+
export declare const RecordVersion = "1.0.0";
|
|
12
|
+
/** Domain-separation prefixes per ENVELOPE.md §4.3. */
|
|
13
|
+
export declare const SuccessorRecordPrefix = "SEMP-SUCCESSOR-RECORD:";
|
|
14
|
+
export declare const RecoveryManifestPrefix = "SEMP-RECOVERY-MANIFEST:";
|
|
15
|
+
export declare const RecoveryShareSignaturePrefix = "SEMP-RECOVERY-SHARE:";
|
|
16
|
+
export declare const RecoveryBundlePrefix = "SEMP-RECOVERY-BUNDLE:";
|
|
17
|
+
/** Only signature algorithm currently defined for recovery records. */
|
|
18
|
+
export declare const SignatureAlgorithmEd25519 = "ed25519";
|
|
19
|
+
/** Bundle payload AEAD per §2.5: xchacha20-poly1305 with 24-byte nonce. */
|
|
20
|
+
export declare const BundlePayloadAEAD = "xchacha20-poly1305";
|
|
21
|
+
/** Bundle KDF per §2.5: Argon2id. */
|
|
22
|
+
export declare const KDFAlgorithmArgon2id = "argon2id";
|
|
23
|
+
/** Argon2id parameter floors per §2.5. */
|
|
24
|
+
export declare const MinKDFMemoryKB = 65536;
|
|
25
|
+
export declare const MinKDFIterations = 2;
|
|
26
|
+
export declare const MinKDFParallelism = 1;
|
|
27
|
+
export declare const MinKDFSaltBytes = 16;
|
|
28
|
+
export declare const RecommendedKDFMemoryKB = 262144;
|
|
29
|
+
export declare const RecommendedKDFIterations = 3;
|
|
30
|
+
export declare const RecommendedKDFParallelism = 4;
|
|
31
|
+
/** Reusable signature block. */
|
|
32
|
+
export interface RecoverySignatureBlock {
|
|
33
|
+
algorithm: string;
|
|
34
|
+
key_id: string;
|
|
35
|
+
value: string;
|
|
36
|
+
}
|
|
37
|
+
/**
|
|
38
|
+
* SEMP_SUCCESSOR per §7.2 — links a prior identity key to a new one
|
|
39
|
+
* after recovery or rotation. Carries three independent signatures
|
|
40
|
+
* so third-party domains can verify continuity without needing the
|
|
41
|
+
* prior identity private key.
|
|
42
|
+
*/
|
|
43
|
+
export interface SuccessorRecord {
|
|
44
|
+
type: typeof SuccessorRecordType;
|
|
45
|
+
version: string;
|
|
46
|
+
user_id: string;
|
|
47
|
+
prior_key_id: string;
|
|
48
|
+
new_key_id: string;
|
|
49
|
+
/** Base64. */
|
|
50
|
+
new_public_key: string;
|
|
51
|
+
/** ISO 8601 UTC. */
|
|
52
|
+
recovered_at: string;
|
|
53
|
+
recovery_signature: RecoverySignatureBlock;
|
|
54
|
+
new_key_signature: RecoverySignatureBlock;
|
|
55
|
+
domain_signature: RecoverySignatureBlock;
|
|
56
|
+
}
|
|
57
|
+
/** Embedded device-key block carried in each manifest contributor entry. */
|
|
58
|
+
export interface DeviceIdentityPubkey {
|
|
59
|
+
algorithm: string;
|
|
60
|
+
/** Base64. */
|
|
61
|
+
public_key: string;
|
|
62
|
+
key_id: string;
|
|
63
|
+
}
|
|
64
|
+
/** One device's binding to a Shamir share inside a manifest. */
|
|
65
|
+
export interface RecoveryContributor {
|
|
66
|
+
share_index: number;
|
|
67
|
+
device_id: string;
|
|
68
|
+
device_identity_pubkey: DeviceIdentityPubkey;
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* SEMP_RECOVERY_SET_MANIFEST per §5.2 — binds each Shamir share
|
|
72
|
+
* index to a specific device's identity public key.
