npm - @sempdev/semp - Versions diffs - 0.4.3 - Mend

@sempdev/semp 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (559) hide show

package/LICENSE +21 -0
package/README.md +59 -0
package/dist/brief/address.d.ts +77 -0
package/dist/brief/address.d.ts.map +1 -0
package/dist/brief/address.js +217 -0
package/dist/brief/address.js.map +1 -0
package/dist/brief/brief.d.ts +75 -0
package/dist/brief/brief.d.ts.map +1 -0
package/dist/brief/brief.js +56 -0
package/dist/brief/brief.js.map +1 -0
package/dist/brief/index.d.ts +11 -0
package/dist/brief/index.d.ts.map +1 -0
package/dist/brief/index.js +11 -0
package/dist/brief/index.js.map +1 -0
package/dist/canonical/index.d.ts +8 -0
package/dist/canonical/index.d.ts.map +1 -0
package/dist/canonical/index.js +8 -0
package/dist/canonical/index.js.map +1 -0
package/dist/canonical/marshal.d.ts +35 -0
package/dist/canonical/marshal.d.ts.map +1 -0
package/dist/canonical/marshal.js +107 -0
package/dist/canonical/marshal.js.map +1 -0
package/dist/clockskew/index.d.ts +52 -0
package/dist/clockskew/index.d.ts.map +1 -0
package/dist/clockskew/index.js +62 -0
package/dist/clockskew/index.js.map +1 -0
package/dist/closure/closure.d.ts +106 -0
package/dist/closure/closure.d.ts.map +1 -0
package/dist/closure/closure.js +152 -0
package/dist/closure/closure.js.map +1 -0
package/dist/closure/driver.d.ts +103 -0
package/dist/closure/driver.d.ts.map +1 -0
package/dist/closure/driver.js +126 -0
package/dist/closure/driver.js.map +1 -0
package/dist/closure/index.d.ts +13 -0
package/dist/closure/index.d.ts.map +1 -0
package/dist/closure/index.js +13 -0
package/dist/closure/index.js.map +1 -0
package/dist/closure/store.d.ts +80 -0
package/dist/closure/store.d.ts.map +1 -0
package/dist/closure/store.js +89 -0
package/dist/closure/store.js.map +1 -0
package/dist/crypto/aead.d.ts +29 -0
package/dist/crypto/aead.d.ts.map +1 -0
package/dist/crypto/aead.js +48 -0
package/dist/crypto/aead.js.map +1 -0
package/dist/crypto/argon2.d.ts +20 -0
package/dist/crypto/argon2.d.ts.map +1 -0
package/dist/crypto/argon2.js +28 -0
package/dist/crypto/argon2.js.map +1 -0
package/dist/crypto/index.d.ts +14 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +14 -0
package/dist/crypto/index.js.map +1 -0
package/dist/crypto/kdf.d.ts +96 -0
package/dist/crypto/kdf.d.ts.map +1 -0
package/dist/crypto/kdf.js +122 -0
package/dist/crypto/kdf.js.map +1 -0
package/dist/crypto/kem.d.ts +85 -0
package/dist/crypto/kem.d.ts.map +1 -0
package/dist/crypto/kem.js +130 -0
package/dist/crypto/kem.js.map +1 -0
package/dist/crypto/mac.d.ts +19 -0
package/dist/crypto/mac.d.ts.map +1 -0
package/dist/crypto/mac.js +32 -0
package/dist/crypto/mac.js.map +1 -0
package/dist/delivery/ack.d.ts +125 -0
package/dist/delivery/ack.d.ts.map +1 -0
package/dist/delivery/ack.js +141 -0
package/dist/delivery/ack.js.map +1 -0
package/dist/delivery/blocklist.d.ts +87 -0
package/dist/delivery/blocklist.d.ts.map +1 -0
package/dist/delivery/blocklist.js +107 -0
package/dist/delivery/blocklist.js.map +1 -0
package/dist/delivery/cancel.d.ts +60 -0
package/dist/delivery/cancel.d.ts.map +1 -0
package/dist/delivery/cancel.js +43 -0
package/dist/delivery/cancel.js.map +1 -0
package/dist/delivery/disposition.d.ts +106 -0
package/dist/delivery/disposition.d.ts.map +1 -0
package/dist/delivery/disposition.js +105 -0
package/dist/delivery/disposition.js.map +1 -0
package/dist/delivery/fetch.d.ts +59 -0
package/dist/delivery/fetch.d.ts.map +1 -0
package/dist/delivery/fetch.js +47 -0
package/dist/delivery/fetch.js.map +1 -0
package/dist/delivery/forwarder.d.ts +106 -0
package/dist/delivery/forwarder.d.ts.map +1 -0
package/dist/delivery/forwarder.js +251 -0
package/dist/delivery/forwarder.js.map +1 -0
package/dist/delivery/inbox.d.ts +42 -0
package/dist/delivery/inbox.d.ts.map +1 -0
package/dist/delivery/inbox.js +68 -0
package/dist/delivery/inbox.js.map +1 -0
package/dist/delivery/index.d.ts +31 -0
package/dist/delivery/index.d.ts.map +1 -0
package/dist/delivery/index.js +31 -0
package/dist/delivery/index.js.map +1 -0
package/dist/delivery/internalroute.d.ts +50 -0
package/dist/delivery/internalroute.d.ts.map +1 -0
package/dist/delivery/internalroute.js +23 -0
package/dist/delivery/internalroute.js.map +1 -0
package/dist/delivery/pipeline.d.ts +153 -0
package/dist/delivery/pipeline.d.ts.map +1 -0
package/dist/delivery/pipeline.js +356 -0
package/dist/delivery/pipeline.js.map +1 -0
package/dist/delivery/policy_state.d.ts +105 -0
package/dist/delivery/policy_state.d.ts.map +1 -0
package/dist/delivery/policy_state.js +293 -0
package/dist/delivery/policy_state.js.map +1 -0
package/dist/delivery/queue.d.ts +47 -0
package/dist/delivery/queue.d.ts.map +1 -0
package/dist/delivery/queue.js +33 -0
package/dist/delivery/queue.js.map +1 -0
package/dist/delivery/receipt.d.ts +137 -0
package/dist/delivery/receipt.d.ts.map +1 -0
package/dist/delivery/receipt.js +181 -0
package/dist/delivery/receipt.js.map +1 -0
package/dist/delivery/receipt_store.d.ts +81 -0
package/dist/delivery/receipt_store.d.ts.map +1 -0
package/dist/delivery/receipt_store.js +74 -0
package/dist/delivery/receipt_store.js.map +1 -0
package/dist/delivery/retry.d.ts +78 -0
package/dist/delivery/retry.d.ts.map +1 -0
package/dist/delivery/retry.js +132 -0
package/dist/delivery/retry.js.map +1 -0
package/dist/delivery/scheduler.d.ts +156 -0
package/dist/delivery/scheduler.d.ts.map +1 -0
package/dist/delivery/scheduler.js +349 -0
package/dist/delivery/scheduler.js.map +1 -0
package/dist/delivery/stage_partition.d.ts +87 -0
package/dist/delivery/stage_partition.d.ts.map +1 -0
package/dist/delivery/stage_partition.js +122 -0
package/dist/delivery/stage_partition.js.map +1 -0
package/dist/delivery/staged_runner.d.ts +100 -0
package/dist/delivery/staged_runner.d.ts.map +1 -0
package/dist/delivery/staged_runner.js +277 -0
package/dist/delivery/staged_runner.js.map +1 -0
package/dist/delivery/submission.d.ts +72 -0
package/dist/delivery/submission.d.ts.map +1 -0
package/dist/delivery/submission.js +58 -0
package/dist/delivery/submission.js.map +1 -0
package/dist/delivery/sync.d.ts +68 -0
package/dist/delivery/sync.d.ts.map +1 -0
package/dist/delivery/sync.js +99 -0
package/dist/delivery/sync.js.map +1 -0
package/dist/delivery/user_policy.d.ts +74 -0
