@sempdev/semp 0.5.2 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (218) hide show
  1. package/dist/brief/address.d.ts +1 -1
  2. package/dist/brief/address.js +1 -1
  3. package/dist/brief/brief.d.ts +1 -1
  4. package/dist/brief/brief.js +1 -1
  5. package/dist/canonical/marshal.d.ts +2 -2
  6. package/dist/canonical/marshal.js +2 -2
  7. package/dist/closure/driver.d.ts +2 -2
  8. package/dist/closure/driver.js +1 -1
  9. package/dist/crypto/aead.d.ts +2 -2
  10. package/dist/crypto/aead.js +2 -2
  11. package/dist/crypto/kdf.d.ts +1 -1
  12. package/dist/crypto/kdf.js +1 -1
  13. package/dist/crypto/mac.d.ts +1 -1
  14. package/dist/crypto/mac.js +1 -1
  15. package/dist/delivery/ack.d.ts +5 -5
  16. package/dist/delivery/ack.js +6 -6
  17. package/dist/delivery/blocklist.d.ts +1 -1
  18. package/dist/delivery/blocklist.js +2 -2
  19. package/dist/delivery/device_sync.d.ts +26 -0
  20. package/dist/delivery/device_sync.d.ts.map +1 -0
  21. package/dist/delivery/device_sync.js +18 -0
  22. package/dist/delivery/device_sync.js.map +1 -0
  23. package/dist/delivery/disposition.d.ts +1 -1
  24. package/dist/delivery/fetch.d.ts +1 -1
  25. package/dist/delivery/fetch.js +1 -1
  26. package/dist/delivery/inbox.d.ts +2 -2
  27. package/dist/delivery/inbox.js +2 -2
  28. package/dist/delivery/index.d.ts +4 -0
  29. package/dist/delivery/index.d.ts.map +1 -1
  30. package/dist/delivery/index.js +4 -0
  31. package/dist/delivery/index.js.map +1 -1
  32. package/dist/delivery/persistent_silent.d.ts +70 -0
  33. package/dist/delivery/persistent_silent.d.ts.map +1 -0
  34. package/dist/delivery/persistent_silent.js +117 -0
  35. package/dist/delivery/persistent_silent.js.map +1 -0
  36. package/dist/delivery/pipeline.d.ts +4 -4
  37. package/dist/delivery/pipeline.js +2 -2
  38. package/dist/delivery/policy_state.d.ts +2 -2
  39. package/dist/delivery/policy_state.js +4 -4
  40. package/dist/delivery/receipt.d.ts +3 -3
  41. package/dist/delivery/receipt.js +3 -3
  42. package/dist/delivery/receipt_store.d.ts +1 -1
  43. package/dist/delivery/receipt_store.js +1 -1
  44. package/dist/delivery/retry.d.ts +2 -2
  45. package/dist/delivery/retry.js +2 -2
  46. package/dist/delivery/scheduler.d.ts +1 -1
  47. package/dist/delivery/scheduler.js +1 -1
  48. package/dist/delivery/stage_partition.d.ts +1 -1
  49. package/dist/delivery/stage_partition.js +1 -1
  50. package/dist/delivery/staged_runner.d.ts +1 -1
  51. package/dist/delivery/staged_runner.js +2 -2
  52. package/dist/delivery/status_message.d.ts +75 -0
  53. package/dist/delivery/status_message.d.ts.map +1 -0
  54. package/dist/delivery/status_message.js +109 -0
  55. package/dist/delivery/status_message.js.map +1 -0
  56. package/dist/delivery/upgrade_signal.d.ts +48 -0
  57. package/dist/delivery/upgrade_signal.d.ts.map +1 -0
  58. package/dist/delivery/upgrade_signal.js +48 -0
  59. package/dist/delivery/upgrade_signal.js.map +1 -0
  60. package/dist/discovery/configuration.d.ts +20 -1
  61. package/dist/discovery/configuration.d.ts.map +1 -1
  62. package/dist/discovery/configuration.js.map +1 -1
  63. package/dist/discovery/dns.d.ts +27 -1
  64. package/dist/discovery/dns.d.ts.map +1 -1
  65. package/dist/discovery/dns.js +37 -0
  66. package/dist/discovery/dns.js.map +1 -1
  67. package/dist/discovery/index.d.ts +2 -2
  68. package/dist/discovery/index.d.ts.map +1 -1
  69. package/dist/discovery/index.js +1 -1
  70. package/dist/discovery/index.js.map +1 -1
  71. package/dist/discovery/partition.d.ts +1 -1
  72. package/dist/discovery/partition.js +1 -1
  73. package/dist/discovery/resolver.d.ts +5 -5
  74. package/dist/discovery/resolver.js +5 -5
  75. package/dist/discovery/txt.d.ts +1 -1
  76. package/dist/discovery/txt.js +1 -1
  77. package/dist/enclosure/forwarding.d.ts +1 -1
  78. package/dist/enclosure/forwarding.js +1 -1
  79. package/dist/envelope/buckets.d.ts +2 -2
  80. package/dist/envelope/buckets.js +2 -2
  81. package/dist/envelope/compose.d.ts +2 -2
  82. package/dist/envelope/compose.js +4 -4
  83. package/dist/envelope/encode.d.ts +2 -2
  84. package/dist/envelope/encode.js +3 -3
  85. package/dist/envelope/open_verified.d.ts +1 -1
  86. package/dist/envelope/open_verified.js +1 -1
