npm - @sempdev/semp - Versions diffs - 0.4.3 - Mend

@sempdev/semp 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (559) hide show

package/LICENSE +21 -0
package/README.md +59 -0
package/dist/brief/address.d.ts +77 -0
package/dist/brief/address.d.ts.map +1 -0
package/dist/brief/address.js +217 -0
package/dist/brief/address.js.map +1 -0
package/dist/brief/brief.d.ts +75 -0
package/dist/brief/brief.d.ts.map +1 -0
package/dist/brief/brief.js +56 -0
package/dist/brief/brief.js.map +1 -0
package/dist/brief/index.d.ts +11 -0
package/dist/brief/index.d.ts.map +1 -0
package/dist/brief/index.js +11 -0
package/dist/brief/index.js.map +1 -0
package/dist/canonical/index.d.ts +8 -0
package/dist/canonical/index.d.ts.map +1 -0
package/dist/canonical/index.js +8 -0
package/dist/canonical/index.js.map +1 -0
package/dist/canonical/marshal.d.ts +35 -0
package/dist/canonical/marshal.d.ts.map +1 -0
package/dist/canonical/marshal.js +107 -0
package/dist/canonical/marshal.js.map +1 -0
package/dist/clockskew/index.d.ts +52 -0
package/dist/clockskew/index.d.ts.map +1 -0
package/dist/clockskew/index.js +62 -0
package/dist/clockskew/index.js.map +1 -0
package/dist/closure/closure.d.ts +106 -0
package/dist/closure/closure.d.ts.map +1 -0
package/dist/closure/closure.js +152 -0
package/dist/closure/closure.js.map +1 -0
package/dist/closure/driver.d.ts +103 -0
package/dist/closure/driver.d.ts.map +1 -0
package/dist/closure/driver.js +126 -0
package/dist/closure/driver.js.map +1 -0
package/dist/closure/index.d.ts +13 -0
package/dist/closure/index.d.ts.map +1 -0
package/dist/closure/index.js +13 -0
package/dist/closure/index.js.map +1 -0
package/dist/closure/store.d.ts +80 -0
package/dist/closure/store.d.ts.map +1 -0
package/dist/closure/store.js +89 -0
package/dist/closure/store.js.map +1 -0
package/dist/crypto/aead.d.ts +29 -0
package/dist/crypto/aead.d.ts.map +1 -0
package/dist/crypto/aead.js +48 -0
package/dist/crypto/aead.js.map +1 -0
package/dist/crypto/argon2.d.ts +20 -0
package/dist/crypto/argon2.d.ts.map +1 -0
package/dist/crypto/argon2.js +28 -0
package/dist/crypto/argon2.js.map +1 -0
package/dist/crypto/index.d.ts +14 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +14 -0
package/dist/crypto/index.js.map +1 -0
package/dist/crypto/kdf.d.ts +96 -0
package/dist/crypto/kdf.d.ts.map +1 -0
package/dist/crypto/kdf.js +122 -0
package/dist/crypto/kdf.js.map +1 -0
package/dist/crypto/kem.d.ts +85 -0
package/dist/crypto/kem.d.ts.map +1 -0
package/dist/crypto/kem.js +130 -0
package/dist/crypto/kem.js.map +1 -0
package/dist/crypto/mac.d.ts +19 -0
package/dist/crypto/mac.d.ts.map +1 -0
package/dist/crypto/mac.js +32 -0
package/dist/crypto/mac.js.map +1 -0
package/dist/delivery/ack.d.ts +125 -0
package/dist/delivery/ack.d.ts.map +1 -0
package/dist/delivery/ack.js +141 -0
package/dist/delivery/ack.js.map +1 -0
package/dist/delivery/blocklist.d.ts +87 -0
package/dist/delivery/blocklist.d.ts.map +1 -0
package/dist/delivery/blocklist.js +107 -0
package/dist/delivery/blocklist.js.map +1 -0
package/dist/delivery/cancel.d.ts +60 -0
package/dist/delivery/cancel.d.ts.map +1 -0
package/dist/delivery/cancel.js +43 -0
package/dist/delivery/cancel.js.map +1 -0
package/dist/delivery/disposition.d.ts +106 -0
package/dist/delivery/disposition.d.ts.map +1 -0
package/dist/delivery/disposition.js +105 -0
package/dist/delivery/disposition.js.map +1 -0
package/dist/delivery/fetch.d.ts +59 -0
package/dist/delivery/fetch.d.ts.map +1 -0
package/dist/delivery/fetch.js +47 -0
package/dist/delivery/fetch.js.map +1 -0
package/dist/delivery/forwarder.d.ts +106 -0
package/dist/delivery/forwarder.d.ts.map +1 -0
package/dist/delivery/forwarder.js +251 -0
package/dist/delivery/forwarder.js.map +1 -0
package/dist/delivery/inbox.d.ts +42 -0
package/dist/delivery/inbox.d.ts.map +1 -0
package/dist/delivery/inbox.js +68 -0
package/dist/delivery/inbox.js.map +1 -0
package/dist/delivery/index.d.ts +31 -0
package/dist/delivery/index.d.ts.map +1 -0
package/dist/delivery/index.js +31 -0
package/dist/delivery/index.js.map +1 -0
package/dist/delivery/internalroute.d.ts +50 -0
package/dist/delivery/internalroute.d.ts.map +1 -0
package/dist/delivery/internalroute.js +23 -0
package/dist/delivery/internalroute.js.map +1 -0
package/dist/delivery/pipeline.d.ts +153 -0
package/dist/delivery/pipeline.d.ts.map +1 -0
package/dist/delivery/pipeline.js +356 -0
package/dist/delivery/pipeline.js.map +1 -0
package/dist/delivery/policy_state.d.ts +105 -0
package/dist/delivery/policy_state.d.ts.map +1 -0
package/dist/delivery/policy_state.js +293 -0
package/dist/delivery/policy_state.js.map +1 -0
package/dist/delivery/queue.d.ts +47 -0
package/dist/delivery/queue.d.ts.map +1 -0
package/dist/delivery/queue.js +33 -0
package/dist/delivery/queue.js.map +1 -0
package/dist/delivery/receipt.d.ts +137 -0
package/dist/delivery/receipt.d.ts.map +1 -0
package/dist/delivery/receipt.js +181 -0
package/dist/delivery/receipt.js.map +1 -0
package/dist/delivery/receipt_store.d.ts +81 -0
package/dist/delivery/receipt_store.d.ts.map +1 -0
package/dist/delivery/receipt_store.js +74 -0
package/dist/delivery/receipt_store.js.map +1 -0
package/dist/delivery/retry.d.ts +78 -0
package/dist/delivery/retry.d.ts.map +1 -0
package/dist/delivery/retry.js +132 -0
package/dist/delivery/retry.js.map +1 -0
package/dist/delivery/scheduler.d.ts +156 -0
package/dist/delivery/scheduler.d.ts.map +1 -0
package/dist/delivery/scheduler.js +349 -0
package/dist/delivery/scheduler.js.map +1 -0
package/dist/delivery/stage_partition.d.ts +87 -0
package/dist/delivery/stage_partition.d.ts.map +1 -0
package/dist/delivery/stage_partition.js +122 -0
package/dist/delivery/stage_partition.js.map +1 -0
package/dist/delivery/staged_runner.d.ts +100 -0
package/dist/delivery/staged_runner.d.ts.map +1 -0
package/dist/delivery/staged_runner.js +277 -0
package/dist/delivery/staged_runner.js.map +1 -0
package/dist/delivery/submission.d.ts +72 -0
package/dist/delivery/submission.d.ts.map +1 -0
package/dist/delivery/submission.js +58 -0
package/dist/delivery/submission.js.map +1 -0
package/dist/delivery/sync.d.ts +68 -0