package/dist/delivery/user_policy.d.ts.map +1 -0
package/dist/delivery/user_policy.js +140 -0
package/dist/delivery/user_policy.js.map +1 -0
package/dist/discovery/cache.d.ts +37 -0
package/dist/discovery/cache.d.ts.map +1 -0
package/dist/discovery/cache.js +45 -0
package/dist/discovery/cache.js.map +1 -0
package/dist/discovery/configuration.d.ts +97 -0
package/dist/discovery/configuration.d.ts.map +1 -0
package/dist/discovery/configuration.js +146 -0
package/dist/discovery/configuration.js.map +1 -0
package/dist/discovery/dns.d.ts +56 -0
package/dist/discovery/dns.d.ts.map +1 -0
package/dist/discovery/dns.js +120 -0
package/dist/discovery/dns.js.map +1 -0
package/dist/discovery/domain_keys.d.ts +62 -0
package/dist/discovery/domain_keys.d.ts.map +1 -0
package/dist/discovery/domain_keys.js +89 -0
package/dist/discovery/domain_keys.js.map +1 -0
package/dist/discovery/index.d.ts +19 -0
package/dist/discovery/index.d.ts.map +1 -0
package/dist/discovery/index.js +19 -0
package/dist/discovery/index.js.map +1 -0
package/dist/discovery/lookup.d.ts +72 -0
package/dist/discovery/lookup.d.ts.map +1 -0
package/dist/discovery/lookup.js +121 -0
package/dist/discovery/lookup.js.map +1 -0
package/dist/discovery/onion.d.ts +34 -0
package/dist/discovery/onion.d.ts.map +1 -0
package/dist/discovery/onion.js +61 -0
package/dist/discovery/onion.js.map +1 -0
package/dist/discovery/partition.d.ts +96 -0
package/dist/discovery/partition.d.ts.map +1 -0
package/dist/discovery/partition.js +247 -0
package/dist/discovery/partition.js.map +1 -0
package/dist/discovery/resolver.d.ts +113 -0
package/dist/discovery/resolver.d.ts.map +1 -0
package/dist/discovery/resolver.js +176 -0
package/dist/discovery/resolver.js.map +1 -0
package/dist/discovery/txt.d.ts +39 -0
package/dist/discovery/txt.d.ts.map +1 -0
package/dist/discovery/txt.js +71 -0
package/dist/discovery/txt.js.map +1 -0
package/dist/enclosure/forwarding.d.ts +128 -0
package/dist/enclosure/forwarding.d.ts.map +1 -0
package/dist/enclosure/forwarding.js +119 -0
package/dist/enclosure/forwarding.js.map +1 -0
package/dist/enclosure/index.d.ts +11 -0
package/dist/enclosure/index.d.ts.map +1 -0
package/dist/enclosure/index.js +11 -0
package/dist/enclosure/index.js.map +1 -0
package/dist/envelope/buckets.d.ts +38 -0
package/dist/envelope/buckets.d.ts.map +1 -0
package/dist/envelope/buckets.js +73 -0
package/dist/envelope/buckets.js.map +1 -0
package/dist/envelope/canonical.d.ts +28 -0
package/dist/envelope/canonical.d.ts.map +1 -0
package/dist/envelope/canonical.js +54 -0
package/dist/envelope/canonical.js.map +1 -0
package/dist/envelope/compose.d.ts +171 -0
package/dist/envelope/compose.d.ts.map +1 -0
package/dist/envelope/compose.js +237 -0
package/dist/envelope/compose.js.map +1 -0
package/dist/envelope/encode.d.ts +41 -0
package/dist/envelope/encode.d.ts.map +1 -0
package/dist/envelope/encode.js +69 -0
package/dist/envelope/encode.js.map +1 -0
package/dist/envelope/index.d.ts +20 -0
package/dist/envelope/index.d.ts.map +1 -0
package/dist/envelope/index.js +20 -0
package/dist/envelope/index.js.map +1 -0
package/dist/envelope/open_any.d.ts +48 -0
package/dist/envelope/open_any.d.ts.map +1 -0
package/dist/envelope/open_any.js +81 -0
package/dist/envelope/open_any.js.map +1 -0
package/dist/envelope/open_verified.d.ts +59 -0
package/dist/envelope/open_verified.d.ts.map +1 -0
package/dist/envelope/open_verified.js +67 -0
package/dist/envelope/open_verified.js.map +1 -0
package/dist/envelope/padding.d.ts +55 -0
package/dist/envelope/padding.d.ts.map +1 -0
package/dist/envelope/padding.js +162 -0
package/dist/envelope/padding.js.map +1 -0
package/dist/envelope/rejection.d.ts +22 -0
package/dist/envelope/rejection.d.ts.map +1 -0
package/dist/envelope/rejection.js +30 -0
package/dist/envelope/rejection.js.map +1 -0
package/dist/envelope/sendtime.d.ts +49 -0
package/dist/envelope/sendtime.d.ts.map +1 -0
package/dist/envelope/sendtime.js +87 -0
package/dist/envelope/sendtime.js.map +1 -0
package/dist/envelope/verify.d.ts +29 -0
package/dist/envelope/verify.d.ts.map +1 -0
package/dist/envelope/verify.js +90 -0
package/dist/envelope/verify.js.map +1 -0
package/dist/extensions/index.d.ts +7 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/index.js +7 -0
package/dist/extensions/index.js.map +1 -0
package/dist/extensions/limits.d.ts +101 -0
package/dist/extensions/limits.d.ts.map +1 -0
package/dist/extensions/limits.js +175 -0
package/dist/extensions/limits.js.map +1 -0
package/dist/handshake/abort.d.ts +49 -0
package/dist/handshake/abort.d.ts.map +1 -0
package/dist/handshake/abort.js +82 -0
package/dist/handshake/abort.js.map +1 -0
package/dist/handshake/capabilities.d.ts +46 -0
package/dist/handshake/capabilities.d.ts.map +1 -0
package/dist/handshake/capabilities.js +114 -0
package/dist/handshake/capabilities.js.map +1 -0
package/dist/handshake/client_state.d.ts +186 -0
package/dist/handshake/client_state.d.ts.map +1 -0
package/dist/handshake/client_state.js +520 -0
package/dist/handshake/client_state.js.map +1 -0
package/dist/handshake/confirm.d.ts +21 -0
package/dist/handshake/confirm.d.ts.map +1 -0
package/dist/handshake/confirm.js +27 -0
package/dist/handshake/confirm.js.map +1 -0
package/dist/handshake/driver.d.ts +126 -0
package/dist/handshake/driver.d.ts.map +1 -0
package/dist/handshake/driver.js +251 -0
package/dist/handshake/driver.js.map +1 -0
package/dist/handshake/federation.d.ts +365 -0
package/dist/handshake/federation.d.ts.map +1 -0
package/dist/handshake/federation.js +664 -0
package/dist/handshake/federation.js.map +1 -0
package/dist/handshake/first_contact.d.ts +57 -0
package/dist/handshake/first_contact.d.ts.map +1 -0
package/dist/handshake/first_contact.js +124 -0
package/dist/handshake/first_contact.js.map +1 -0
package/dist/handshake/identity.d.ts +101 -0
package/dist/handshake/identity.d.ts.map +1 -0
package/dist/handshake/identity.js +117 -0
package/dist/handshake/identity.js.map +1 -0
package/dist/handshake/index.d.ts +21 -0
package/dist/handshake/index.d.ts.map +1 -0
package/dist/handshake/index.js +21 -0
package/dist/handshake/index.js.map +1 -0
package/dist/handshake/messages.d.ts +176 -0
package/dist/handshake/messages.d.ts.map +1 -0
package/dist/handshake/messages.js +125 -0
package/dist/handshake/messages.js.map +1 -0