  87. package/dist/envelope/padding.d.ts +2 -2
  88. package/dist/envelope/padding.js +3 -3
  89. package/dist/envelope/verify.d.ts +1 -1
  90. package/dist/envelope/verify.js +1 -1
  91. package/dist/extensions/index.d.ts +1 -0
  92. package/dist/extensions/index.d.ts.map +1 -1
  93. package/dist/extensions/index.js +1 -0
  94. package/dist/extensions/index.js.map +1 -1
  95. package/dist/extensions/limits.d.ts +2 -2
  96. package/dist/extensions/limits.js +2 -2
  97. package/dist/extensions/validation_failure.d.ts +48 -0
  98. package/dist/extensions/validation_failure.d.ts.map +1 -0
  99. package/dist/extensions/validation_failure.js +25 -0
  100. package/dist/extensions/validation_failure.js.map +1 -0
  101. package/dist/handshake/abort.d.ts +1 -1
  102. package/dist/handshake/abort.js +1 -1
  103. package/dist/handshake/client_state.d.ts +5 -5
  104. package/dist/handshake/client_state.js +5 -5
  105. package/dist/handshake/confirm.d.ts +2 -2
  106. package/dist/handshake/confirm.js +2 -2
  107. package/dist/handshake/driver.d.ts +2 -2
  108. package/dist/handshake/driver.js +1 -1
  109. package/dist/handshake/federation.d.ts +6 -6
  110. package/dist/handshake/federation.js +5 -5
  111. package/dist/handshake/first_contact.d.ts +1 -1
  112. package/dist/handshake/first_contact.js +1 -1
  113. package/dist/handshake/identity.d.ts +1 -1
  114. package/dist/handshake/identity.js +1 -1
  115. package/dist/handshake/pow.js +1 -1
  116. package/dist/handshake/server_state.d.ts +3 -3
  117. package/dist/handshake/server_state.js +3 -3
  118. package/dist/index.d.ts +1 -1
  119. package/dist/index.js +1 -1
  120. package/dist/keys/compromise.d.ts +2 -2
  121. package/dist/keys/compromise.js +1 -1
  122. package/dist/keys/device_certificate.d.ts +3 -3
  123. package/dist/keys/device_certificate.js +4 -4
  124. package/dist/keys/key_revocation.d.ts +2 -2
  125. package/dist/keys/key_revocation.js +1 -1
  126. package/dist/keys/request.d.ts +17 -3
  127. package/dist/keys/request.d.ts.map +1 -1
  128. package/dist/keys/request.js.map +1 -1
  129. package/dist/keys/sign.d.ts +1 -1
  130. package/dist/keys/sign.js +1 -1
  131. package/dist/keys/signed.d.ts +3 -3
  132. package/dist/keys/signed.js +3 -3
  133. package/dist/keys/store.js +1 -1
  134. package/dist/largeattachment/crypto.d.ts +1 -1
  135. package/dist/largeattachment/crypto.js +2 -2
  136. package/dist/largeattachment/upload.d.ts +3 -3
  137. package/dist/largeattachment/upload.js +1 -1
  138. package/dist/migration/index.d.ts +1 -1
  139. package/dist/migration/index.d.ts.map +1 -1
  140. package/dist/migration/index.js +1 -1
  141. package/dist/migration/index.js.map +1 -1
  142. package/dist/migration/lockout.d.ts +2 -2
  143. package/dist/migration/lockout.js +2 -2
  144. package/dist/migration/migration.d.ts +6 -4
  145. package/dist/migration/migration.d.ts.map +1 -1
  146. package/dist/migration/migration.js +3 -3
  147. package/dist/migration/migration.js.map +1 -1
  148. package/dist/migration/notice.d.ts +31 -19
  149. package/dist/migration/notice.d.ts.map +1 -1
  150. package/dist/migration/notice.js +37 -71
  151. package/dist/migration/notice.js.map +1 -1
  152. package/dist/migration/orchestrate.d.ts +10 -10
  153. package/dist/migration/orchestrate.d.ts.map +1 -1
  154. package/dist/migration/orchestrate.js +23 -23
  155. package/dist/migration/orchestrate.js.map +1 -1
  156. package/dist/migration/sign.js +9 -9
  157. package/dist/migration/sign.js.map +1 -1
  158. package/dist/migration/types.d.ts +35 -29
  159. package/dist/migration/types.d.ts.map +1 -1
  160. package/dist/migration/types.js +5 -7
  161. package/dist/migration/types.js.map +1 -1
  162. package/dist/recovery/bundle_store.js +1 -1
  163. package/dist/recovery/sign.js +3 -3
  164. package/dist/recovery/types.d.ts +3 -3
  165. package/dist/reputation/abuse_report.d.ts +3 -3
  166. package/dist/reputation/abuse_report.js +2 -2
  167. package/dist/reputation/eligibility.d.ts +44 -0
  168. package/dist/reputation/eligibility.d.ts.map +1 -0
  169. package/dist/reputation/eligibility.js +58 -0
  170. package/dist/reputation/eligibility.js.map +1 -0
  171. package/dist/reputation/evidence.d.ts +47 -0
  172. package/dist/reputation/evidence.d.ts.map +1 -0