package/dist/delivery/sync.d.ts.map +1 -0
package/dist/delivery/sync.js +99 -0
package/dist/delivery/sync.js.map +1 -0
package/dist/delivery/user_policy.d.ts +74 -0
package/dist/delivery/user_policy.d.ts.map +1 -0
package/dist/delivery/user_policy.js +140 -0
package/dist/delivery/user_policy.js.map +1 -0
package/dist/discovery/cache.d.ts +37 -0
package/dist/discovery/cache.d.ts.map +1 -0
package/dist/discovery/cache.js +45 -0
package/dist/discovery/cache.js.map +1 -0
package/dist/discovery/configuration.d.ts +97 -0
package/dist/discovery/configuration.d.ts.map +1 -0
package/dist/discovery/configuration.js +146 -0
package/dist/discovery/configuration.js.map +1 -0
package/dist/discovery/dns.d.ts +56 -0
package/dist/discovery/dns.d.ts.map +1 -0
package/dist/discovery/dns.js +120 -0
package/dist/discovery/dns.js.map +1 -0
package/dist/discovery/domain_keys.d.ts +62 -0
package/dist/discovery/domain_keys.d.ts.map +1 -0
package/dist/discovery/domain_keys.js +89 -0
package/dist/discovery/domain_keys.js.map +1 -0
package/dist/discovery/index.d.ts +19 -0
package/dist/discovery/index.d.ts.map +1 -0
package/dist/discovery/index.js +19 -0
package/dist/discovery/index.js.map +1 -0
package/dist/discovery/lookup.d.ts +72 -0
package/dist/discovery/lookup.d.ts.map +1 -0
package/dist/discovery/lookup.js +121 -0
package/dist/discovery/lookup.js.map +1 -0
package/dist/discovery/onion.d.ts +34 -0
package/dist/discovery/onion.d.ts.map +1 -0
package/dist/discovery/onion.js +61 -0
package/dist/discovery/onion.js.map +1 -0
package/dist/discovery/partition.d.ts +96 -0
package/dist/discovery/partition.d.ts.map +1 -0
package/dist/discovery/partition.js +247 -0
package/dist/discovery/partition.js.map +1 -0
package/dist/discovery/resolver.d.ts +113 -0
package/dist/discovery/resolver.d.ts.map +1 -0
package/dist/discovery/resolver.js +176 -0
package/dist/discovery/resolver.js.map +1 -0
package/dist/discovery/txt.d.ts +39 -0
package/dist/discovery/txt.d.ts.map +1 -0
package/dist/discovery/txt.js +71 -0
package/dist/discovery/txt.js.map +1 -0
package/dist/enclosure/forwarding.d.ts +128 -0
package/dist/enclosure/forwarding.d.ts.map +1 -0
package/dist/enclosure/forwarding.js +119 -0
package/dist/enclosure/forwarding.js.map +1 -0
package/dist/enclosure/index.d.ts +11 -0
package/dist/enclosure/index.d.ts.map +1 -0
package/dist/enclosure/index.js +11 -0
package/dist/enclosure/index.js.map +1 -0
package/dist/envelope/buckets.d.ts +38 -0
package/dist/envelope/buckets.d.ts.map +1 -0
package/dist/envelope/buckets.js +73 -0
package/dist/envelope/buckets.js.map +1 -0
package/dist/envelope/canonical.d.ts +28 -0
package/dist/envelope/canonical.d.ts.map +1 -0
package/dist/envelope/canonical.js +54 -0
package/dist/envelope/canonical.js.map +1 -0
package/dist/envelope/compose.d.ts +171 -0
package/dist/envelope/compose.d.ts.map +1 -0
package/dist/envelope/compose.js +237 -0
package/dist/envelope/compose.js.map +1 -0
package/dist/envelope/encode.d.ts +41 -0
package/dist/envelope/encode.d.ts.map +1 -0
package/dist/envelope/encode.js +69 -0
package/dist/envelope/encode.js.map +1 -0
package/dist/envelope/index.d.ts +20 -0
package/dist/envelope/index.d.ts.map +1 -0
package/dist/envelope/index.js +20 -0
package/dist/envelope/index.js.map +1 -0
package/dist/envelope/open_any.d.ts +48 -0
package/dist/envelope/open_any.d.ts.map +1 -0
package/dist/envelope/open_any.js +81 -0
package/dist/envelope/open_any.js.map +1 -0
package/dist/envelope/open_verified.d.ts +59 -0
package/dist/envelope/open_verified.d.ts.map +1 -0
package/dist/envelope/open_verified.js +67 -0
package/dist/envelope/open_verified.js.map +1 -0
package/dist/envelope/padding.d.ts +55 -0
package/dist/envelope/padding.d.ts.map +1 -0
package/dist/envelope/padding.js +162 -0
package/dist/envelope/padding.js.map +1 -0
package/dist/envelope/rejection.d.ts +22 -0
package/dist/envelope/rejection.d.ts.map +1 -0
package/dist/envelope/rejection.js +30 -0
package/dist/envelope/rejection.js.map +1 -0
package/dist/envelope/sendtime.d.ts +49 -0
package/dist/envelope/sendtime.d.ts.map +1 -0
package/dist/envelope/sendtime.js +87 -0
package/dist/envelope/sendtime.js.map +1 -0
package/dist/envelope/verify.d.ts +29 -0
package/dist/envelope/verify.d.ts.map +1 -0
package/dist/envelope/verify.js +90 -0
package/dist/envelope/verify.js.map +1 -0
package/dist/extensions/index.d.ts +7 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/index.js +7 -0
package/dist/extensions/index.js.map +1 -0
package/dist/extensions/limits.d.ts +101 -0
package/dist/extensions/limits.d.ts.map +1 -0
package/dist/extensions/limits.js +175 -0
package/dist/extensions/limits.js.map +1 -0
package/dist/handshake/abort.d.ts +49 -0
package/dist/handshake/abort.d.ts.map +1 -0
package/dist/handshake/abort.js +82 -0
package/dist/handshake/abort.js.map +1 -0
package/dist/handshake/capabilities.d.ts +46 -0
package/dist/handshake/capabilities.d.ts.map +1 -0
package/dist/handshake/capabilities.js +114 -0
package/dist/handshake/capabilities.js.map +1 -0
package/dist/handshake/client_state.d.ts +186 -0
package/dist/handshake/client_state.d.ts.map +1 -0
package/dist/handshake/client_state.js +520 -0
package/dist/handshake/client_state.js.map +1 -0
package/dist/handshake/confirm.d.ts +21 -0
package/dist/handshake/confirm.d.ts.map +1 -0
package/dist/handshake/confirm.js +27 -0
package/dist/handshake/confirm.js.map +1 -0
package/dist/handshake/driver.d.ts +126 -0
package/dist/handshake/driver.d.ts.map +1 -0
package/dist/handshake/driver.js +251 -0
package/dist/handshake/driver.js.map +1 -0
package/dist/handshake/federation.d.ts +365 -0
package/dist/handshake/federation.d.ts.map +1 -0
package/dist/handshake/federation.js +664 -0
package/dist/handshake/federation.js.map +1 -0
package/dist/handshake/first_contact.d.ts +57 -0
package/dist/handshake/first_contact.d.ts.map +1 -0
package/dist/handshake/first_contact.js +124 -0
package/dist/handshake/first_contact.js.map +1 -0
package/dist/handshake/identity.d.ts +101 -0
package/dist/handshake/identity.d.ts.map +1 -0
package/dist/handshake/identity.js +117 -0
package/dist/handshake/identity.js.map +1 -0