|
|
73
|
+
*/
|
|
74
|
+
export interface RecoverySetManifest {
|
|
75
|
+
type: typeof RecoverySetManifestType;
|
|
76
|
+
version: string;
|
|
77
|
+
bundle_id: string;
|
|
78
|
+
threshold: number;
|
|
79
|
+
total_shares: number;
|
|
80
|
+
contributors: RecoveryContributor[];
|
|
81
|
+
/** ISO 8601 UTC. */
|
|
82
|
+
issued_at: string;
|
|
83
|
+
signature: RecoverySignatureBlock;
|
|
84
|
+
}
|
|
85
|
+
/**
|
|
86
|
+
* SEMP_RECOVERY_SHARE per §5.3 — one device's holding of a Shamir
|
|
87
|
+
* share, authenticated by the device's identity-key signature.
|
|
88
|
+
*/
|
|
89
|
+
export interface RecoveryShareRecord {
|
|
90
|
+
type: typeof RecoveryShareRecordType;
|
|
91
|
+
version: string;
|
|
92
|
+
bundle_id: string;
|
|
93
|
+
share_index: number;
|
|
94
|
+
device_id: string;
|
|
95
|
+
threshold: number;
|
|
96
|
+
total_shares: number;
|
|
97
|
+
/** Base64. */
|
|
98
|
+
share_value: string;
|
|
99
|
+
/** ISO 8601 UTC. */
|
|
100
|
+
issued_at: string;
|
|
101
|
+
device_signature: RecoverySignatureBlock;
|
|
102
|
+
}
|
|
103
|
+
/** KDF parameter block carried in a backup bundle per §2.1 / §2.5. */
|
|
104
|
+
export interface BundleKDF {
|
|
105
|
+
algorithm: string;
|
|
106
|
+
/** Base64 salt. */
|
|
107
|
+
salt: string;
|
|
108
|
+
memory_kb: number;
|
|
109
|
+
iterations: number;
|
|
110
|
+
parallelism: number;
|
|
111
|
+
}
|
|
112
|
+
/** Public half of the deterministic recovery key pair per §3.3. */
|
|
113
|
+
export interface RecoveryVerifyPK {
|
|
114
|
+
algorithm: string;
|
|
115
|
+
/** Base64. */
|
|
116
|
+
public_key: string;
|
|
117
|
+
}
|
|
118
|
+
/** Inner identity-key block carried in {@link BundlePayload} per §2.3. */
|
|
119
|
+
export interface IdentityKey {
|
|
120
|
+
algorithm: string;
|
|
121
|
+
/** Base64-encoded public key. */
|
|
122
|
+
public_key: string;
|
|
123
|
+
/** Base64-encoded private key. */
|
|
124
|
+
private_key: string;
|
|
125
|
+
/** ISO 8601 UTC. */
|
|
126
|
+
created: string;
|
|
127
|
+
/** ISO 8601 UTC; absent when the key does not expire. */
|
|
128
|
+
expires?: string;
|
|
129
|
+
}
|
|
130
|
+
/** Inner encryption-key block carried in {@link BundlePayload} per §2.3. */
|
|
131
|
+
export interface EncryptionKey {
|
|
132
|
+
algorithm: string;
|
|
133
|
+
key_id: string;
|
|
134
|
+
/** Base64-encoded public key. */
|
|
135
|
+
public_key: string;
|
|
136
|
+
/** Base64-encoded private key. */
|
|
137
|
+
private_key: string;
|
|
138
|
+
/** ISO 8601 UTC. */
|
|
139
|
+
created: string;
|
|
140
|
+
/** ISO 8601 UTC; absent when the key does not expire. */
|
|
141
|
+
expires?: string;
|
|
142
|
+
/** ISO 8601 UTC; null when the key is still current. */
|
|
143
|
+
superseded_at?: string | null;
|
|
144
|
+
}
|
|
145
|
+
/**
|
|
146
|
+
* Plaintext shape of {@link BackupBundle.encrypted_payload} per
|
|
147
|
+
* §2.3. Includes superseded + revoked encryption keys so envelopes
|
|
148
|
+
* sealed under any historical key remain decryptable after recovery.