  173. package/dist/reputation/evidence.js +117 -0
  174. package/dist/reputation/evidence.js.map +1 -0
  175. package/dist/reputation/gossip_fetch.d.ts +2 -2
  176. package/dist/reputation/gossip_fetch.js +1 -1
  177. package/dist/reputation/index.d.ts +4 -1
  178. package/dist/reputation/index.d.ts.map +1 -1
  179. package/dist/reputation/index.js +4 -1
  180. package/dist/reputation/index.js.map +1 -1
  181. package/dist/reputation/pow.d.ts +1 -1
  182. package/dist/reputation/pow.js +1 -1
  183. package/dist/reputation/references.d.ts +51 -0
  184. package/dist/reputation/references.d.ts.map +1 -0
  185. package/dist/reputation/references.js +95 -0
  186. package/dist/reputation/references.js.map +1 -0
  187. package/dist/reputation/sign.d.ts +1 -1
  188. package/dist/reputation/sign.js +2 -2
  189. package/dist/reputation/types.d.ts +46 -2
  190. package/dist/reputation/types.d.ts.map +1 -1
  191. package/dist/reputation/types.js +14 -0
  192. package/dist/reputation/types.js.map +1 -1
  193. package/dist/reputation/whois.d.ts +1 -1
  194. package/dist/reputation/whois.js +1 -1
  195. package/dist/seal/wrap.d.ts +2 -2
  196. package/dist/seal/wrap.js +4 -4
  197. package/dist/session/dispatcher.d.ts +3 -3
  198. package/dist/session/dispatcher.js +1 -1
  199. package/dist/session/rekey_seal.d.ts +3 -3
  200. package/dist/session/rekey_seal.js +3 -3
  201. package/dist/session/session.d.ts +3 -3
  202. package/dist/session/session.js +3 -3
  203. package/dist/transparency/log.d.ts +1 -1
  204. package/dist/transparency/log.js +2 -2
  205. package/dist/transparency/types.d.ts +2 -2
  206. package/dist/transparency/types.js +1 -1
  207. package/dist/transport/h2.d.ts +33 -12
  208. package/dist/transport/h2.d.ts.map +1 -1
  209. package/dist/transport/h2.js +40 -13
  210. package/dist/transport/h2.js.map +1 -1
  211. package/dist/transport/index.d.ts +1 -1
  212. package/dist/transport/index.d.ts.map +1 -1
  213. package/dist/transport/index.js +1 -1
  214. package/dist/transport/index.js.map +1 -1
  215. package/dist/transport/memory.js +1 -1
  216. package/dist/transport/ws.d.ts +1 -1
  217. package/dist/transport/ws.js +1 -1
  218. package/package.json +1 -1
package/dist/reputation/evidence.d.ts ADDED
@@ -0,0 +1,47 @@
1
+ /**
2
+ * Evidence-hash binding helpers per REPUTATION.md §5.5.1.
3
+ *
4
+ * A SEMP_TRUST_OBSERVATION that claims `evidence_available: true`
5
+ * carries an `evidence_hash` over the bytes returned by
6
+ * `evidence_uri`. A consumer MUST verify the fetched bytes against
7
+ * the hash before treating the evidence as authoritative; a
8
+ * mismatch is equivalent to a signature failure.
9
+ *
10
+ * @module
11
+ */
12
+ import { type Observation } from "./types.js";
13
+ /** Sentinel error class returned on any evidence-hash divergence. */
14
+ export declare class EvidenceHashMismatchError extends Error {
15
+ constructor(message: string);
16
+ }
17
+ /** Sentinel error class returned on observation size violations. */
18
+ export declare class ObservationOversizedError extends Error {
19
+ constructor(message: string);
20
+ }
21
+ /**
22
+ * Enforce the §4.2 rules linking `evidence_available`,
23
+ * `evidence_uri`, and `evidence_hash`:
24
+ *
25
+ * - true -> both `evidence_uri` and `evidence_hash` MUST be present.
26
+ * - false -> both `evidence_uri` and `evidence_hash` MUST be absent.
27
+ *
28
+ * Throws with a descriptive message on any violation.
29
+ */
30
+ export declare function validateEvidenceFields(observation: Observation): void;
31
+ /**
32
+ * Verify that `evidence` hashes to the observation's
33
+ * `evidence_hash.value` under `evidence_hash.algorithm`. Throws
34
+ * {@link EvidenceHashMismatchError} on any divergence (algorithm
35
+ * unsupported, base64 decode failure, digest mismatch).
36
+ *
37
+ * Currently the only defined algorithm is "sha-256".
38
+ */
39
+ export declare function verifyEvidenceBytes(observation: Observation, evidence: Uint8Array): void;
40
+ /**
41
+ * Throw {@link ObservationOversizedError} when the canonical UTF-8
42
+ * JSON form of an observation exceeds {@link MaxObservationBytes}.
43
+ * Servers MUST run this before propagating a received observation
44
+ * per §4.6.1.