package/dist/handshake/index.d.ts +21 -0
package/dist/handshake/index.d.ts.map +1 -0
package/dist/handshake/index.js +21 -0
package/dist/handshake/index.js.map +1 -0
package/dist/handshake/messages.d.ts +176 -0
package/dist/handshake/messages.d.ts.map +1 -0
package/dist/handshake/messages.js +125 -0
package/dist/handshake/messages.js.map +1 -0
package/dist/handshake/pow.d.ts +53 -0
package/dist/handshake/pow.d.ts.map +1 -0
package/dist/handshake/pow.js +142 -0
package/dist/handshake/pow.js.map +1 -0
package/dist/handshake/resume_driver.d.ts +56 -0
package/dist/handshake/resume_driver.d.ts.map +1 -0
package/dist/handshake/resume_driver.js +75 -0
package/dist/handshake/resume_driver.js.map +1 -0
package/dist/handshake/server.d.ts +112 -0
package/dist/handshake/server.d.ts.map +1 -0
package/dist/handshake/server.js +247 -0
package/dist/handshake/server.js.map +1 -0
package/dist/handshake/server_state.d.ts +102 -0
package/dist/handshake/server_state.d.ts.map +1 -0
package/dist/handshake/server_state.js +278 -0
package/dist/handshake/server_state.js.map +1 -0
package/dist/index.d.ts +33 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +33 -0
package/dist/index.js.map +1 -0
package/dist/keys/compromise.d.ts +118 -0
package/dist/keys/compromise.d.ts.map +1 -0
package/dist/keys/compromise.js +218 -0
package/dist/keys/compromise.js.map +1 -0
package/dist/keys/device_certificate.d.ts +166 -0
package/dist/keys/device_certificate.d.ts.map +1 -0
package/dist/keys/device_certificate.js +328 -0
package/dist/keys/device_certificate.js.map +1 -0
package/dist/keys/device_records.d.ts +175 -0
package/dist/keys/device_records.d.ts.map +1 -0
package/dist/keys/device_records.js +418 -0
package/dist/keys/device_records.js.map +1 -0
package/dist/keys/directory_cache.d.ts +64 -0
package/dist/keys/directory_cache.d.ts.map +1 -0
package/dist/keys/directory_cache.js +98 -0
package/dist/keys/directory_cache.js.map +1 -0
package/dist/keys/directory_state.d.ts +79 -0
package/dist/keys/directory_state.d.ts.map +1 -0
package/dist/keys/directory_state.js +155 -0
package/dist/keys/directory_state.js.map +1 -0
package/dist/keys/index.d.ts +18 -0
package/dist/keys/index.d.ts.map +1 -0
package/dist/keys/index.js +18 -0
package/dist/keys/index.js.map +1 -0
package/dist/keys/key_revocation.d.ts +61 -0
package/dist/keys/key_revocation.d.ts.map +1 -0
package/dist/keys/key_revocation.js +88 -0
package/dist/keys/key_revocation.js.map +1 -0
package/dist/keys/request.d.ts +124 -0
package/dist/keys/request.d.ts.map +1 -0
package/dist/keys/request.js +130 -0
package/dist/keys/request.js.map +1 -0
package/dist/keys/sign.d.ts +49 -0
package/dist/keys/sign.d.ts.map +1 -0
package/dist/keys/sign.js +80 -0
package/dist/keys/sign.js.map +1 -0
package/dist/keys/signed.d.ts +80 -0
package/dist/keys/signed.d.ts.map +1 -0
package/dist/keys/signed.js +138 -0
package/dist/keys/signed.js.map +1 -0
package/dist/keys/store.d.ts +138 -0
package/dist/keys/store.d.ts.map +1 -0
package/dist/keys/store.js +107 -0
package/dist/keys/store.js.map +1 -0
package/dist/largeattachment/crypto.d.ts +47 -0
package/dist/largeattachment/crypto.d.ts.map +1 -0
package/dist/largeattachment/crypto.js +235 -0
package/dist/largeattachment/crypto.js.map +1 -0
package/dist/largeattachment/enclosure.d.ts +48 -0
package/dist/largeattachment/enclosure.d.ts.map +1 -0
package/dist/largeattachment/enclosure.js +102 -0
package/dist/largeattachment/enclosure.js.map +1 -0
package/dist/largeattachment/index.d.ts +15 -0
package/dist/largeattachment/index.d.ts.map +1 -0
package/dist/largeattachment/index.js +15 -0
package/dist/largeattachment/index.js.map +1 -0
package/dist/largeattachment/store.d.ts +36 -0
package/dist/largeattachment/store.d.ts.map +1 -0
package/dist/largeattachment/store.js +37 -0
package/dist/largeattachment/store.js.map +1 -0
package/dist/largeattachment/types.d.ts +56 -0
package/dist/largeattachment/types.d.ts.map +1 -0
package/dist/largeattachment/types.js +31 -0
package/dist/largeattachment/types.js.map +1 -0
package/dist/largeattachment/upload.d.ts +62 -0
package/dist/largeattachment/upload.d.ts.map +1 -0
package/dist/largeattachment/upload.js +166 -0
package/dist/largeattachment/upload.js.map +1 -0
package/dist/migration/index.d.ts +17 -0
package/dist/migration/index.d.ts.map +1 -0
package/dist/migration/index.js +17 -0
package/dist/migration/index.js.map +1 -0
package/dist/migration/lockout.d.ts +48 -0
package/dist/migration/lockout.d.ts.map +1 -0
package/dist/migration/lockout.js +57 -0
package/dist/migration/lockout.js.map +1 -0
package/dist/migration/migration.d.ts +48 -0
package/dist/migration/migration.d.ts.map +1 -0
package/dist/migration/migration.js +58 -0
package/dist/migration/migration.js.map +1 -0
package/dist/migration/notice.d.ts +33 -0
package/dist/migration/notice.d.ts.map +1 -0
package/dist/migration/notice.js +85 -0
package/dist/migration/notice.js.map +1 -0
package/dist/migration/orchestrate.d.ts +109 -0
package/dist/migration/orchestrate.d.ts.map +1 -0
package/dist/migration/orchestrate.js +212 -0
package/dist/migration/orchestrate.js.map +1 -0
package/dist/migration/publication_store.d.ts +34 -0
package/dist/migration/publication_store.d.ts.map +1 -0
package/dist/migration/publication_store.js +44 -0
package/dist/migration/publication_store.js.map +1 -0
package/dist/migration/sign.d.ts +65 -0
package/dist/migration/sign.d.ts.map +1 -0
package/dist/migration/sign.js +331 -0
package/dist/migration/sign.js.map +1 -0
package/dist/migration/types.d.ts +92 -0
package/dist/migration/types.d.ts.map +1 -0
package/dist/migration/types.js +26 -0
package/dist/migration/types.js.map +1 -0
package/dist/reasoncodes.d.ts +42 -0
package/dist/reasoncodes.d.ts.map +1 -0
package/dist/reasoncodes.js +80 -0
package/dist/reasoncodes.js.map +1 -0
package/dist/recovery/bundle.d.ts +34 -0
package/dist/recovery/bundle.d.ts.map +1 -0
package/dist/recovery/bundle.js +144 -0
package/dist/recovery/bundle.js.map +1 -0
package/dist/recovery/bundle_crypto.d.ts +60 -0
package/dist/recovery/bundle_crypto.d.ts.map +1 -0