|
|
149
|
+
*/
|
|
150
|
+
export interface BundlePayload {
|
|
151
|
+
identity_key: IdentityKey;
|
|
152
|
+
encryption_keys: EncryptionKey[];
|
|
153
|
+
/** Accumulated SEMP_DELIVERY_RECEIPT objects (§2.3.1). */
|
|
154
|
+
receipts?: unknown[];
|
|
155
|
+
/** Application-defined metadata. */
|
|
156
|
+
metadata?: Record<string, unknown>;
|
|
157
|
+
}
|
|
158
|
+
/**
|
|
159
|
+
* SEMP_BACKUP_BUNDLE per §2.1. Signed by the user's currently active
|
|
160
|
+
* identity private key under the SEMP-RECOVERY-BUNDLE: prefix.
|
|
161
|
+
*/
|
|
162
|
+
export interface BackupBundle {
|
|
163
|
+
type: typeof BundleType;
|
|
164
|
+
version: string;
|
|
165
|
+
user_id: string;
|
|
166
|
+
bundle_id: string;
|
|
167
|
+
/** ISO 8601 UTC. */
|
|
168
|
+
created_at: string;
|
|
169
|
+
/** Bundle id this one supersedes; nullable. */
|
|
170
|
+
supersedes: string | null;
|
|
171
|
+
kdf: BundleKDF;
|
|
172
|
+
payload_algorithm: string;
|
|
173
|
+
/** Base64 24-byte XChaCha20-Poly1305 nonce. */
|
|
174
|
+
payload_nonce: string;
|
|
175
|
+
/** Base64 AEAD output. */
|
|
176
|
+
encrypted_payload: string;
|
|
177
|
+
recovery_verify_pk: RecoveryVerifyPK;
|
|
178
|
+
signature: RecoverySignatureBlock;
|
|
179
|
+
}
|
|
180
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/recovery/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,mBAAmB,CAAC;AACpD,eAAO,MAAM,uBAAuB,+BAA+B,CAAC;AACpE,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAC7D,eAAO,MAAM,UAAU,uBAAuB,CAAC;AAC/C,eAAO,MAAM,aAAa,UAAU,CAAC;AAErC,uDAAuD;AACvD,eAAO,MAAM,qBAAqB,2BAA2B,CAAC;AAC9D,eAAO,MAAM,sBAAsB,4BAA4B,CAAC;AAChE,eAAO,MAAM,4BAA4B,yBAAyB,CAAC;AACnE,eAAO,MAAM,oBAAoB,0BAA0B,CAAC;AAE5D,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,YAAY,CAAC;AAEnD,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AAEtD,qCAAqC;AACrC,eAAO,MAAM,oBAAoB,aAAa,CAAC;AAE/C,0CAA0C;AAC1C,eAAO,MAAM,cAAc,QAAS,CAAC;AACrC,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAClC,eAAO,MAAM,iBAAiB,IAAI,CAAC;AACnC,eAAO,MAAM,eAAe,KAAK,CAAC;AAClC,eAAO,MAAM,sBAAsB,SAAU,CAAC;AAC9C,eAAO,MAAM,wBAAwB,IAAI,CAAC;AAC1C,eAAO,MAAM,yBAAyB,IAAI,CAAC;AAE3C,gCAAgC;AAChC,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,OAAO,mBAAmB,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,oBAAoB;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,sBAAsB,CAAC;IAC3C,iBAAiB,EAAE,sBAAsB,CAAC;IAC1C,gBAAgB,EAAE,sBAAsB,CAAC;CAC1C;AAED,4EAA4E;AAC5E,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,gEAAgE;AAChE,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,sBAAsB,EAAE,oBAAoB,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,OAAO,uBAAuB,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,mBAAmB,EAAE,CAAC;IACpC,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,sBAAsB,CAAC;CACnC;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,OAAO,uBAAuB,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,sBAAsB,CAAC;CAC1C;AAED,sEAAsE;AACtE,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,mEAAmE;AACnE,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,0EAA0E;AAC1E,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,4EAA4E;AAC5E,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wDAAwD;IACxD,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,WAAW,CAAC;IAC1B,eAAe,EAAE,aAAa,EAAE,CAAC;IACjC,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAC;IACrB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,OAAO,UAAU,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,GAAG,EAAE,SAAS,CAAC;IACf,iBAAiB,EAAE,MAAM,CAAC;IAC1B,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,gBAAgB,CAAC;IACrC,SAAS,EAAE,sBAAsB,CAAC;CACnC"}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Wire-record types for SEMP account recovery per RECOVERY.md.