45
+ */
46
+ export declare function checkObservationSize(canonicalBytes: Uint8Array): void;
47
+ //# sourceMappingURL=evidence.d.ts.map
package/dist/reputation/evidence.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"evidence.d.ts","sourceRoot":"","sources":["../../src/reputation/evidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAAE,KAAK,WAAW,EAAuB,MAAM,YAAY,CAAC;AAEnE,qEAAqE;AACrE,qBAAa,yBAA0B,SAAQ,KAAK;gBACtC,OAAO,EAAE,MAAM;CAI5B;AAED,oEAAoE;AACpE,qBAAa,yBAA0B,SAAQ,KAAK;gBACtC,OAAO,EAAE,MAAM;CAI5B;AAED;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,WAAW,GAAG,IAAI,CAmCrE;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,WAAW,EACxB,QAAQ,EAAE,UAAU,GACnB,IAAI,CAoCN;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,UAAU,GAAG,IAAI,CAMrE"}
package/dist/reputation/evidence.js ADDED
@@ -0,0 +1,117 @@
1
+ /**
2
+ * Evidence-hash binding helpers per REPUTATION.md §5.5.1.
3
+ *
4
+ * A SEMP_TRUST_OBSERVATION that claims `evidence_available: true`
5
+ * carries an `evidence_hash` over the bytes returned by
6
+ * `evidence_uri`. A consumer MUST verify the fetched bytes against
7
+ * the hash before treating the evidence as authoritative; a
8
+ * mismatch is equivalent to a signature failure.
9
+ *
10
+ * @module
11
+ */
12
+ import { sha256 } from "@noble/hashes/sha2.js";
13
+ import { MaxObservationBytes } from "./types.js";
14
+ /** Sentinel error class returned on any evidence-hash divergence. */
15
+ export class EvidenceHashMismatchError extends Error {
16
+ constructor(message) {
17
+ super(message);
18
+ this.name = "EvidenceHashMismatchError";
19
+ }
20
+ }
21
+ /** Sentinel error class returned on observation size violations. */
22
+ export class ObservationOversizedError extends Error {
23
+ constructor(message) {
24
+ super(message);
25
+ this.name = "ObservationOversizedError";
26
+ }
27
+ }
28
+ /**
29
+ * Enforce the §4.2 rules linking `evidence_available`,
30
+ * `evidence_uri`, and `evidence_hash`:
31
+ *
32
+ * - true -> both `evidence_uri` and `evidence_hash` MUST be present.
33
+ * - false -> both `evidence_uri` and `evidence_hash` MUST be absent.
34
+ *
35
+ * Throws with a descriptive message on any violation.
36
+ */
37
+ export function validateEvidenceFields(observation) {
38
+ if (observation.evidence_available) {
39
+ if (observation.evidence_uri === undefined ||
40
+ observation.evidence_uri === "") {
41
+ throw new Error("reputation: evidence_available=true requires evidence_uri");
42
+ }
43
+ if (observation.evidence_hash === undefined) {
44
+ throw new Error("reputation: evidence_available=true requires evidence_hash");
45
+ }
46
+ if (observation.evidence_hash.algorithm === "" ||
47
+ observation.evidence_hash.value === "") {
48
+ throw new Error("reputation: evidence_hash requires algorithm and value");
49
+ }
50
+ return;
51
+ }
52
+ if (observation.evidence_uri !== undefined) {
53
+ throw new Error("reputation: evidence_available=false MUST NOT carry evidence_uri");
54
+ }
55
+ if (observation.evidence_hash !== undefined) {
56
+ throw new Error("reputation: evidence_available=false MUST NOT carry evidence_hash");
57
+ }
58
+ }
59
+ /**
60
+ * Verify that `evidence` hashes to the observation's
61
+ * `evidence_hash.value` under `evidence_hash.algorithm`. Throws
62
+ * {@link EvidenceHashMismatchError} on any divergence (algorithm
63
+ * unsupported, base64 decode failure, digest mismatch).
64
+ *
65
+ * Currently the only defined algorithm is "sha-256".
66
+ */
67
+ export function verifyEvidenceBytes(observation, evidence) {
68
+ if (observation.evidence_hash === undefined) {
69
+ throw new EvidenceHashMismatchError("reputation: observation has no evidence_hash");
70
+ }
71
+ let want;
72
+ try {
73
+ want = decodeBase64(observation.evidence_hash.value);
74
+ }
75
+ catch (err) {
76
+ throw new EvidenceHashMismatchError(`reputation: evidence_hash.value not base64: ${err instanceof Error ? err.message : String(err)}`);
77
+ }
78
+ let got;
79
+ switch (observation.evidence_hash.algorithm) {
80
+ case "sha-256":
81
+ got = sha256(evidence);
82
+ break;
83
+ default:
84
+ throw new EvidenceHashMismatchError(`reputation: unsupported evidence_hash algorithm "${observation.evidence_hash.algorithm}"`);
85
+ }
86
+ if (got.length !== want.length) {
87
+ throw new EvidenceHashMismatchError("reputation: evidence_hash length mismatch");
88
+ }
89
+ for (let i = 0; i < got.length; i++) {
90
+ if (got[i] !== want[i]) {
91
+ throw new EvidenceHashMismatchError("reputation: evidence_hash digest does not match fetched bytes");
92
+ }
93
+ }
94
+ }
95
+ /**
96
+ * Throw {@link ObservationOversizedError} when the canonical UTF-8
97
+ * JSON form of an observation exceeds {@link MaxObservationBytes}.