package/dist/recovery/bundle_crypto.js +179 -0
package/dist/recovery/bundle_crypto.js.map +1 -0
package/dist/recovery/bundle_store.d.ts +57 -0
package/dist/recovery/bundle_store.d.ts.map +1 -0
package/dist/recovery/bundle_store.js +104 -0
package/dist/recovery/bundle_store.js.map +1 -0
package/dist/recovery/index.d.ts +19 -0
package/dist/recovery/index.d.ts.map +1 -0
package/dist/recovery/index.js +19 -0
package/dist/recovery/index.js.map +1 -0
package/dist/recovery/manifest_crosscheck.d.ts +59 -0
package/dist/recovery/manifest_crosscheck.d.ts.map +1 -0
package/dist/recovery/manifest_crosscheck.js +59 -0
package/dist/recovery/manifest_crosscheck.js.map +1 -0
package/dist/recovery/shamir.d.ts +51 -0
package/dist/recovery/shamir.d.ts.map +1 -0
package/dist/recovery/shamir.js +181 -0
package/dist/recovery/shamir.js.map +1 -0
package/dist/recovery/sign.d.ts +61 -0
package/dist/recovery/sign.d.ts.map +1 -0
package/dist/recovery/sign.js +359 -0
package/dist/recovery/sign.js.map +1 -0
package/dist/recovery/types.d.ts +180 -0
package/dist/recovery/types.d.ts.map +1 -0
package/dist/recovery/types.js +31 -0
package/dist/recovery/types.js.map +1 -0
package/dist/reputation/abuse_report.d.ts +62 -0
package/dist/reputation/abuse_report.d.ts.map +1 -0
package/dist/reputation/abuse_report.js +111 -0
package/dist/reputation/abuse_report.js.map +1 -0
package/dist/reputation/bucketize.d.ts +31 -0
package/dist/reputation/bucketize.d.ts.map +1 -0
package/dist/reputation/bucketize.js +77 -0
package/dist/reputation/bucketize.js.map +1 -0
package/dist/reputation/gossip.d.ts +24 -0
package/dist/reputation/gossip.d.ts.map +1 -0
package/dist/reputation/gossip.js +64 -0
package/dist/reputation/gossip.js.map +1 -0
package/dist/reputation/gossip_fetch.d.ts +64 -0
package/dist/reputation/gossip_fetch.d.ts.map +1 -0
package/dist/reputation/gossip_fetch.js +114 -0
package/dist/reputation/gossip_fetch.js.map +1 -0
package/dist/reputation/index.d.ts +20 -0
package/dist/reputation/index.d.ts.map +1 -0
package/dist/reputation/index.js +20 -0
package/dist/reputation/index.js.map +1 -0
package/dist/reputation/observation_store.d.ts +67 -0
package/dist/reputation/observation_store.d.ts.map +1 -0
package/dist/reputation/observation_store.js +171 -0
package/dist/reputation/observation_store.js.map +1 -0
package/dist/reputation/pow.d.ts +91 -0
package/dist/reputation/pow.d.ts.map +1 -0
package/dist/reputation/pow.js +209 -0
package/dist/reputation/pow.js.map +1 -0
package/dist/reputation/sign.d.ts +40 -0
package/dist/reputation/sign.d.ts.map +1 -0
package/dist/reputation/sign.js +202 -0
package/dist/reputation/sign.js.map +1 -0
package/dist/reputation/types.d.ts +133 -0
package/dist/reputation/types.d.ts.map +1 -0
package/dist/reputation/types.js +33 -0
package/dist/reputation/types.js.map +1 -0
package/dist/reputation/whois.d.ts +25 -0
package/dist/reputation/whois.d.ts.map +1 -0
package/dist/reputation/whois.js +20 -0
package/dist/reputation/whois.js.map +1 -0
package/dist/seal/index.d.ts +8 -0
package/dist/seal/index.d.ts.map +1 -0
package/dist/seal/index.js +8 -0
package/dist/seal/index.js.map +1 -0
package/dist/seal/wrap.d.ts +74 -0
package/dist/seal/wrap.d.ts.map +1 -0
package/dist/seal/wrap.js +213 -0
package/dist/seal/wrap.js.map +1 -0
package/dist/session/dispatcher.d.ts +65 -0
package/dist/session/dispatcher.d.ts.map +1 -0
package/dist/session/dispatcher.js +96 -0
package/dist/session/dispatcher.js.map +1 -0
package/dist/session/index.d.ts +15 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +15 -0
package/dist/session/index.js.map +1 -0
package/dist/session/rekey.d.ts +108 -0
package/dist/session/rekey.d.ts.map +1 -0
package/dist/session/rekey.js +207 -0
package/dist/session/rekey.js.map +1 -0
package/dist/session/rekey_seal.d.ts +66 -0
package/dist/session/rekey_seal.d.ts.map +1 -0
package/dist/session/rekey_seal.js +153 -0
package/dist/session/rekey_seal.js.map +1 -0
package/dist/session/resume.d.ts +125 -0
package/dist/session/resume.d.ts.map +1 -0
package/dist/session/resume.js +263 -0
package/dist/session/resume.js.map +1 -0
package/dist/session/session.d.ts +136 -0
package/dist/session/session.d.ts.map +1 -0
package/dist/session/session.js +188 -0
package/dist/session/session.js.map +1 -0
package/dist/transparency/index.d.ts +13 -0
package/dist/transparency/index.d.ts.map +1 -0
package/dist/transparency/index.js +13 -0
package/dist/transparency/index.js.map +1 -0
package/dist/transparency/log.d.ts +61 -0
package/dist/transparency/log.d.ts.map +1 -0
package/dist/transparency/log.js +133 -0
package/dist/transparency/log.js.map +1 -0
package/dist/transparency/merkle.d.ts +59 -0
package/dist/transparency/merkle.d.ts.map +1 -0
package/dist/transparency/merkle.js +314 -0
package/dist/transparency/merkle.js.map +1 -0
package/dist/transparency/sign.d.ts +48 -0
package/dist/transparency/sign.d.ts.map +1 -0
package/dist/transparency/sign.js +140 -0
package/dist/transparency/sign.js.map +1 -0
package/dist/transparency/types.d.ts +97 -0
package/dist/transparency/types.d.ts.map +1 -0
package/dist/transparency/types.js +25 -0
package/dist/transparency/types.js.map +1 -0
package/dist/transport/h2.d.ts +163 -0
package/dist/transport/h2.d.ts.map +1 -0
package/dist/transport/h2.js +397 -0
package/dist/transport/h2.js.map +1 -0
package/dist/transport/index.d.ts +15 -0
package/dist/transport/index.d.ts.map +1 -0
package/dist/transport/index.js +15 -0
package/dist/transport/index.js.map +1 -0
package/dist/transport/memory.d.ts +21 -0
package/dist/transport/memory.d.ts.map +1 -0
package/dist/transport/memory.js +112 -0
package/dist/transport/memory.js.map +1 -0
package/dist/transport/transport.d.ts +54 -0
package/dist/transport/transport.d.ts.map +1 -0
package/dist/transport/transport.js +20 -0
package/dist/transport/transport.js.map +1 -0
package/dist/transport/ws.d.ts +40 -0
package/dist/transport/ws.d.ts.map +1 -0
package/dist/transport/ws.js +204 -0
package/dist/transport/ws.js.map +1 -0
package/package.json +147 -0

package/dist/session/rekey.js ADDED Viewed

@@ -0,0 +1,207 @@
+/**
+ * Rekey driver per SESSION.md §3.3.