|
|
3
|
+
*
|
|
4
|
+
* @module
|
|
5
|
+
*/
|
|
6
|
+
/** Wire-level type discriminators per RECOVERY.md. */
|
|
7
|
+
export const SuccessorRecordType = "SEMP_SUCCESSOR";
|
|
8
|
+
export const RecoverySetManifestType = "SEMP_RECOVERY_SET_MANIFEST";
|
|
9
|
+
export const RecoveryShareRecordType = "SEMP_RECOVERY_SHARE";
|
|
10
|
+
export const BundleType = "SEMP_BACKUP_BUNDLE";
|
|
11
|
+
export const RecordVersion = "1.0.0";
|
|
12
|
+
/** Domain-separation prefixes per ENVELOPE.md §4.3. */
|
|
13
|
+
export const SuccessorRecordPrefix = "SEMP-SUCCESSOR-RECORD:";
|
|
14
|
+
export const RecoveryManifestPrefix = "SEMP-RECOVERY-MANIFEST:";
|
|
15
|
+
export const RecoveryShareSignaturePrefix = "SEMP-RECOVERY-SHARE:";
|
|
16
|
+
export const RecoveryBundlePrefix = "SEMP-RECOVERY-BUNDLE:";
|
|
17
|
+
/** Only signature algorithm currently defined for recovery records. */
|
|
18
|
+
export const SignatureAlgorithmEd25519 = "ed25519";
|
|
19
|
+
/** Bundle payload AEAD per §2.5: xchacha20-poly1305 with 24-byte nonce. */
|
|
20
|
+
export const BundlePayloadAEAD = "xchacha20-poly1305";
|
|
21
|
+
/** Bundle KDF per §2.5: Argon2id. */
|
|
22
|
+
export const KDFAlgorithmArgon2id = "argon2id";
|
|
23
|
+
/** Argon2id parameter floors per §2.5. */
|
|
24
|
+
export const MinKDFMemoryKB = 65_536;
|
|
25
|
+
export const MinKDFIterations = 2;
|
|
26
|
+
export const MinKDFParallelism = 1;
|
|
27
|
+
export const MinKDFSaltBytes = 16;
|
|
28
|
+
export const RecommendedKDFMemoryKB = 262_144;
|
|
29
|
+
export const RecommendedKDFIterations = 3;
|
|
30
|
+
export const RecommendedKDFParallelism = 4;
|
|
31
|
+
//# sourceMappingURL=types.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/recovery/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,sDAAsD;AACtD,MAAM,CAAC,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AACpD,MAAM,CAAC,MAAM,uBAAuB,GAAG,4BAA4B,CAAC;AACpE,MAAM,CAAC,MAAM,uBAAuB,GAAG,qBAAqB,CAAC;AAC7D,MAAM,CAAC,MAAM,UAAU,GAAG,oBAAoB,CAAC;AAC/C,MAAM,CAAC,MAAM,aAAa,GAAG,OAAO,CAAC;AAErC,uDAAuD;AACvD,MAAM,CAAC,MAAM,qBAAqB,GAAG,wBAAwB,CAAC;AAC9D,MAAM,CAAC,MAAM,sBAAsB,GAAG,yBAAyB,CAAC;AAChE,MAAM,CAAC,MAAM,4BAA4B,GAAG,sBAAsB,CAAC;AACnE,MAAM,CAAC,MAAM,oBAAoB,GAAG,uBAAuB,CAAC;AAE5D,uEAAuE;AACvE,MAAM,CAAC,MAAM,yBAAyB,GAAG,SAAS,CAAC;AAEnD,2EAA2E;AAC3E,MAAM,CAAC,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAEtD,qCAAqC;AACrC,MAAM,CAAC,MAAM,oBAAoB,GAAG,UAAU,CAAC;AAE/C,0CAA0C;AAC1C,MAAM,CAAC,MAAM,cAAc,GAAG,MAAM,CAAC;AACrC,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAClC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC;AACnC,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,CAAC;AAClC,MAAM,CAAC,MAAM,sBAAsB,GAAG,OAAO,CAAC;AAC9C,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC;AAC1C,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC"}
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SEMP_ABUSE_REPORT compose helpers per REPUTATION.md §3.2 / §3.5 /
|
|
3
|
+
* §3.7.