98
+ * Servers MUST run this before propagating a received observation
99
+ * per §4.6.1.
100
+ */
101
+ export function checkObservationSize(canonicalBytes) {
102
+ if (canonicalBytes.length > MaxObservationBytes) {
103
+ throw new ObservationOversizedError(`reputation: observation ${canonicalBytes.length} bytes exceeds 16 KiB cap`);
104
+ }
105
+ }
106
+ function decodeBase64(s) {
107
+ if (typeof Buffer !== "undefined") {
108
+ return new Uint8Array(Buffer.from(s, "base64"));
109
+ }
110
+ const bin = atob(s);
111
+ const out = new Uint8Array(bin.length);
112
+ for (let i = 0; i < bin.length; i++) {
113
+ out[i] = bin.charCodeAt(i);
114
+ }
115
+ return out;
116
+ }
117
+ //# sourceMappingURL=evidence.js.map
package/dist/reputation/evidence.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"evidence.js","sourceRoot":"","sources":["../../src/reputation/evidence.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,OAAO,EAAoB,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEnE,qEAAqE;AACrE,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IAClD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF;AAED,oEAAoE;AACpE,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IAClD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CAAC,WAAwB;IAC7D,IAAI,WAAW,CAAC,kBAAkB,EAAE,CAAC;QACnC,IACE,WAAW,CAAC,YAAY,KAAK,SAAS;YACtC,WAAW,CAAC,YAAY,KAAK,EAAE,EAC/B,CAAC;YACD,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;QACJ,CAAC;QACD,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;QACJ,CAAC;QACD,IACE,WAAW,CAAC,aAAa,CAAC,SAAS,KAAK,EAAE;YAC1C,WAAW,CAAC,aAAa,CAAC,KAAK,KAAK,EAAE,EACtC,CAAC;YACD,MAAM,IAAI,KAAK,CACb,wDAAwD,CACzD,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IACD,IAAI,WAAW,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAC;IACJ,CAAC;IACD,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,mEAAmE,CACpE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,WAAwB,EACxB,QAAoB;IAEpB,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,IAAI,yBAAyB,CACjC,8CAA8C,CAC/C,CAAC;IACJ,CAAC;IACD,IAAI,IAAgB,CAAC;IACrB,IAAI,CAAC;QACH,IAAI,GAAG,YAAY,CAAC,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,yBAAyB,CACjC,+CAA+C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAClG,CAAC;IACJ,CAAC;IACD,IAAI,GAAe,CAAC;IACpB,QAAQ,WAAW,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC;QAC5C,KAAK,SAAS;YACZ,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;YACvB,MAAM;QACR;YACE,MAAM,IAAI,yBAAyB,CACjC,oDAAoD,WAAW,CAAC,aAAa,CAAC,SAAS,GAAG,CAC3F,CAAC;IACN,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,yBAAyB,CACjC,2CAA2C,CAC5C,CAAC;IACJ,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,yBAAyB,CACjC,+DAA+D,CAChE,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,cAA0B;IAC7D,IAAI,cAAc,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAChD,MAAM,IAAI,yBAAyB,CACjC,2BAA2B,cAAc,CAAC,MAAM,2BAA2B,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
package/dist/reputation/gossip_fetch.d.ts CHANGED
@@ -31,7 +31,7 @@ export interface FetchTrustObservationsOptions {
31
31
  /** Optional cancellation signal. */
32
32
  signal?: AbortSignal;
33
33
  /**
34
- * Per-request timeout in milliseconds. Defaults to 10 seconds
34
+ * Per-request timeout in milliseconds. Defaults to 10 seconds -
35
35
  * matches `discovery.fetchConfiguration`.
36
36
  */
37
37
  timeoutMs?: number;
@@ -52,7 +52,7 @@ export interface FetchTrustObservationsOptions {
52
52
  * return the parsed envelope.
53
53
  *
54
54
  * Per-observation signatures inside `result.observations` are NOT
55
- * verified callers walk those and call
55
+ * verified - callers walk those and call
56
56
  * {@link "./sign".verifyObservation} on each, because different
57
57
  * observations in the same envelope MAY be signed under different
58
58
  * key_ids (e.g. after a key rotation).
package/dist/reputation/gossip_fetch.js CHANGED
@@ -31,7 +31,7 @@ export const TrustGossipMaxBytes = 1 * 1024 * 1024;
31
31
  * return the parsed envelope.
32
32
  *
33
33
  * Per-observation signatures inside `result.observations` are NOT
34
- * verified callers walk those and call
34
+ * verified - callers walk those and call
35
35
  * {@link "./sign".verifyObservation} on each, because different
36
36
  * observations in the same envelope MAY be signed under different
37
37
  * key_ids (e.g. after a key rotation).