+ *
+ * Both peers can initiate. The flow:
+ *
+ *   1. Initiator generates a new ephemeral X25519 keypair + a
+ *      32-byte rekey nonce. Builds RekeyInit, seals under the
+ *      current session's directional keys, sends.
+ *   2. Responder receives + opens the sealed init. Generates its
+ *      own new ephemeral + a 32-byte responder nonce + a new
+ *      session_id. Computes the new shared secret via X25519,
+ *      derives the five new session keys via HKDF-SHA-512 with
+ *      salt = rekey_nonce || responder_nonce.
+ *   3. Responder builds RekeyAccepted, seals under the current
+ *      session's directional keys, sends.
+ *   4. Both call session.applyRekey() to swap in the new keys
+ *      and new session_id atomically.
+ *
+ * On rejection (session_expired, rekey_unsupported, rate_limited),
+ * the responder sends a sealed RekeyRejected; the caller sees a
+ * RekeyRejectedError.
+ *
+ * Rekey messages carry no separate identity signature: receiving
+ * a valid sealed message is itself authentication, since only a
+ * holder of the live session keys can forge one.
+ *
+ * @module
+ */
+import { marshal as canonicalMarshal } from "../canonical/index.js";
+import { deriveRekeyKeys, newHKDFSHA512, x25519Agree, x25519PublicKey, } from "../crypto/index.js";
+import { fingerprint } from "../keys/index.js";
+import { openRekeyMessage, sealRekeyMessage, } from "./rekey_seal.js";
+/** Error thrown when the responder rejects a rekey attempt. */
+export class RekeyRejectedError extends Error {
+    reasonCode;
+    reason;
+    constructor(reasonCode, reason) {
+        super(`rekey rejected: ${reasonCode}${reason !== undefined ? ` (${reason})` : ""}`);
+        this.reasonCode = reasonCode;
+        this.reason = reason;
+    }
+}
+/**
+ * Initiate a rekey. The session installs new keys + a new
+ * session_id on success and resolves with the new session_id.
+ *
+ * @throws RekeyRejectedError when the responder sends a sealed
+ * RekeyRejected.
+ */
+export async function rekeyClient(session, options = {}) {
+    const direction = directionFromRole(session.role);
+    const oppositeDir = otherDirection(direction);
+    // Step 1: build + send RekeyInit.
+    const ephPriv = options.ephemeralPriv ?? randomBytes(32);
+    const ephPub = x25519PublicKey(ephPriv);
+    const rekeyNonce = options.rekeyNonce ?? randomBytes(32);
+    const init = {
+        type: "SEMP_REKEY",
+        step: "rekey-init",
+        version: "1.0.0",
+        session_id: session.sessionId,
+        new_ephemeral_key: {
+            algorithm: "x25519-chacha20-poly1305",
+            key: base64Encode(ephPub),
+            key_id: fingerprint(ephPub),
+        },
+        rekey_nonce: base64Encode(rekeyNonce),
+    };
+    const sealed = sealRekeyMessage(session, direction, canonicalMarshal(init));
+    await session.send(new TextEncoder().encode(JSON.stringify(sealed)));
+    // Step 2: receive + open the response.
+    const respBytes = await session.receive();
+    if (respBytes === null) {
+        throw new Error("rekey: connection closed waiting for response");
+    }
+    const wrapper = JSON.parse(new TextDecoder().decode(respBytes));
+    if (wrapper.type !== "SEMP_REKEY") {
+        throw new Error(`rekey: expected SEMP_REKEY, got ${wrapper.type}`);
+    }
+    if (wrapper.direction !== oppositeDir) {
+        throw new Error(`rekey: expected response direction=${oppositeDir}, got ${wrapper.direction}`);
+    }
+    const respPlain = openRekeyMessage(session, wrapper);
+    const respBody = JSON.parse(new TextDecoder().decode(respPlain));
+    // Discriminate on `step` defensively; the wire body could carry
+    // either an accepted or rejected outcome.
+    const step = respBody.step;
+    if (step === "rekey-rejected") {
+        const r = respBody;
+        throw new RekeyRejectedError(r.reason_code, r.reason);
+    }
+    if (step !== "rekey-accepted") {
+        throw new Error(`rekey: expected step=rekey-accepted, got ${step}`);
+    }
+    const accepted = respBody;
+    // Step 3: derive + apply new keys.
+    const responderPub = base64Decode(accepted.new_ephemeral_key.key);
+    const sharedSecret = x25519Agree(ephPriv, responderPub);
+    const responderNonce = base64Decode(accepted.responder_nonce);
+    const kdf = newHKDFSHA512();
+    const newKeys = deriveRekeyKeys(kdf, sharedSecret, rekeyNonce, responderNonce);
+    session.applyRekey({
+        newSessionId: accepted.new_session_id,
+        newKeys,
+    });
+    return accepted.new_session_id;
+}
+/**
+ * Respond to a rekey. Reads one sealed message off the session
+ * transport, validates it as a RekeyInit, derives new keys,
+ * sends a sealed RekeyAccepted, and applies the rekey to the
+ * session. Resolves with the new session_id.
+ *
+ * Production callers wire this into their session-message
+ * dispatcher: when an inbound SEMP_REKEY arrives, route the
+ * sealed bytes here.
+ */
+export async function rekeyServer(session, options) {
+    const initDir = directionFromRole(otherRole(session.role));
+    const respDir = otherDirection(initDir);
+    // Step 1: receive + open the init.
+    const initBytes = await session.receive();
+    if (initBytes === null) {
+        throw new Error("rekey: connection closed waiting for init");
+    }
+    const wrapper = JSON.parse(new TextDecoder().decode(initBytes));
+    if (wrapper.type !== "SEMP_REKEY") {
+        throw new Error(`rekey: expected SEMP_REKEY, got ${wrapper.type}`);
+    }
+    if (wrapper.direction !== initDir) {
+        throw new Error(`rekey: expected init direction=${initDir}, got ${wrapper.direction}`);
+    }
+    const initPlain = openRekeyMessage(session, wrapper);
+    const init = JSON.parse(new TextDecoder().decode(initPlain));
+    if (init.step !== "rekey-init") {
+        throw new Error(`rekey: expected step=rekey-init, got ${init.step}`);
+    }
+    // Step 2: ephemeral + responder nonce + new session_id.
+    const ephPriv = options.ephemeralPriv ?? randomBytes(32);
+    const ephPub = x25519PublicKey(ephPriv);
+    const responderNonce = options.responderNonce ?? randomBytes(32);
+    const newSessionId = options.generateSessionId();
+    // Step 3: derive new keys.
+    const initiatorPub = base64Decode(init.new_ephemeral_key.key);
+    const rekeyNonce = base64Decode(init.rekey_nonce);
+    const sharedSecret = x25519Agree(ephPriv, initiatorPub);
+    const kdf = newHKDFSHA512();
+    const newKeys = deriveRekeyKeys(kdf, sharedSecret, rekeyNonce, responderNonce);
+    // Step 4: build + send RekeyAccepted.
+    const accepted = {
+        type: "SEMP_REKEY",
+        step: "rekey-accepted",
+        version: "1.0.0",
+        session_id: session.sessionId,
+        new_session_id: newSessionId,
+        new_ephemeral_key: {
+            algorithm: "x25519-chacha20-poly1305",
+            key: base64Encode(ephPub),
+            key_id: fingerprint(ephPub),
+        },
+        rekey_nonce: init.rekey_nonce,
+        responder_nonce: base64Encode(responderNonce),
+    };
+    const sealedResp = sealRekeyMessage(session, respDir, canonicalMarshal(accepted));
+    await session.send(new TextEncoder().encode(JSON.stringify(sealedResp)));
+    // Step 5: apply rekey.