package/dist/handshake/pow.d.ts +53 -0
package/dist/handshake/pow.d.ts.map +1 -0
package/dist/handshake/pow.js +142 -0
package/dist/handshake/pow.js.map +1 -0
package/dist/handshake/resume_driver.d.ts +56 -0
package/dist/handshake/resume_driver.d.ts.map +1 -0
package/dist/handshake/resume_driver.js +75 -0
package/dist/handshake/resume_driver.js.map +1 -0
package/dist/handshake/server.d.ts +112 -0
package/dist/handshake/server.d.ts.map +1 -0
package/dist/handshake/server.js +247 -0
package/dist/handshake/server.js.map +1 -0
package/dist/handshake/server_state.d.ts +102 -0
package/dist/handshake/server_state.d.ts.map +1 -0
package/dist/handshake/server_state.js +278 -0
package/dist/handshake/server_state.js.map +1 -0
package/dist/index.d.ts +33 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +33 -0
package/dist/index.js.map +1 -0
package/dist/keys/compromise.d.ts +118 -0
package/dist/keys/compromise.d.ts.map +1 -0
package/dist/keys/compromise.js +218 -0
package/dist/keys/compromise.js.map +1 -0
package/dist/keys/device_certificate.d.ts +166 -0
package/dist/keys/device_certificate.d.ts.map +1 -0
package/dist/keys/device_certificate.js +328 -0
package/dist/keys/device_certificate.js.map +1 -0
package/dist/keys/device_records.d.ts +175 -0
package/dist/keys/device_records.d.ts.map +1 -0
package/dist/keys/device_records.js +418 -0
package/dist/keys/device_records.js.map +1 -0
package/dist/keys/directory_cache.d.ts +64 -0
package/dist/keys/directory_cache.d.ts.map +1 -0
package/dist/keys/directory_cache.js +98 -0
package/dist/keys/directory_cache.js.map +1 -0
package/dist/keys/directory_state.d.ts +79 -0
package/dist/keys/directory_state.d.ts.map +1 -0
package/dist/keys/directory_state.js +155 -0
package/dist/keys/directory_state.js.map +1 -0
package/dist/keys/index.d.ts +18 -0
package/dist/keys/index.d.ts.map +1 -0
package/dist/keys/index.js +18 -0
package/dist/keys/index.js.map +1 -0
package/dist/keys/key_revocation.d.ts +61 -0
package/dist/keys/key_revocation.d.ts.map +1 -0
package/dist/keys/key_revocation.js +88 -0
package/dist/keys/key_revocation.js.map +1 -0
package/dist/keys/request.d.ts +124 -0
package/dist/keys/request.d.ts.map +1 -0
package/dist/keys/request.js +130 -0
package/dist/keys/request.js.map +1 -0
package/dist/keys/sign.d.ts +49 -0
package/dist/keys/sign.d.ts.map +1 -0
package/dist/keys/sign.js +80 -0
package/dist/keys/sign.js.map +1 -0
package/dist/keys/signed.d.ts +80 -0
package/dist/keys/signed.d.ts.map +1 -0
package/dist/keys/signed.js +138 -0
package/dist/keys/signed.js.map +1 -0
package/dist/keys/store.d.ts +138 -0
package/dist/keys/store.d.ts.map +1 -0
package/dist/keys/store.js +107 -0
package/dist/keys/store.js.map +1 -0
package/dist/largeattachment/crypto.d.ts +47 -0
package/dist/largeattachment/crypto.d.ts.map +1 -0
package/dist/largeattachment/crypto.js +235 -0
package/dist/largeattachment/crypto.js.map +1 -0
package/dist/largeattachment/enclosure.d.ts +48 -0
package/dist/largeattachment/enclosure.d.ts.map +1 -0
package/dist/largeattachment/enclosure.js +102 -0
package/dist/largeattachment/enclosure.js.map +1 -0
package/dist/largeattachment/index.d.ts +15 -0
package/dist/largeattachment/index.d.ts.map +1 -0
package/dist/largeattachment/index.js +15 -0
package/dist/largeattachment/index.js.map +1 -0
package/dist/largeattachment/store.d.ts +36 -0
package/dist/largeattachment/store.d.ts.map +1 -0
package/dist/largeattachment/store.js +37 -0
package/dist/largeattachment/store.js.map +1 -0
package/dist/largeattachment/types.d.ts +56 -0
package/dist/largeattachment/types.d.ts.map +1 -0
package/dist/largeattachment/types.js +31 -0
package/dist/largeattachment/types.js.map +1 -0
package/dist/largeattachment/upload.d.ts +62 -0
package/dist/largeattachment/upload.d.ts.map +1 -0
package/dist/largeattachment/upload.js +166 -0
package/dist/largeattachment/upload.js.map +1 -0
package/dist/migration/index.d.ts +17 -0
package/dist/migration/index.d.ts.map +1 -0
package/dist/migration/index.js +17 -0
package/dist/migration/index.js.map +1 -0
package/dist/migration/lockout.d.ts +48 -0
package/dist/migration/lockout.d.ts.map +1 -0
package/dist/migration/lockout.js +57 -0
package/dist/migration/lockout.js.map +1 -0
package/dist/migration/migration.d.ts +48 -0
package/dist/migration/migration.d.ts.map +1 -0
package/dist/migration/migration.js +58 -0
package/dist/migration/migration.js.map +1 -0
package/dist/migration/notice.d.ts +33 -0
package/dist/migration/notice.d.ts.map +1 -0
package/dist/migration/notice.js +85 -0
package/dist/migration/notice.js.map +1 -0
package/dist/migration/orchestrate.d.ts +109 -0
package/dist/migration/orchestrate.d.ts.map +1 -0
package/dist/migration/orchestrate.js +212 -0
package/dist/migration/orchestrate.js.map +1 -0
package/dist/migration/publication_store.d.ts +34 -0
package/dist/migration/publication_store.d.ts.map +1 -0
package/dist/migration/publication_store.js +44 -0
package/dist/migration/publication_store.js.map +1 -0
package/dist/migration/sign.d.ts +65 -0
package/dist/migration/sign.d.ts.map +1 -0
package/dist/migration/sign.js +331 -0
package/dist/migration/sign.js.map +1 -0
package/dist/migration/types.d.ts +92 -0
package/dist/migration/types.d.ts.map +1 -0
package/dist/migration/types.js +26 -0
package/dist/migration/types.js.map +1 -0
package/dist/reasoncodes.d.ts +42 -0
package/dist/reasoncodes.d.ts.map +1 -0
package/dist/reasoncodes.js +80 -0
package/dist/reasoncodes.js.map +1 -0
package/dist/recovery/bundle.d.ts +34 -0
package/dist/recovery/bundle.d.ts.map +1 -0
package/dist/recovery/bundle.js +144 -0
package/dist/recovery/bundle.js.map +1 -0
package/dist/recovery/bundle_crypto.d.ts +60 -0
package/dist/recovery/bundle_crypto.d.ts.map +1 -0
package/dist/recovery/bundle_crypto.js +179 -0
package/dist/recovery/bundle_crypto.js.map +1 -0
package/dist/recovery/bundle_store.d.ts +57 -0
package/dist/recovery/bundle_store.d.ts.map +1 -0
package/dist/recovery/bundle_store.js +104 -0
package/dist/recovery/bundle_store.js.map +1 -0
package/dist/recovery/index.d.ts +19 -0
package/dist/recovery/index.d.ts.map +1 -0
package/dist/recovery/index.js +19 -0
package/dist/recovery/index.js.map +1 -0
package/dist/recovery/manifest_crosscheck.d.ts +59 -0
package/dist/recovery/manifest_crosscheck.d.ts.map +1 -0