|
|
4
|
+
*
|
|
5
|
+
* Abuse reports flow user → home-server over an authenticated
|
|
6
|
+
* session — the handshake identifies the reporting user so the
|
|
7
|
+
* report itself does NOT carry its own signature. The report's
|
|
8
|
+
* evidence MAY include decrypted envelope fragments, in which case
|
|
9
|
+
* an embedded {@link DisclosureAuthorization} signed by the
|
|
10
|
+
* affected user is required per §3.5 + §3.7.
|
|
11
|
+
*
|
|
12
|
+
* @module
|
|
13
|
+
*/
|
|
14
|
+
import { type AbuseCategory, type AbuseReport, type DisclosureAuthorization, type Evidence } from "./types.js";
|
|
15
|
+
/** Inputs to {@link newAbuseReport}. */
|
|
16
|
+
export interface AbuseReportInput {
|
|
17
|
+
/** ULID for the report. */
|
|
18
|
+
id: string;
|
|
19
|
+
reporter: string;
|
|
20
|
+
reported_domain: string;
|
|
21
|
+
reported_address?: string;
|
|
22
|
+
category: AbuseCategory | string;
|
|
23
|
+
evidence: Evidence;
|
|
24
|
+
description?: string;
|
|
25
|
+
extensions?: Record<string, unknown>;
|
|
26
|
+
/** Optional clock; defaults to `() => new Date()`. */
|
|
27
|
+
nowFn?: () => Date;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Construct a SEMP_ABUSE_REPORT with `type` / `version` /
|
|
31
|
+
* `timestamp` / `extensions` pre-populated.
|
|
32
|
+
*
|
|
33
|
+
* Throws when required fields are missing.
|
|
34
|
+
*/
|
|
35
|
+
export declare function newAbuseReport(input: AbuseReportInput): AbuseReport;
|
|
36
|
+
/**
|
|
37
|
+
* Lookup hook used by {@link validateEvidence} to resolve a user's
|
|
38
|
+
* identity public key. Returning `null` means "unknown user" —
|
|
39
|
+
* callers MUST treat that as a §3.7 verification failure.
|
|
40
|
+
*/
|
|
41
|
+
export type UserKeyLookup = (user: string) => Promise<Uint8Array | null>;
|
|
42
|
+
/**
|
|
43
|
+
* Walk an evidence payload and enforce the §3.7 rule: decrypted
|
|
44
|
+
* content requires a valid {@link DisclosureAuthorization} signed
|
|
45
|
+
* by the affected user.
|
|
46
|
+
*
|
|
47
|
+
* Metadata-only evidence is always acceptable — postmark + seal
|
|
48
|
+
* data is verifiable from the sender's published domain key without
|
|
49
|
+
* disclosing user content.
|
|
50
|
+
*
|
|
51
|
+
* Sealed evidence with disclosed brief / enclosure requires:
|
|
52
|
+
*
|
|
53
|
+
* 1. An embedded `disclosure_authorization`;
|
|
54
|
+
* 2. The authorization's `scope` covers what's actually disclosed;
|
|
55
|
+
* 3. The authorization's signature verifies under the affected
|
|
56
|
+
* user's identity public key.
|
|
57
|
+
*
|
|
58
|
+
* Throws on the first violation.
|
|
59
|
+
*/
|
|
60
|
+
export declare function validateEvidence(ev: Evidence, userKeyLookup: UserKeyLookup | null): Promise<void>;
|
|
61
|
+
export type { DisclosureAuthorization };
|
|
62
|
+
//# sourceMappingURL=abuse_report.d.ts.map
|