+    session.applyRekey({ newSessionId, newKeys });
+    return newSessionId;
+}
+// ---------------------------------------------------------------------------
+// Helpers
+function directionFromRole(role) {
+    return role === "client" ? "c2s" : "s2c";
+}
+function otherDirection(d) {
+    return d === "c2s" ? "s2c" : "c2s";
+}
+function otherRole(r) {
+    return r === "client" ? "server" : "client";
+}
+function randomBytes(n) {
+    const out = new Uint8Array(n);
+    globalThis.crypto.getRandomValues(out);
+    return out;
+}
+function base64Encode(b) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(b).toString("base64");
+    }
+    let bin = "";
+    for (let i = 0; i < b.length; i++) {
+        bin += String.fromCharCode(b[i] ?? 0);
+    }
+    return btoa(bin);
+}
+function base64Decode(s) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(s, "base64"));
+    }
+    const bin = atob(s);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        out[i] = bin.charCodeAt(i);
+    }
+    return out;
+}
+//# sourceMappingURL=rekey.js.map

package/dist/session/rekey.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rekey.js","sourceRoot":"","sources":["../../src/session/rekey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACpE,OAAO,EACL,eAAe,EACf,aAAa,EACb,WAAW,EACX,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAG/C,OAAO,EAEL,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAkCzB,+DAA+D;AAC/D,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAClC,UAAU,CAAS;IACnB,MAAM,CAAqB;IACpC,YAAY,UAAkB,EAAE,MAA0B;QACxD,KAAK,CAAC,mBAAmB,UAAU,GAAG,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpF,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAUD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAgB,EAChB,UAA8B,EAAE;IAEhC,MAAM,SAAS,GAAG,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAE9C,kCAAkC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IACzD,MAAM,IAAI,GAAc;QACtB,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,OAAO,CAAC,SAAS;QAC7B,iBAAiB,EAAE;YACjB,SAAS,EAAE,0BAA0B;YACrC,GAAG,EAAE,YAAY,CAAC,MAAM,CAAC;YACzB,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC;SAC5B;QACD,WAAW,EAAE,YAAY,CAAC,UAAU,CAAC;KACtC,CAAC;IACF,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5E,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAErE,uCAAuC;IACvC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;IAC1C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAgB,CAAC;IAC/E,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,sCAAsC,WAAW,SAAS,OAAO,CAAC,SAAS,EAAE,CAC9E,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAE9C,CAAC;IAElB,gEAAgE;IAChE,0CAA0C;IAC1C,MAAM,IAAI,GAAI,QAA6B,CAAC,IAAI,CAAC;IACjD,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,QAAyB,CAAC;QACpC,MAAM,IAAI,kBAAkB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4CAA4C,IAAI,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,QAAQ,GAAG,QAAyB,CAAC;IAE3C,mCAAmC;IACnC,MAAM,YAAY,GAAG,YAAY,CAAC,QAAQ,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAClE,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACxD,MAAM,cAAc,GAAG,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAE/E,OAAO,CAAC,UAAU,CAAC;QACjB,YAAY,EAAE,QAAQ,CAAC,cAAc;QACrC,OAAO;KACR,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC,cAAc,CAAC;AACjC,CAAC;AAYD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAgB,EAChB,OAA2B;IAE3B,MAAM,OAAO,GAAG,iBAAiB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAExC,mCAAmC;IACnC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;IAC1C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAgB,CAAC;IAC/E,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,kCAAkC,OAAO,SAAS,OAAO,CAAC,SAAS,EAAE,CACtE,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAc,CAAC;IAC1E,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,wCAAwC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,wDAAwD;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAEjD,2BAA2B;IAC3B,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAE/E,sCAAsC;IACtC,MAAM,QAAQ,GAAkB;QAC9B,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,OAAO,CAAC,SAAS;QAC7B,cAAc,EAAE,YAAY;QAC5B,iBAAiB,EAAE;YACjB,SAAS,EAAE,0BAA0B;YACrC,GAAG,EAAE,YAAY,CAAC,MAAM,CAAC;YACzB,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC;SAC5B;QACD,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,eAAe,EAAE,YAAY,CAAC,cAAc,CAAC;KAC9C,CAAC;IACF,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClF,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEzE,uBAAuB;IACvB,OAAO,CAAC,UAAU,CAAC,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9C,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,8EAA8E;AAC9E,UAAU;AAEV,SAAS,iBAAiB,CAAC,IAAyB;IAClD,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;AAC3C,CAAC;AAED,SAAS,cAAc,CAAC,CAAgB;IACtC,OAAO,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;AACrC,CAAC;AAED,SAAS,SAAS,CAAC,CAAsB;IACvC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC9C,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/session/rekey_seal.d.ts ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * Sealed-rekey wire format per SESSION.md §3.2.
+ *
+ * Rekey messages are AEAD-encrypted under the CURRENT session's
+ * directional keys. Receiving a valid sealed rekey is itself the
+ * authentication — only a holder of the live session keys can
+ * forge one — so the rekey messages carry no separate identity
+ * signature.
+ *
+ * Wire shape:
+ *
+ *   {
+ *     "type":      "SEMP_REKEY",
+ *     "sealed":    true,
+ *     "direction": "c2s" | "s2c",
+ *     "version":   "1.0.0",
+ *     "session_id": "<current session_id>",
+ *     "nonce":     "<base64 12-byte AEAD nonce>",
+ *     "ciphertext":"<base64 AEAD ciphertext (RekeyInit/Accepted/Rejected JSON)>"
+ *   }
+ *
+ * AEAD: ChaCha20-Poly1305 (12-byte nonce). The AAD is a
+ * length-prefixed concatenation of:
+ *
+ *   AAD = LP(direction) || LP(session_id) || LP(directional_mac_key)
+ *
+ * where LP(x) prepends a 4-byte big-endian length to x. Mixing the
+ * MAC key into the AAD ensures that compromising the encryption
+ * key alone is insufficient — an attacker would also need the MAC
+ * key, which satisfies the spec's "MACed under the MAC key"
+ * requirement.
+ *
+ * @module
+ */
+import type { Session } from "./session.js";
+/** Wire shape of a sealed rekey message. */
+export interface SealedRekey {
+    type: "SEMP_REKEY";
+    sealed: true;
+    direction: "c2s" | "s2c";
+    version: "1.0.0";
+    session_id: string;
+    nonce: string;
+    ciphertext: string;
+}
+/**
+ * Seal a rekey-message body. The body is the canonical JSON of
+ * RekeyInit / RekeyAccepted / RekeyRejected. Returns the wire
+ * envelope.
+ *
+ * @param session the CURRENT session (pre-rekey).
+ * @param direction "c2s" if the caller is the side that sent INIT
+ *   in the original handshake (or for federation: the side that
+ *   opened the connection); "s2c" otherwise.
+ * @param plaintext the canonical message body bytes.
+ * @param nonce optional 12-byte nonce; production callers omit
+ *   this and let the function source fresh entropy.
+ */
+export declare function sealRekeyMessage(session: Session, direction: "c2s" | "s2c", plaintext: Uint8Array, nonce?: Uint8Array): SealedRekey;
+/**
+ * Open a sealed rekey message. Returns the plaintext body bytes.
+ * Throws on tag mismatch, direction mismatch, or session_id
+ * mismatch.