package/dist/recovery/manifest_crosscheck.js +59 -0
package/dist/recovery/manifest_crosscheck.js.map +1 -0
package/dist/recovery/shamir.d.ts +51 -0
package/dist/recovery/shamir.d.ts.map +1 -0
package/dist/recovery/shamir.js +181 -0
package/dist/recovery/shamir.js.map +1 -0
package/dist/recovery/sign.d.ts +61 -0
package/dist/recovery/sign.d.ts.map +1 -0
package/dist/recovery/sign.js +359 -0
package/dist/recovery/sign.js.map +1 -0
package/dist/recovery/types.d.ts +180 -0
package/dist/recovery/types.d.ts.map +1 -0
package/dist/recovery/types.js +31 -0
package/dist/recovery/types.js.map +1 -0
package/dist/reputation/abuse_report.d.ts +62 -0
package/dist/reputation/abuse_report.d.ts.map +1 -0
package/dist/reputation/abuse_report.js +111 -0
package/dist/reputation/abuse_report.js.map +1 -0
package/dist/reputation/bucketize.d.ts +31 -0
package/dist/reputation/bucketize.d.ts.map +1 -0
package/dist/reputation/bucketize.js +77 -0
package/dist/reputation/bucketize.js.map +1 -0
package/dist/reputation/gossip.d.ts +24 -0
package/dist/reputation/gossip.d.ts.map +1 -0
package/dist/reputation/gossip.js +64 -0
package/dist/reputation/gossip.js.map +1 -0
package/dist/reputation/gossip_fetch.d.ts +64 -0
package/dist/reputation/gossip_fetch.d.ts.map +1 -0
package/dist/reputation/gossip_fetch.js +114 -0
package/dist/reputation/gossip_fetch.js.map +1 -0
package/dist/reputation/index.d.ts +20 -0
package/dist/reputation/index.d.ts.map +1 -0
package/dist/reputation/index.js +20 -0
package/dist/reputation/index.js.map +1 -0
package/dist/reputation/observation_store.d.ts +67 -0
package/dist/reputation/observation_store.d.ts.map +1 -0
package/dist/reputation/observation_store.js +171 -0
package/dist/reputation/observation_store.js.map +1 -0
package/dist/reputation/pow.d.ts +91 -0
package/dist/reputation/pow.d.ts.map +1 -0
package/dist/reputation/pow.js +209 -0
package/dist/reputation/pow.js.map +1 -0
package/dist/reputation/sign.d.ts +40 -0
package/dist/reputation/sign.d.ts.map +1 -0
package/dist/reputation/sign.js +202 -0
package/dist/reputation/sign.js.map +1 -0
package/dist/reputation/types.d.ts +133 -0
package/dist/reputation/types.d.ts.map +1 -0
package/dist/reputation/types.js +33 -0
package/dist/reputation/types.js.map +1 -0
package/dist/reputation/whois.d.ts +25 -0
package/dist/reputation/whois.d.ts.map +1 -0
package/dist/reputation/whois.js +20 -0
package/dist/reputation/whois.js.map +1 -0
package/dist/seal/index.d.ts +8 -0
package/dist/seal/index.d.ts.map +1 -0
package/dist/seal/index.js +8 -0
package/dist/seal/index.js.map +1 -0
package/dist/seal/wrap.d.ts +74 -0
package/dist/seal/wrap.d.ts.map +1 -0
package/dist/seal/wrap.js +213 -0
package/dist/seal/wrap.js.map +1 -0
package/dist/session/dispatcher.d.ts +65 -0
package/dist/session/dispatcher.d.ts.map +1 -0
package/dist/session/dispatcher.js +96 -0
package/dist/session/dispatcher.js.map +1 -0
package/dist/session/index.d.ts +15 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +15 -0
package/dist/session/index.js.map +1 -0
package/dist/session/rekey.d.ts +108 -0
package/dist/session/rekey.d.ts.map +1 -0
package/dist/session/rekey.js +207 -0
package/dist/session/rekey.js.map +1 -0
package/dist/session/rekey_seal.d.ts +66 -0
package/dist/session/rekey_seal.d.ts.map +1 -0
package/dist/session/rekey_seal.js +153 -0
package/dist/session/rekey_seal.js.map +1 -0
package/dist/session/resume.d.ts +125 -0
package/dist/session/resume.d.ts.map +1 -0
package/dist/session/resume.js +263 -0
package/dist/session/resume.js.map +1 -0
package/dist/session/session.d.ts +136 -0
package/dist/session/session.d.ts.map +1 -0
package/dist/session/session.js +188 -0
package/dist/session/session.js.map +1 -0
package/dist/transparency/index.d.ts +13 -0
package/dist/transparency/index.d.ts.map +1 -0
package/dist/transparency/index.js +13 -0
package/dist/transparency/index.js.map +1 -0
package/dist/transparency/log.d.ts +61 -0
package/dist/transparency/log.d.ts.map +1 -0
package/dist/transparency/log.js +133 -0
package/dist/transparency/log.js.map +1 -0
package/dist/transparency/merkle.d.ts +59 -0
package/dist/transparency/merkle.d.ts.map +1 -0
package/dist/transparency/merkle.js +314 -0
package/dist/transparency/merkle.js.map +1 -0
package/dist/transparency/sign.d.ts +48 -0
package/dist/transparency/sign.d.ts.map +1 -0
package/dist/transparency/sign.js +140 -0
package/dist/transparency/sign.js.map +1 -0
package/dist/transparency/types.d.ts +97 -0
package/dist/transparency/types.d.ts.map +1 -0
package/dist/transparency/types.js +25 -0
package/dist/transparency/types.js.map +1 -0
package/dist/transport/h2.d.ts +163 -0
package/dist/transport/h2.d.ts.map +1 -0
package/dist/transport/h2.js +397 -0
package/dist/transport/h2.js.map +1 -0
package/dist/transport/index.d.ts +15 -0
package/dist/transport/index.d.ts.map +1 -0
package/dist/transport/index.js +15 -0
package/dist/transport/index.js.map +1 -0
package/dist/transport/memory.d.ts +21 -0
package/dist/transport/memory.d.ts.map +1 -0
package/dist/transport/memory.js +112 -0
package/dist/transport/memory.js.map +1 -0
package/dist/transport/transport.d.ts +54 -0
package/dist/transport/transport.d.ts.map +1 -0
package/dist/transport/transport.js +20 -0
package/dist/transport/transport.js.map +1 -0
package/dist/transport/ws.d.ts +40 -0
package/dist/transport/ws.d.ts.map +1 -0
package/dist/transport/ws.js +204 -0
package/dist/transport/ws.js.map +1 -0
package/package.json +147 -0

package/dist/seal/wrap.js ADDED Viewed

@@ -0,0 +1,213 @@
+/**
+ * Seal-layer key wrap per ENVELOPE.md §4.4.1.
+ *
+ * The wrap protects a fresh symmetric key (K_brief or K_enclosure)
+ * for one recipient. The construction is HPKE-Base style:
+ *
+ *   1. KEM: encapsulate against the recipient's public key. For
+ *      X25519 the encapsulation generates a fresh ephemeral and
+ *      computes ECDH; for Kyber768+X25519 hybrid both halves run
+ *      in parallel.
+ *   2. KDF: HKDF-SHA-512 over the shared secret with salt
+ *      `kemCt || recipientPub` and info "SEMP-v1-wrap".
+ *   3. AEAD: zero nonce, recipient pub as AAD, plaintext = the
+ *      symmetric key being wrapped. The zero nonce is safe because
+ *      the wrap key is unique per call (fresh ephemeral feeds
+ *      into the KDF).