package/dist/reputation/index.d.ts CHANGED
@@ -8,7 +8,10 @@
8
8
  *
9
9
  * @module
10
10
  */
11
- export { type AbuseCategory, type AbuseReport, type Assessment, type DisclosureAuthorization, type DisclosureScope, type Evidence, type GossipHash, type Metrics, type Observation, type ReputationSignature, type SealedEnvelopeEvidence, type TrustObservations, type Window, AbuseReportType, MaxMetricBucket, ObservationType, ObservationsEnvelopeType, PublicationPath, Version, isKnownAbuseCategory, } from "./types.js";
11
+ export { type AbuseCategory, type AbuseReport, type Assessment, type DisclosureAuthorization, type DisclosureScope, type Evidence, type EvidenceHash, type GossipHash, type Metrics, type Observation, type ReputationSignature, type SealedEnvelopeEvidence, type TrustObservations, type Window, AbuseReportType, MaxEvidenceBytes, MaxMetricBucket, MaxObservationBytes, ObservationType, ObservationsEnvelopeType, PublicationPath, Version, isKnownAbuseCategory, } from "./types.js";
12
+ export { EvidenceHashMismatchError, ObservationOversizedError, checkObservationSize, validateEvidenceFields, verifyEvidenceBytes, } from "./evidence.js";
13
+ export { MinPublishVolumeEnvelopes, allMetricsZero, eligibleForPublication, meetsPublishVolume, } from "./eligibility.js";
14
+ export { type ReferenceEntry, type References, ReferencesPrefix, ReferencesType, ReferencesVersion, signReferences, validateReferences, verifyReferences, } from "./references.js";
12
15
  export { applyBucketing, bucketize, dedupeAbuseCategories, } from "./bucketize.js";
13
16
  export { SignatureAlgorithmEd25519, authAllowsBrief, authAllowsEnclosure, signDisclosureAuthorization, signObservation, signTrustObservations, validateAbuseReport, verifyDisclosureAuthorization, verifyObservation, verifyTrustObservations, } from "./sign.js";
14
17
  export { type Score, ObservationStore, classifyScore, } from "./observation_store.js";
package/dist/reputation/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reputation/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,UAAU,EACf,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACpB,KAAK,QAAQ,EACb,KAAK,UAAU,EACf,KAAK,OAAO,EACZ,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,MAAM,EACX,eAAe,EACf,eAAe,EACf,eAAe,EACf,wBAAwB,EACxB,eAAe,EACf,OAAO,EACP,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,cAAc,EACd,SAAS,EACT,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,yBAAyB,EACzB,eAAe,EACf,mBAAmB,EACnB,2BAA2B,EAC3B,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,6BAA6B,EAC7B,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,KAAK,KAAK,EACV,gBAAgB,EAChB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EACL,KAAK,YAAY,EACjB,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,GACf,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,KAAK,KAAK,EACV,cAAc,EACd,WAAW,GACZ,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAClB,cAAc,EACd,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,KAAK,6BAA6B,EAClC,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reputation/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,UAAU,EACf,KAAK,uBAAuB,EAC5B,KAAK,eAAe,EACpB,KAAK,QAAQ,EACb,KAAK,YAAY,EACjB,KAAK,UAAU,EACf,KAAK,OAAO,EACZ,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,MAAM,EACX,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,eAAe,EACf,wBAAwB,EACxB,eAAe,EACf,OAAO,EACP,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,yBAAyB,EACzB,cAAc,EACd,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,cAAc,EACd,SAAS,EACT,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,yBAAyB,EACzB,eAAe,EACf,mBAAmB,EACnB,2BAA2B,EAC3B,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,6BAA6B,EAC7B,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,KAAK,KAAK,EACV,gBAAgB,EAChB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EACL,KAAK,YAAY,EACjB,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,GACf,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,KAAK,KAAK,EACV,cAAc,EACd,WAAW,GACZ,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAClB,cAAc,EACd,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,KAAK,6BAA6B,EAClC,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}
package/dist/reputation/index.js CHANGED
@@ -8,7 +8,10 @@
8
8
  *
9
9
  * @module
10
10
  */
11
- export { AbuseReportType, MaxMetricBucket, ObservationType, ObservationsEnvelopeType, PublicationPath, Version, isKnownAbuseCategory, } from "./types.js";
11
+ export { AbuseReportType, MaxEvidenceBytes, MaxMetricBucket, MaxObservationBytes, ObservationType, ObservationsEnvelopeType, PublicationPath, Version, isKnownAbuseCategory, } from "./types.js";
12
+ export { EvidenceHashMismatchError, ObservationOversizedError, checkObservationSize, validateEvidenceFields, verifyEvidenceBytes, } from "./evidence.js";
13
+ export { MinPublishVolumeEnvelopes, allMetricsZero, eligibleForPublication, meetsPublishVolume, } from "./eligibility.js";
14
+ export { ReferencesPrefix, ReferencesType, ReferencesVersion, signReferences, validateReferences, verifyReferences, } from "./references.js";
12
15
  export { applyBucketing, bucketize, dedupeAbuseCategories, } from "./bucketize.js";
13
16
  export { SignatureAlgorithmEd25519, authAllowsBrief, authAllowsEnclosure, signDisclosureAuthorization, signObservation, signTrustObservations, validateAbuseReport, verifyDisclosureAuthorization, verifyObservation, verifyTrustObservations, } from "./sign.js";
14
17
  export { ObservationStore, classifyScore, } from "./observation_store.js";
package/dist/reputation/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/reputation/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAcL,eAAe,EACf,eAAe,EACf,eAAe,EACf,wBAAwB,EACxB,eAAe,EACf,OAAO,EACP,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,cAAc,EACd,SAAS,EACT,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,yBAAyB,EACzB,eAAe,EACf,mBAAmB,EACnB,2BAA2B,EAC3B,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,6BAA6B,EAC7B,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAEL,gBAAgB,EAChB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EAEL,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,GACf,MAAM,UAAU,CAAC;AAElB,OAAO,EAEL,cAAc,EACd,WAAW,GACZ,MAAM,YAAY,CAAC;AAEpB,OAAO,EAGL,cAAc,EACd,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAEL,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/reputation/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAeL,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,eAAe,EACf,wBAAwB,EACxB,eAAe,EACf,OAAO,EACP,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,yBAAyB,EACzB,cAAc,EACd,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAGL,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,cAAc,EACd,SAAS,EACT,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,yBAAyB,EACzB,eAAe,EACf,mBAAmB,EACnB,2BAA2B,EAC3B,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,6BAA6B,EAC7B,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAEL,gBAAgB,EAChB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,OAAO,EAEL,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,GACf,MAAM,UAAU,CAAC;AAElB,OAAO,EAEL,cAAc,EACd,WAAW,GACZ,MAAM,YAAY,CAAC;AAEpB,OAAO,EAGL,cAAc,EACd,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAEL,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}
package/dist/reputation/pow.d.ts CHANGED
@@ -58,7 +58,7 @@ export declare function difficultyForAssessment(a: Assessment | ""): number;
58
58
  * `ttlMs <= 0` is replaced with {@link DefaultChallengeTTLMs}.