+ */
+export declare function openRekeyMessage(session: Session, msg: SealedRekey): Uint8Array;
+//# sourceMappingURL=rekey_seal.d.ts.map

package/dist/session/rekey_seal.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rekey_seal.d.ts","sourceRoot":"","sources":["../../src/session/rekey_seal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,YAAY,CAAC;IACnB,MAAM,EAAE,IAAI,CAAC;IACb,SAAS,EAAE,KAAK,GAAG,KAAK,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,KAAK,GAAG,KAAK,EACxB,SAAS,EAAE,UAAU,EACrB,KAAK,CAAC,EAAE,UAAU,GACjB,WAAW,CAiBb;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,WAAW,GAAG,UAAU,CAiB/E"}

package/dist/session/rekey_seal.js ADDED Viewed

@@ -0,0 +1,153 @@
+/**
+ * Sealed-rekey wire format per SESSION.md §3.2.
+ *
+ * Rekey messages are AEAD-encrypted under the CURRENT session's
+ * directional keys. Receiving a valid sealed rekey is itself the
+ * authentication — only a holder of the live session keys can
+ * forge one — so the rekey messages carry no separate identity
+ * signature.
+ *
+ * Wire shape:
+ *
+ *   {
+ *     "type":      "SEMP_REKEY",
+ *     "sealed":    true,
+ *     "direction": "c2s" | "s2c",
+ *     "version":   "1.0.0",
+ *     "session_id": "<current session_id>",
+ *     "nonce":     "<base64 12-byte AEAD nonce>",
+ *     "ciphertext":"<base64 AEAD ciphertext (RekeyInit/Accepted/Rejected JSON)>"
+ *   }
+ *
+ * AEAD: ChaCha20-Poly1305 (12-byte nonce). The AAD is a
+ * length-prefixed concatenation of:
+ *
+ *   AAD = LP(direction) || LP(session_id) || LP(directional_mac_key)
+ *
+ * where LP(x) prepends a 4-byte big-endian length to x. Mixing the
+ * MAC key into the AAD ensures that compromising the encryption
+ * key alone is insufficient — an attacker would also need the MAC
+ * key, which satisfies the spec's "MACed under the MAC key"
+ * requirement.
+ *
+ * @module
+ */
+import { aeadOpen, aeadSeal } from "../crypto/index.js";
+/**
+ * Seal a rekey-message body. The body is the canonical JSON of
+ * RekeyInit / RekeyAccepted / RekeyRejected. Returns the wire
+ * envelope.
+ *
+ * @param session the CURRENT session (pre-rekey).
+ * @param direction "c2s" if the caller is the side that sent INIT
+ *   in the original handshake (or for federation: the side that
+ *   opened the connection); "s2c" otherwise.
+ * @param plaintext the canonical message body bytes.
+ * @param nonce optional 12-byte nonce; production callers omit
+ *   this and let the function source fresh entropy.
+ */
+export function sealRekeyMessage(session, direction, plaintext, nonce) {
+    const { encKey, macKey } = pickRekeyKeys(session, direction);
+    const n = nonce ?? randomBytes(12);
+    if (n.length !== 12) {
+        throw new Error(`sealRekeyMessage: nonce must be 12 bytes, got ${n.length}`);
+    }
+    const aad = rekeyAAD(direction, session.sessionId, macKey);
+    const ct = aeadSeal("chacha20-poly1305", encKey, n, plaintext, aad);
+    return {
+        type: "SEMP_REKEY",
+        sealed: true,
+        direction,
+        version: "1.0.0",
+        session_id: session.sessionId,
+        nonce: base64Encode(n),
+        ciphertext: base64Encode(ct),
+    };
+}
+/**
+ * Open a sealed rekey message. Returns the plaintext body bytes.
+ * Throws on tag mismatch, direction mismatch, or session_id
+ * mismatch.
+ */
+export function openRekeyMessage(session, msg) {
+    if (msg.type !== "SEMP_REKEY") {
+        throw new Error(`openRekeyMessage: type=${msg.type}, want SEMP_REKEY`);
+    }
+    if (!msg.sealed) {
+        throw new Error("openRekeyMessage: cleartext rekey not supported");
+    }
+    if (msg.session_id !== session.sessionId) {
+        throw new Error(`openRekeyMessage: session_id ${msg.session_id} does not match current ${session.sessionId}`);
+    }
+    const { encKey, macKey } = pickRekeyKeys(session, msg.direction);
+    const nonce = base64Decode(msg.nonce);
+    const ct = base64Decode(msg.ciphertext);
+    const aad = rekeyAAD(msg.direction, session.sessionId, macKey);
+    return aeadOpen("chacha20-poly1305", encKey, nonce, ct, aad);
+}
+/**
+ * Pick the (encryption_key, mac_key) pair for the given
+ * direction, mirroring semp-go's session.pickRekeyKeys. The
+ * session keys are owned by both endpoints, so the same
+ * (direction, sessionId) pair selects the same pair on both sides.
+ */
+function pickRekeyKeys(session, direction) {
+    switch (direction) {
+        case "c2s":
+            return { encKey: session.keys.encC2S, macKey: session.keys.macC2S };
+        case "s2c":
+            return { encKey: session.keys.encS2C, macKey: session.keys.macS2C };
+    }
+}
+/**
+ * Length-prefixed AAD per the rekey wire format. Each component
+ * is preceded by a 4-byte big-endian length so an attacker can't
+ * shift the boundary between fields.
+ */
+function rekeyAAD(direction, sessionId, macKey) {
+    const dirBytes = new TextEncoder().encode(direction);
+    const idBytes = new TextEncoder().encode(sessionId);
+    const total = 4 + dirBytes.length + 4 + idBytes.length + 4 + macKey.length;
+    const out = new Uint8Array(total);
+    let off = 0;
+    off = appendLP(out, off, dirBytes);
+    off = appendLP(out, off, idBytes);
+    appendLP(out, off, macKey);
+    return out;
+}
+function appendLP(buf, off, b) {
+    const n = b.length;
+    buf[off++] = (n >>> 24) & 0xff;
+    buf[off++] = (n >>> 16) & 0xff;
+    buf[off++] = (n >>> 8) & 0xff;
+    buf[off++] = n & 0xff;
+    buf.set(b, off);
+    return off + n;
+}
+function randomBytes(n) {
+    const out = new Uint8Array(n);
+    globalThis.crypto.getRandomValues(out);
+    return out;
+}
+function base64Encode(b) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(b).toString("base64");
+    }
+    let bin = "";
+    for (let i = 0; i < b.length; i++) {
+        bin += String.fromCharCode(b[i] ?? 0);
+    }
+    return btoa(bin);
+}
+function base64Decode(s) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(s, "base64"));
+    }
+    const bin = atob(s);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        out[i] = bin.charCodeAt(i);
+    }
+    return out;
+}
+//# sourceMappingURL=rekey_seal.js.map

package/dist/session/rekey_seal.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rekey_seal.js","sourceRoot":"","sources":["../../src/session/rekey_seal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAcxD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAgB,EAChB,SAAwB,EACxB,SAAqB,EACrB,KAAkB;IAElB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC7D,MAAM,CAAC,GAAG,KAAK,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC3D,MAAM,EAAE,GAAG,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IACpE,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,IAAI;QACZ,SAAS;QACT,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,OAAO,CAAC,SAAS;QAC7B,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC;QACtB,UAAU,EAAE,YAAY,CAAC,EAAE,CAAC;KAC7B,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAgB,EAAE,GAAgB;IACjE,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,IAAI,mBAAmB,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,GAAG,CAAC,UAAU,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,CAAC,UAAU,2BAA2B,OAAO,CAAC,SAAS,EAAE,CAC7F,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC/D,OAAO,QAAQ,CAAC,mBAAmB,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;GAKG;AACH,SAAS,aAAa,CACpB,OAAgB,EAChB,SAAwB;IAExB,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACtE,KAAK,KAAK;YACR,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;IACxE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,SAAiB,EAAE,SAAiB,EAAE,MAAkB;IACxE,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,KAAK,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;IAC3E,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;IACnC,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IAClC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IAC3B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,GAAe,EAAE,GAAW,EAAE,CAAa;IAC3D,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;IAC/B,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;IAC/B,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC;IAC9B,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAChB,OAAO,GAAG,GAAG,CAAC,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,CAAa;IACjC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/session/resume.d.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * Session resumption driver per HANDSHAKE.md §2.8 / SESSION.md §2.7.