+ *
+ * Output: `kemCt || aeadCt`, base64-encoded.
+ *
+ * @module
+ */
+import { aeadOpen, aeadSeal, hybridDecapsulate, Kyber768CiphertextSize, Kyber768PublicKeySize, kyber768EncapsulateDeterministic, newHKDFSHA512, x25519Agree, x25519PublicKey, X25519Size, } from "../crypto/index.js";
+/** HKDF info context for the wrap-key expansion. */
+export const WrapInfo = "SEMP-v1-wrap";
+/**
+ * Unwrap a wrapped symmetric key per §4.4.1. Reverses the wrap
+ * computation: split kemCt from aeadCt by AEAD-overhead size,
+ * decapsulate, derive wrap_key, AEAD-open.
+ *
+ * @param suite negotiated suite that produced the wrap.
+ * @param recipientPrivateKey for X25519: 32 bytes; for hybrid:
+ *   2432 bytes (kyberPriv || x25519Priv per §4.4.1).
+ * @param recipientPublicKey for X25519: 32 bytes; for hybrid:
+ *   1216 bytes (kyberPub || x25519Pub per §4.4.1).
+ * @param wrappedB64 base64 of (kemCt || aeadCt).
+ */
+export function unwrap(suite, recipientPrivateKey, recipientPublicKey, wrappedB64) {
+    if (recipientPrivateKey.length === 0) {
+        throw new Error("seal: empty recipient private key");
+    }
+    if (recipientPublicKey.length === 0) {
+        throw new Error("seal: empty recipient public key");
+    }
+    const raw = base64Decode(wrappedB64);
+    const aead = suiteAEAD(suite);
+    // For both currently defined suites the wrapped symmetric key
+    // is 32 bytes (the AEAD key length); AEAD overhead is 16 bytes
+    // (Poly1305 tag); so aead_ct length is 48 bytes regardless of
+    // the K being wrapped.
+    const aeadCTLen = 32 + 16;
+    if (raw.length < aeadCTLen) {
+        throw new Error("seal: wrapped key truncated");
+    }
+    const kemCTLen = raw.length - aeadCTLen;
+    const kemCT = raw.slice(0, kemCTLen);
+    const aeadCT = raw.slice(kemCTLen);
+    const sharedSecret = decapsulate(suite, kemCT, recipientPrivateKey);
+    // KDF: salt = kemCt || recipientPublicKey, info = SEMP-v1-wrap.
+    const salt = concat(kemCT, recipientPublicKey);
+    const kdf = newHKDFSHA512();
+    const prk = kdf.extract(salt, sharedSecret);
+    const wrapKey = kdf.expand(prk, new TextEncoder().encode(WrapInfo), 32);
+    // AEAD: zero nonce, recipientPublicKey as AAD. The seal AEAD is
+    // ChaCha20-Poly1305 (12-byte nonce) regardless of suite — only
+    // the KEM is post-quantum on the PQ side. The `suite`-derived
+    // `aead` here is unused but kept for signature parity.
+    void aead;
+    const nonce = new Uint8Array(12);
+    return aeadOpen("chacha20-poly1305", wrapKey, nonce, aeadCT, recipientPublicKey);
+}
+/**
+ * Wrap `symmetricKey` for the given recipient under the negotiated
+ * suite. Production code path: uses the platform CSPRNG to generate
+ * a fresh ephemeral every call, which is what the §4.4.1 wrap
+ * construction requires — wrap-key uniqueness is what makes the
+ * zero-nonce AEAD safe.
+ *
+ * For deterministic byte-level reproducibility (vectors, audits),
+ * use {@link wrapWithRandomness} instead and pass pinned
+ * ephemeral inputs.
+ */
+export function wrap(suite, recipientPublicKey, symmetricKey) {
+    switch (suite) {
+        case "x25519-chacha20-poly1305": {
+            const ephPriv = randomBytes(X25519Size);
+            return wrapWithRandomness(suite, recipientPublicKey, symmetricKey, {
+                ephemeralX25519Priv: ephPriv,
+            });
+        }
+        case "pq-kyber768-x25519": {
+            const ephPriv = randomBytes(X25519Size);
+            const kyberM = randomBytes(32);
+            return wrapWithRandomness(suite, recipientPublicKey, symmetricKey, {
+                ephemeralX25519Priv: ephPriv,
+                kyberEncapsRandomnessM: kyberM,
+            });
+        }
+    }
+}
+/**
+ * Deterministic wrap for vector reproduction and audits. Production
+ * code MUST use {@link wrap} (which sources fresh entropy) — a
+ * deterministic wrap that leaks `ephemeralX25519Priv` reduces to
+ * "the adversary has the wrap key". Exposed here only because
+ * cross-language vectors pin these inputs.
+ *
+ * Returns base64(kemCt || aeadCt) per ENVELOPE.md §4.4.1.
+ */
+export function wrapWithRandomness(suite, recipientPublicKey, symmetricKey, randomness) {
+    const { kemCT, sharedSecret } = encapsulate(suite, recipientPublicKey, randomness);
+    // KDF: salt = kemCt || recipientPublicKey, info = SEMP-v1-wrap.
+    const salt = concat(kemCT, recipientPublicKey);
+    const kdf = newHKDFSHA512();
+    const prk = kdf.extract(salt, sharedSecret);
+    const wrapKey = kdf.expand(prk, new TextEncoder().encode(WrapInfo), 32);
+    // AEAD: zero nonce, recipientPublicKey as AAD. Always
+    // ChaCha20-Poly1305 (12-byte nonce) regardless of suite — only
+    // the KEM is post-quantum on the PQ side.
+    const nonce = new Uint8Array(12);
+    const aeadCT = aeadSeal("chacha20-poly1305", wrapKey, nonce, symmetricKey, recipientPublicKey);
+    const wrapped = concat(kemCT, aeadCT);
+    return base64Encode(wrapped);
+}
+function encapsulate(suite, recipientPublicKey, randomness) {
+    switch (suite) {
+        case "x25519-chacha20-poly1305": {
+            // X25519 KEM: kemCT is the sender's ephemeral pub; shared
+            // secret is ECDH(ephPriv, recipientPub).
+            if (recipientPublicKey.length !== X25519Size) {
+                throw new Error(`seal: x25519 recipient pub must be ${X25519Size} bytes`);
+            }
+            const ephPub = x25519PublicKey(randomness.ephemeralX25519Priv);
+            const shared = x25519Agree(randomness.ephemeralX25519Priv, recipientPublicKey);
+            return { kemCT: ephPub, sharedSecret: shared };
+        }
+        case "pq-kyber768-x25519": {
+            // Hybrid: kyber half (encapsulate against recipient kyber pub
+            // with pinned m) + x25519 half (ephemeral ECDH against
+            // recipient x25519 pub). Wire layout: kyberCt || x25519EphPub
+            // for the ciphertext, kyberSS || x25519SS for the secret.
+            if (randomness.kyberEncapsRandomnessM === undefined) {
+                throw new Error("seal: PQ wrap requires kyberEncapsRandomnessM");
+            }
+            const kyberPub = recipientPublicKey.slice(0, Kyber768PublicKeySize);
+            const xPub = recipientPublicKey.slice(Kyber768PublicKeySize);
+            const { ciphertext: kyberCt, sharedSecret: kyberSS } = kyber768EncapsulateDeterministic(kyberPub, randomness.kyberEncapsRandomnessM);
+            const xEphPub = x25519PublicKey(randomness.ephemeralX25519Priv);
+            const xSS = x25519Agree(randomness.ephemeralX25519Priv, xPub);
+            const kemCT = new Uint8Array(Kyber768CiphertextSize + X25519Size);
+            kemCT.set(kyberCt, 0);
+            kemCT.set(xEphPub, Kyber768CiphertextSize);
+            const shared = new Uint8Array(64);
+            shared.set(kyberSS, 0);
+            shared.set(xSS, 32);
+            return { kemCT, sharedSecret: shared };
+        }
+    }
+}
+function decapsulate(suite, kemCT, recipientPrivateKey) {
+    switch (suite) {
+        case "x25519-chacha20-poly1305":
+            // KEM ciphertext is the sender's ephemeral public key (32B);
+            // shared secret = ECDH(localPriv, ephPub).