59
59
  */
60
60
  export declare function issueChallenge(difficulty: number, ttlMs?: number, rand?: (n: number) => Uint8Array): PoWChallenge;
61
- /** Base64-encoded challenge prefix what the wire carries. */
61
+ /** Base64-encoded challenge prefix - what the wire carries. */
62
62
  export declare function challengePrefixBase64(c: PoWChallenge): string;
63
63
  /**
64
64
  * Tracks issued + redeemed challenges; prevents replay per §8.3.4.
package/dist/reputation/pow.js CHANGED
@@ -75,7 +75,7 @@ export function issueChallenge(difficulty, ttlMs, rand = defaultRand) {
75
75
  expires: new Date(Date.now() + ttl),
76
76
  };
77
77
  }
78
- /** Base64-encoded challenge prefix what the wire carries. */
78
+ /** Base64-encoded challenge prefix - what the wire carries. */
79
79
  export function challengePrefixBase64(c) {
80
80
  if (typeof Buffer !== "undefined") {
81
81
  return Buffer.from(c.prefix).toString("base64");
package/dist/reputation/references.d.ts ADDED
@@ -0,0 +1,51 @@
1
+ /**
2
+ * SEMP_REPUTATION_REFERENCES document per
3
+ * draft-gokce-semp-delivery §12.2.
4
+ *
5
+ * Lists third-party observers a subject domain points peers at
6
+ * when they want to cross-check the subject's reputation. The
7
+ * subject domain signs the document with its domain signing key
8
+ * under the SEMP-REPUTATION-REFERENCES: prefix; consumers verify
9
+ * against the published domain key.
10
+ *
11
+ * @module
12
+ */
13
+ import type { Assessment, ReputationSignature } from "./types.js";
14
+ /** Wire-level type discriminator. */
15
+ export declare const ReferencesType = "SEMP_REPUTATION_REFERENCES";
16
+ /** Wire-level version. */
17
+ export declare const ReferencesVersion = "1.0.0";
18
+ /** Domain-separation prefix for SEMP_REPUTATION_REFERENCES signatures. */
19
+ export declare const ReferencesPrefix = "SEMP-REPUTATION-REFERENCES:";
20
+ /** Single observer reference. */
21
+ export interface ReferenceEntry {
22
+ observer: string;
23
+ uri: string;
24
+ /** ISO 8601 UTC. */
25
+ fetched_at: string;
26
+ /** Optional cached classification hint; informational. */
27
+ assessment?: Assessment;
28
+ }
29
+ /** SEMP_REPUTATION_REFERENCES record per §12.2. */
30
+ export interface References {
31
+ type: typeof ReferencesType;
32
+ version: string;
33
+ domain: string;
34
+ references: ReferenceEntry[];
35
+ /** ISO 8601 UTC. */
36
+ timestamp: string;
37
+ signature: ReputationSignature;
38
+ }
39
+ /**
40
+ * Sign `r.signature` with the subject domain's signing key under
41
+ * the SEMP-REPUTATION-REFERENCES: prefix. Mutates r in place and
42
+ * returns the base64 signature value.