+ *
+ * Resume condenses the full handshake into ONE round trip:
+ *
+ *   client -> server  step=resume     (client_eph + client_nonce +
+ *                                      resumption_ticket from prior session)
+ *   server -> client  step=accepted   (server_eph + server_nonce +
+ *                                      new session_id + new ticket +
+ *                                      server_signature)
+ *
+ * Both peers derive new session keys by mixing the FRESH X25519
+ * shared secret with the K_resumption secret retained from the
+ * previous session. The retained secret proves continuity of
+ * identity, so no separate identity proof is required.
+ *
+ * Production callers use this when they want a low-latency
+ * reconnect after a brief disconnection. If the server has lost
+ * the session state (or the ticket has expired), the server
+ * MUST respond with step=rejected and the client falls back to
+ * a full {@link "../handshake/driver".runClient} handshake.
+ *
+ * @module
+ */
+import { type ResumptionTicket } from "../handshake/messages.js";
+import type { Transport } from "../transport/index.js";
+import { Session } from "./session.js";
+/** Wire shape of step=resume (unsigned). */
+export interface ResumeRequest {
+    type: "SEMP_HANDSHAKE";
+    step: "resume";
+    party: "client";
+    version: "1.0.0";
+    nonce: string;
+    resumption_ticket: string;
+    client_ephemeral_key: {
+        algorithm: string;
+        key: string;
+        key_id: string;
+    };
+    transport: string;
+    extensions: Record<string, unknown>;
+}
+/** Wire shape of step=accepted in the resume flow (signed). */
+export interface ResumeAccepted {
+    type: "SEMP_HANDSHAKE";
+    step: "accepted";
+    party: "server";
+    version: "1.0.0";
+    session_id: string;
+    session_ttl: number;
+    server_nonce: string;
+    server_ephemeral_key: {
+        algorithm: string;
+        key: string;
+        key_id: string;
+    };
+    resumption_ticket: ResumptionTicket;
+    server_signature: string;
+    extensions: Record<string, unknown>;
+}
+export interface ResumeClientConfig {
+    /** Server domain signing public key (32-byte Ed25519). */
+    serverDomainPub: Uint8Array;
+    /** Transport identifier echoed in the resume request. */
+    transport: string;
+    /** K_resumption from the prior session. */
+    kResumption: Uint8Array;
+    /** Opaque resumption_ticket value from the prior session. */
+    resumptionTicket: string;
+    /** Optional pinned ephemeral private (32 bytes) for tests. */
+    clientEphemeralPriv?: Uint8Array;
+    /** Optional pinned 32-byte client nonce for tests. */
+    clientNonce?: Uint8Array;
+    /** Optional extensions to advertise. */
+    extensions?: Record<string, unknown>;
+}
+/**
+ * Drive the client side of a resume. Resolves with a fresh
+ * {@link Session} on success; throws {@link HandshakeRejectedError}
+ * if the server rejects.
+ */
+export declare function resumeClient(transport: Transport, config: ResumeClientConfig): Promise<Session>;
+/** Outcome of a ticket lookup performed by the server. */
+export type TicketLookupResult = {
+    ok: true;
+    /** K_resumption retained from the prior session. */
+    kResumption: Uint8Array;
+    /** Permissions to grant on the resumed session. */
+    permissions: ReadonlyArray<string>;
+} | {
+    ok: false;
+    reasonCode: string;
+    reason?: string;
+};
+export interface ResumeServerConfig {
+    /** 32-byte Ed25519 secret seed for the server domain signing key. */
+    serverDomainSigningSeed: Uint8Array;
+    /**
+     * Look up the resumption_ticket from the request. Production
+     * servers route through a per-process cache + transparent
+     * persistence layer; tests pass an in-memory map.
+     */
+    lookupTicket: (ticket: string) => Promise<TicketLookupResult> | TicketLookupResult;
+    /** Mint a fresh resumption_ticket for the new session. */
+    generateNewTicket: () => ResumptionTicket;
+    /** Mint a fresh session_id for the new session. */
+    generateSessionId: () => string;
+    /** Session TTL in seconds. */
+    sessionTTL: number;
+    /** Optional extensions echoed in the accepted message. */
+    acceptedExtensions?: Record<string, unknown>;
+    /** Optional pinned ephemeral private for tests. */
+    serverEphemeralPriv?: Uint8Array;
+    /** Optional pinned 32-byte server nonce for tests. */
+    serverNonce?: Uint8Array;
+}
+/**
+ * Drive the server side of a resume. Reads the resume request,
+ * looks up the ticket, generates a fresh ephemeral + nonce + new
+ * session_id, builds and signs the accepted response, and returns
+ * a Session.
+ */
+export declare function resumeServer(transport: Transport, config: ResumeServerConfig): Promise<Session>;
+//# sourceMappingURL=resume.d.ts.map

package/dist/session/resume.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resume.d.ts","sourceRoot":"","sources":["../../src/session/resume.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAUH,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAEvD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,4CAA4C;AAC5C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,gBAAgB,CAAC;IACvB,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,QAAQ,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACzE,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,+DAA+D;AAC/D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,gBAAgB,CAAC;IACvB,IAAI,EAAE,UAAU,CAAC;IACjB,KAAK,EAAE,QAAQ,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACzE,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAKD,MAAM,WAAW,kBAAkB;IACjC,0DAA0D;IAC1D,eAAe,EAAE,UAAU,CAAC;IAC5B,yDAAyD;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,WAAW,EAAE,UAAU,CAAC;IACxB,6DAA6D;IAC7D,gBAAgB,EAAE,MAAM,CAAC;IACzB,8DAA8D;IAC9D,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,sDAAsD;IACtD,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,SAAS,EACpB,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,OAAO,CAAC,CAWlB;AA6FD,0DAA0D;AAC1D,MAAM,MAAM,kBAAkB,GAC1B;IACE,EAAE,EAAE,IAAI,CAAC;IACT,oDAAoD;IACpD,WAAW,EAAE,UAAU,CAAC;IACxB,mDAAmD;IACnD,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACpC,GACD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvD,MAAM,WAAW,kBAAkB;IACjC,qEAAqE;IACrE,uBAAuB,EAAE,UAAU,CAAC;IACpC;;;;OAIG;IACH,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB,CAAC;IACnF,0DAA0D;IAC1D,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;IAC1C,mDAAmD;IACnD,iBAAiB,EAAE,MAAM,MAAM,CAAC;IAChC,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,mDAAmD;IACnD,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,sDAAsD;IACtD,WAAW,CAAC,EAAE,UAAU,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,SAAS,EACpB,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,OAAO,CAAC,CAWlB"}