+            if (kemCT.length !== 32) {
+                throw new Error(`seal: x25519 kemCT must be 32 bytes, got ${kemCT.length}`);
+            }
+            return x25519Agree(recipientPrivateKey, kemCT);
+        case "pq-kyber768-x25519":
+            return hybridDecapsulate(kemCT, recipientPrivateKey);
+    }
+}
+function suiteAEAD(suite) {
+    switch (suite) {
+        case "x25519-chacha20-poly1305":
+            return "chacha20-poly1305";
+        case "pq-kyber768-x25519":
+            return "xchacha20-poly1305";
+    }
+}
+function concat(a, b) {
+    const out = new Uint8Array(a.length + b.length);
+    out.set(a, 0);
+    out.set(b, a.length);
+    return out;
+}
+function base64Decode(s) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(s, "base64"));
+    }
+    const bin = atob(s);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        out[i] = bin.charCodeAt(i);
+    }
+    return out;
+}
+function base64Encode(b) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(b).toString("base64");
+    }
+    let bin = "";
+    for (let i = 0; i < b.length; i++) {
+        bin += String.fromCharCode(b[i] ?? 0);
+    }
+    return btoa(bin);
+}
+function randomBytes(n) {
+    const out = new Uint8Array(n);
+    // Web Crypto is available in Node >= 19 and every modern browser.
+    globalThis.crypto.getRandomValues(out);
+    return out;
+}
+//# sourceMappingURL=wrap.js.map

package/dist/seal/wrap.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"wrap.js","sourceRoot":"","sources":["../../src/seal/wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAEL,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,sBAAsB,EACtB,qBAAqB,EACrB,gCAAgC,EAChC,aAAa,EACb,WAAW,EACX,eAAe,EACf,UAAU,GACX,MAAM,oBAAoB,CAAC;AAE5B,oDAAoD;AACpD,MAAM,CAAC,MAAM,QAAQ,GAAG,cAAc,CAAC;AAKvC;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,MAAM,CACpB,KAAY,EACZ,mBAA+B,EAC/B,kBAA8B,EAC9B,UAAkB;IAElB,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IAErC,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,8DAA8D;IAC9D,+DAA+D;IAC/D,8DAA8D;IAC9D,uBAAuB;IACvB,MAAM,SAAS,GAAG,EAAE,GAAG,EAAE,CAAC;IAC1B,IAAI,GAAG,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,SAAS,CAAC;IACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAEnC,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,EAAE,mBAAmB,CAAC,CAAC;IAEpE,gEAAgE;IAChE,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,kBAAkB,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;IAExE,gEAAgE;IAChE,+DAA+D;IAC/D,8DAA8D;IAC9D,uDAAuD;IACvD,KAAK,IAAI,CAAC;IACV,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,OAAO,QAAQ,CAAC,mBAAmB,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,CAAC,CAAC;AACnF,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,IAAI,CAClB,KAAY,EACZ,kBAA8B,EAC9B,YAAwB;IAExB,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,0BAA0B,CAAC,CAAC,CAAC;YAChC,MAAM,OAAO,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YACxC,OAAO,kBAAkB,CAAC,KAAK,EAAE,kBAAkB,EAAE,YAAY,EAAE;gBACjE,mBAAmB,EAAE,OAAO;aAC7B,CAAC,CAAC;QACL,CAAC;QACD,KAAK,oBAAoB,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;YAC/B,OAAO,kBAAkB,CAAC,KAAK,EAAE,kBAAkB,EAAE,YAAY,EAAE;gBACjE,mBAAmB,EAAE,OAAO;gBAC5B,sBAAsB,EAAE,MAAM;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAgBD;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAY,EACZ,kBAA8B,EAC9B,YAAwB,EACxB,UAA0B;IAE1B,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,GAAG,WAAW,CACzC,KAAK,EACL,kBAAkB,EAClB,UAAU,CACX,CAAC;IAEF,gEAAgE;IAChE,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,kBAAkB,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;IAExE,sDAAsD;IACtD,+DAA+D;IAC/D,0CAA0C;IAC1C,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,QAAQ,CACrB,mBAAmB,EACnB,OAAO,EACP,KAAK,EACL,YAAY,EACZ,kBAAkB,CACnB,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtC,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,WAAW,CAClB,KAAY,EACZ,kBAA8B,EAC9B,UAA0B;IAE1B,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,0BAA0B,CAAC,CAAC,CAAC;YAChC,0DAA0D;YAC1D,yCAAyC;YACzC,IAAI,kBAAkB,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,CACb,sCAAsC,UAAU,QAAQ,CACzD,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,WAAW,CACxB,UAAU,CAAC,mBAAmB,EAC9B,kBAAkB,CACnB,CAAC;YACF,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;QACjD,CAAC;QACD,KAAK,oBAAoB,CAAC,CAAC,CAAC;YAC1B,8DAA8D;YAC9D,uDAAuD;YACvD,8DAA8D;YAC9D,0DAA0D;YAC1D,IAAI,UAAU,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;gBACpD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACnE,CAAC;YACD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC,EAAE,qBAAqB,CAAC,CAAC;YACpE,MAAM,IAAI,GAAG,kBAAkB,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;YAC7D,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,GAClD,gCAAgC,CAAC,QAAQ,EAAE,UAAU,CAAC,sBAAsB,CAAC,CAAC;YAChF,MAAM,OAAO,GAAG,eAAe,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;YAChE,MAAM,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;YAE9D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,sBAAsB,GAAG,UAAU,CAAC,CAAC;YAClE,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACtB,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC;YAE3C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACvB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAEpB,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAClB,KAAY,EACZ,KAAiB,EACjB,mBAA+B;IAE/B,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,0BAA0B;YAC7B,6DAA6D;YAC7D,2CAA2C;YAC3C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CACb,4CAA4C,KAAK,CAAC,MAAM,EAAE,CAC3D,CAAC;YACJ,CAAC;YACD,OAAO,WAAW,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;QACjD,KAAK,oBAAoB;YACvB,OAAO,iBAAiB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAY;IAC7B,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,0BAA0B;YAC7B,OAAO,mBAAmB,CAAC;QAC7B,KAAK,oBAAoB;YACvB,OAAO,oBAAoB,CAAC;IAChC,CAAC;AACH,CAAC;AAED,SAAS,MAAM,CAAC,CAAa,EAAE,CAAa;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAChD,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACd,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACrB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,kEAAkE;IAClE,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/session/dispatcher.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * Session message dispatcher.
+ *
+ * Reads frames off a Session's transport in a loop, parses the
+ * outermost `type` field, and routes each frame to the matching
+ * caller-supplied handler. Designed for the long-running phase
+ * after a successful handshake — when the wire carries a mix of
+ * envelopes, sealed rekey messages, key-fetch requests, etc.
+ *
+ * The dispatcher does NOT verify envelope signatures or open
+ * sealed payloads itself; those are concerns of the per-type
+ * handlers. Its job is solely message-type fan-out and lifecycle.
+ *
+ * @module
+ */
+import type { Session } from "./session.js";
+/** Handlers registered on a {@link runDispatcher} call. */
+export interface DispatchHandlers {
+    /**
+     * Sealed rekey message. The dispatcher reads the bytes off the
+     * transport and invokes this with the JSON object (already
+     * parsed). Production callers route through {@link "./rekey".rekeyServer}
+     * by feeding the bytes back through their own transport-level
+     * input — see the dispatcher example in the README.
+     */
+    onRekey?: (frame: Uint8Array, parsed: unknown) => Promise<void> | void;
+    /** A wire envelope (`type: SEMP_ENVELOPE`). */
+    onEnvelope?: (frame: Uint8Array, parsed: unknown) => Promise<void> | void;
+    /** A SEMP_KEYS request or response. */
+    onKeys?: (frame: Uint8Array, parsed: unknown) => Promise<void> | void;
+    /** A SEMP_DISCOVERY response delivered over an in-session channel. */
+    onDiscovery?: (frame: Uint8Array, parsed: unknown) => Promise<void> | void;
+    /** A SEMP_DELIVERY_ACK or SEMP_DELIVERY_RECEIPT. */
+    onDelivery?: (frame: Uint8Array, parsed: unknown) => Promise<void> | void;
+    /**
+     * Any frame whose `type` field doesn't match a registered
+     * handler. The default behavior (when this handler is not
+     * supplied) is to silently drop unknown types per the protocol
+     * forward-compatibility rule. Logging-level callers register
+     * this hook to surface unknowns at WARN.
+     */
+    onUnknown?: (type: string, frame: Uint8Array) => Promise<void> | void;
+    /**
+     * Invoked on a non-fatal error inside a handler. The dispatcher
+     * loop continues — the caller MUST decide whether to close the
+     * session. If this is not supplied, handler errors are swallowed.
+     */
+    onHandlerError?: (err: Error, type: string) => void;
+    /**
+     * Invoked on a fatal transport / parse error. The dispatcher
+     * exits its loop after calling this. If not supplied, the loop
+     * exits silently on fatal errors and {@link runDispatcher}
+     * resolves.
+     */
+    onFatal?: (err: Error) => void;
+}
+/**
+ * Run the dispatcher loop. Resolves when the session closes
+ * cleanly (peer EOF) OR after a fatal error has been surfaced
+ * to {@link DispatchHandlers.onFatal}. Does NOT close the
+ * session; the caller decides whether to call `session.close()`
+ * after this resolves.
+ */
+export declare function runDispatcher(session: Session, handlers: DispatchHandlers): Promise<void>;
+//# sourceMappingURL=dispatcher.d.ts.map

package/dist/session/dispatcher.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dispatcher.d.ts","sourceRoot":"","sources":["../../src/session/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,2DAA2D;AAC3D,MAAM,WAAW,gBAAgB;IAC/B;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAEvE,+CAA+C;IAC/C,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAE1E,uCAAuC;IACvC,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAEtE,sEAAsE;IACtE,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAE3E,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAE1E;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAEtE;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAEpD;;;;;OAKG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC;CAChC;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,IAAI,CAAC,CAuCf"}

package/dist/session/dispatcher.js ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Session message dispatcher.
+ *
+ * Reads frames off a Session's transport in a loop, parses the
+ * outermost `type` field, and routes each frame to the matching
+ * caller-supplied handler. Designed for the long-running phase
+ * after a successful handshake — when the wire carries a mix of
+ * envelopes, sealed rekey messages, key-fetch requests, etc.
+ *
+ * The dispatcher does NOT verify envelope signatures or open
+ * sealed payloads itself; those are concerns of the per-type
+ * handlers. Its job is solely message-type fan-out and lifecycle.
+ *
+ * @module
+ */
+/**
+ * Run the dispatcher loop. Resolves when the session closes
+ * cleanly (peer EOF) OR after a fatal error has been surfaced
+ * to {@link DispatchHandlers.onFatal}. Does NOT close the
+ * session; the caller decides whether to call `session.close()`
+ * after this resolves.
+ */
+export async function runDispatcher(session, handlers) {
+    while (true) {
+        let frame;
+        try {
+            frame = await session.receive();
+        }
+        catch (err) {
+            handlers.onFatal?.(err instanceof Error ? err : new Error(String(err)));
+            return;
+        }
+        if (frame === null) {
+            // Clean EOF.
+            return;
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(new TextDecoder().decode(frame));
+        }
+        catch (err) {
+            handlers.onFatal?.(new Error(`dispatcher: malformed frame: ${err instanceof Error ? err.message : String(err)}`));
+            return;
+        }
+        const type = typeof parsed.type === "string"
+            ? parsed.type
+            : "";
+        try {
+            await dispatchOne(type, frame, parsed, handlers);
+        }
+        catch (err) {
+            handlers.onHandlerError?.(err instanceof Error ? err : new Error(String(err)), type);
+            // Continue the loop; handler errors are non-fatal by default.
+        }
+    }
+}
+async function dispatchOne(type, frame, parsed, handlers) {
+    switch (type) {
+        case "SEMP_REKEY":
+            if (handlers.onRekey !== undefined) {
+                await handlers.onRekey(frame, parsed);
+                return;
+            }
+            break;
+        case "SEMP_ENVELOPE":
+            if (handlers.onEnvelope !== undefined) {
+                await handlers.onEnvelope(frame, parsed);
+                return;
+            }
+            break;
+        case "SEMP_KEYS":
+            if (handlers.onKeys !== undefined) {
+                await handlers.onKeys(frame, parsed);
+                return;
+            }
+            break;
+        case "SEMP_DISCOVERY":
+            if (handlers.onDiscovery !== undefined) {
+                await handlers.onDiscovery(frame, parsed);
+                return;
+            }
+            break;
+        case "SEMP_DELIVERY_ACK":
+        case "SEMP_DELIVERY_RECEIPT":
+            if (handlers.onDelivery !== undefined) {
+                await handlers.onDelivery(frame, parsed);
+                return;
+            }
+            break;
+    }
+    if (handlers.onUnknown !== undefined) {
+        await handlers.onUnknown(type, frame);
+    }
+    // else silently drop, per protocol forward-compatibility.
+}
+//# sourceMappingURL=dispatcher.js.map

package/dist/session/dispatcher.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dispatcher.js","sourceRoot":"","sources":["../../src/session/dispatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAoDH;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAgB,EAChB,QAA0B;IAE1B,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,KAAwB,CAAC;QAC7B,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,OAAO,EAAE,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,OAAO;QACT,CAAC;QACD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,aAAa;YACb,OAAO;QACT,CAAC;QAED,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,OAAO,EAAE,CAChB,IAAI,KAAK,CACP,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACnF,CACF,CAAC;YACF,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,OAAQ,MAA6B,CAAC,IAAI,KAAK,QAAQ;YAClE,CAAC,CAAE,MAA2B,CAAC,IAAI;YACnC,CAAC,CAAC,EAAE,CAAC;QAEP,IAAI,CAAC;YACH,MAAM,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,cAAc,EAAE,CACvB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EACnD,IAAI,CACL,CAAC;YACF,8DAA8D;QAChE,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,KAAiB,EACjB,MAAe,EACf,QAA0B;IAE1B,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,YAAY;YACf,IAAI,QAAQ,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;gBACnC,MAAM,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACtC,OAAO;YACT,CAAC;YACD,MAAM;QACR,KAAK,eAAe;YAClB,IAAI,QAAQ,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBACtC,MAAM,QAAQ,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACzC,OAAO;YACT,CAAC;YACD,MAAM;QACR,KAAK,WAAW;YACd,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACrC,OAAO;YACT,CAAC;YACD,MAAM;QACR,KAAK,gBAAgB;YACnB,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;gBACvC,MAAM,QAAQ,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YACD,MAAM;QACR,KAAK,mBAAmB,CAAC;QACzB,KAAK,uBAAuB;YAC1B,IAAI,QAAQ,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBACtC,MAAM,QAAQ,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACzC,OAAO;YACT,CAAC;YACD,MAAM;IACV,CAAC;IACD,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACrC,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACxC,CAAC;IACD,0DAA0D;AAC5D,CAAC"}

package/dist/session/index.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Session lifecycle layer per `SESSION.md`. Holds the post-handshake
+ * keys, TTL, transport, and permission set; lifts the runClient
+ * result into a usable session object.
+ *
+ * Future slices: rekey, resume, sequence-number tracking.
+ *
+ * @module
+ */
+export { type RekeyApply, type Role, type SessionConfig, Session, } from "./session.js";
+export { type SealedRekey, openRekeyMessage, sealRekeyMessage, } from "./rekey_seal.js";
+export { type RekeyAccepted, type RekeyClientOptions, type RekeyInit, type RekeyRejected, type RekeyServerOptions, RekeyRejectedError, rekeyClient, rekeyServer, } from "./rekey.js";
+export { type ResumeAccepted, type ResumeClientConfig, type ResumeRequest, type ResumeServerConfig, type TicketLookupResult, resumeClient, resumeServer, } from "./resume.js";
+export { type DispatchHandlers, runDispatcher } from "./dispatcher.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/session/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,IAAI,EACT,KAAK,aAAa,EAClB,OAAO,GACR,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,WAAW,EAChB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,kBAAkB,EAClB,WAAW,EACX,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,YAAY,EACZ,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,gBAAgB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/session/index.js ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Session lifecycle layer per `SESSION.md`. Holds the post-handshake
+ * keys, TTL, transport, and permission set; lifts the runClient
+ * result into a usable session object.
+ *
+ * Future slices: rekey, resume, sequence-number tracking.
+ *
+ * @module
+ */
+export { Session, } from "./session.js";
+export { openRekeyMessage, sealRekeyMessage, } from "./rekey_seal.js";
+export { RekeyRejectedError, rekeyClient, rekeyServer, } from "./rekey.js";
+export { resumeClient, resumeServer, } from "./resume.js";
+export { runDispatcher } from "./dispatcher.js";
+//# sourceMappingURL=index.js.map

package/dist/session/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAIL,OAAO,GACR,MAAM,cAAc,CAAC;AACtB,OAAO,EAEL,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAML,kBAAkB,EAClB,WAAW,EACX,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EAML,YAAY,EACZ,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAyB,aAAa,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/session/rekey.d.ts ADDED Viewed

@@ -0,0 +1,108 @@
+/**
+ * Rekey driver per SESSION.md §3.3.
+ *
+ * Both peers can initiate. The flow:
+ *
+ *   1. Initiator generates a new ephemeral X25519 keypair + a
+ *      32-byte rekey nonce. Builds RekeyInit, seals under the
+ *      current session's directional keys, sends.
+ *   2. Responder receives + opens the sealed init. Generates its
+ *      own new ephemeral + a 32-byte responder nonce + a new
+ *      session_id. Computes the new shared secret via X25519,
+ *      derives the five new session keys via HKDF-SHA-512 with
+ *      salt = rekey_nonce || responder_nonce.
+ *   3. Responder builds RekeyAccepted, seals under the current
+ *      session's directional keys, sends.
+ *   4. Both call session.applyRekey() to swap in the new keys
+ *      and new session_id atomically.
+ *
+ * On rejection (session_expired, rekey_unsupported, rate_limited),
+ * the responder sends a sealed RekeyRejected; the caller sees a
+ * RekeyRejectedError.
+ *
+ * Rekey messages carry no separate identity signature: receiving
+ * a valid sealed message is itself authentication, since only a
+ * holder of the live session keys can forge one.
+ *
+ * @module
+ */
+import type { Session } from "./session.js";
+/** Rekey-init message (decrypted body). */
+export interface RekeyInit {
+    type: "SEMP_REKEY";
+    step: "rekey-init";
+    version: "1.0.0";
+    session_id: string;
+    new_ephemeral_key: {
+        algorithm: string;
+        key: string;
+        key_id: string;
+    };
+    rekey_nonce: string;
+}
+/** Rekey-accepted message (decrypted body). */
+export interface RekeyAccepted {
+    type: "SEMP_REKEY";
+    step: "rekey-accepted";
+    version: "1.0.0";
+    session_id: string;
+    new_session_id: string;
+    new_ephemeral_key: {
+        algorithm: string;
+        key: string;
+        key_id: string;
+    };
+    rekey_nonce: string;
+    responder_nonce: string;
+}
+/** Rekey-rejected message (decrypted body). */
+export interface RekeyRejected {
+    type: "SEMP_REKEY";
+    step: "rekey-rejected";
+    version: "1.0.0";
+    session_id: string;
+    reason_code: string;
+    reason?: string;
+}
+/** Error thrown when the responder rejects a rekey attempt. */
+export declare class RekeyRejectedError extends Error {
+    readonly reasonCode: string;
+    readonly reason: string | undefined;
+    constructor(reasonCode: string, reason: string | undefined);
+}
+/** Inputs to the initiator side of rekey (deterministic-friendly). */
+export interface RekeyClientOptions {
+    /** Optional pinned ephemeral private (32 bytes) for tests. */
+    ephemeralPriv?: Uint8Array;
+    /** Optional pinned 32-byte rekey nonce for tests. */
+    rekeyNonce?: Uint8Array;
+}
+/**
+ * Initiate a rekey. The session installs new keys + a new
+ * session_id on success and resolves with the new session_id.
+ *
+ * @throws RekeyRejectedError when the responder sends a sealed
+ * RekeyRejected.
+ */
+export declare function rekeyClient(session: Session, options?: RekeyClientOptions): Promise<string>;
+/** Inputs to the responder side of rekey (deterministic-friendly). */
+export interface RekeyServerOptions {
+    /** Optional pinned ephemeral private for tests. */
+    ephemeralPriv?: Uint8Array;
+    /** Optional pinned 32-byte responder nonce for tests. */
+    responderNonce?: Uint8Array;
+    /** Generator for the new session_id. Required for production. */
+    generateSessionId: () => string;
+}
+/**
+ * Respond to a rekey. Reads one sealed message off the session
+ * transport, validates it as a RekeyInit, derives new keys,
+ * sends a sealed RekeyAccepted, and applies the rekey to the
+ * session. Resolves with the new session_id.
+ *
+ * Production callers wire this into their session-message
+ * dispatcher: when an inbound SEMP_REKEY arrives, route the
+ * sealed bytes here.
+ */
+export declare function rekeyServer(session: Session, options: RekeyServerOptions): Promise<string>;
+//# sourceMappingURL=rekey.d.ts.map

package/dist/session/rekey.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rekey.d.ts","sourceRoot":"","sources":["../../src/session/rekey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAWH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAO5C,2CAA2C;AAC3C,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,YAAY,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACtE,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,gBAAgB,CAAC;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACtE,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,gBAAgB,CAAC;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,+DAA+D;AAC/D,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;gBACxB,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,SAAS;CAK3D;AAED,sEAAsE;AACtE,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,aAAa,CAAC,EAAE,UAAU,CAAC;IAC3B,qDAAqD;IACrD,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,CAAC,CAkEjB;AAED,sEAAsE;AACtE,MAAM,WAAW,kBAAkB;IACjC,mDAAmD;IACnD,aAAa,CAAC,EAAE,UAAU,CAAC;IAC3B,yDAAyD;IACzD,cAAc,CAAC,EAAE,UAAU,CAAC;IAC5B,iEAAiE;IACjE,iBAAiB,EAAE,MAAM,MAAM,CAAC;CACjC;AAED;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,MAAM,CAAC,CA0DjB"}