43
+ */
44
+ export declare function signReferences(r: References, domainPriv: Uint8Array, domainKeyId: string): string;
45
+ /** Verify `r.signature` against the subject domain's public key. */
46
+ export declare function verifyReferences(r: References, domainPub: Uint8Array): boolean;
47
+ /** Structural validation per §12.2. */
48
+ export declare function validateReferences(r: References, opts?: {
49
+ skipSignatureCheck?: boolean;
50
+ }): void;
51
+ //# sourceMappingURL=references.d.ts.map
package/dist/reputation/references.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"references.d.ts","sourceRoot":"","sources":["../../src/reputation/references.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAElE,qCAAqC;AACrC,eAAO,MAAM,cAAc,+BAA+B,CAAC;AAE3D,0BAA0B;AAC1B,eAAO,MAAM,iBAAiB,UAAU,CAAC;AAEzC,0EAA0E;AAC1E,eAAO,MAAM,gBAAgB,gCAAgC,CAAC;AAE9D,iCAAiC;AACjC,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,oBAAoB;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED,mDAAmD;AACnD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,cAAc,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,cAAc,EAAE,CAAC;IAC7B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,mBAAmB,CAAC;CAChC;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAC5B,CAAC,EAAE,UAAU,EACb,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE,MAAM,GAClB,MAAM,CAsBR;AAED,oEAAoE;AACpE,wBAAgB,gBAAgB,CAC9B,CAAC,EAAE,UAAU,EACb,SAAS,EAAE,UAAU,GACpB,OAAO,CAYT;AAED,uCAAuC;AACvC,wBAAgB,kBAAkB,CAChC,CAAC,EAAE,UAAU,EACb,IAAI,GAAE;IAAE,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAAO,GAC1C,IAAI,CAiCN"}
package/dist/reputation/references.js ADDED
@@ -0,0 +1,95 @@
1
+ /**
2
+ * SEMP_REPUTATION_REFERENCES document per
3
+ * draft-gokce-semp-delivery §12.2.
4
+ *
5
+ * Lists third-party observers a subject domain points peers at
6
+ * when they want to cross-check the subject's reputation. The
7
+ * subject domain signs the document with its domain signing key
8
+ * under the SEMP-REPUTATION-REFERENCES: prefix; consumers verify
9
+ * against the published domain key.
10
+ *
11
+ * @module
12
+ */
13
+ import { signSignedDoc, verifySignedDoc } from "../keys/index.js";
14
+ /** Wire-level type discriminator. */
15
+ export const ReferencesType = "SEMP_REPUTATION_REFERENCES";
16
+ /** Wire-level version. */
17
+ export const ReferencesVersion = "1.0.0";
18
+ /** Domain-separation prefix for SEMP_REPUTATION_REFERENCES signatures. */
19
+ export const ReferencesPrefix = "SEMP-REPUTATION-REFERENCES:";
20
+ /**
21
+ * Sign `r.signature` with the subject domain's signing key under
22
+ * the SEMP-REPUTATION-REFERENCES: prefix. Mutates r in place and
23
+ * returns the base64 signature value.
24
+ */
25
+ export function signReferences(r, domainPriv, domainKeyId) {
26
+ if (domainKeyId === "") {
27
+ throw new Error("reputation: empty domain key_id");
28
+ }
29
+ if (r.type === "") {
30
+ r.type = ReferencesType;
31
+ }
32
+ if (r.version === "") {
33
+ r.version = ReferencesVersion;
34
+ }
35
+ validateReferences(r, { skipSignatureCheck: true });
36
+ r.signature.algorithm = "ed25519";
37
+ r.signature.key_id = domainKeyId;
38
+ r.signature.value = "";
39
+ const { signedJSON, signatureB64 } = signSignedDoc({
40
+ preSignJSON: r,
41
+ seed: domainPriv,
42
+ signaturePath: "signature.value",
43
+ prefix: ReferencesPrefix,
44
+ });
45
+ r.signature.value = signedJSON.signature.value;
46
+ return signatureB64;
47
+ }
48
+ /** Verify `r.signature` against the subject domain's public key. */
49
+ export function verifyReferences(r, domainPub) {
50
+ validateReferences(r);
51
+ if (r.signature.value === "") {
52
+ return false;
53
+ }
54
+ const { ok } = verifySignedDoc({
55
+ signedJSON: r,
56
+ publicKey: domainPub,
57
+ signaturePath: "signature.value",
58
+ prefix: ReferencesPrefix,
59
+ });
60
+ return ok;
61
+ }
62
+ /** Structural validation per §12.2. */
63
+ export function validateReferences(r, opts = {}) {
64
+ if (r.type !== ReferencesType) {
65
+ throw new Error(`reputation: references type ${JSON.stringify(r.type)}, want ${ReferencesType}`);
66
+ }
67
+ if (r.version === "") {
68
+ throw new Error("reputation: references missing version");
69
+ }
70
+ if (r.domain === "") {
71
+ throw new Error("reputation: references missing domain");
72
+ }
73
+ if (r.timestamp === "") {
74
+ throw new Error("reputation: references missing timestamp");
75
+ }
76
+ for (let i = 0; i < r.references.length; i++) {
77
+ const e = r.references[i];
78
+ if (e === undefined) {
79
+ continue;
80
+ }
81
+ if (e.observer === "") {
82
+ throw new Error(`reputation: references[${i}] missing observer`);
83
+ }
84
+ if (e.uri === "") {
85
+ throw new Error(`reputation: references[${i}] missing uri`);
86
+ }
87
+ if (e.fetched_at === "") {
88
+ throw new Error(`reputation: references[${i}] missing fetched_at`);
89
+ }
90
+ }
91
+ if (!opts.skipSignatureCheck && r.signature === undefined) {
92
+ throw new Error("reputation: references missing signature");
93
+ }
94
+ }
95
+ //# sourceMappingURL=references.js.map
package/dist/reputation/references.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"references.js","sourceRoot":"","sources":["../../src/reputation/references.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAIlE,qCAAqC;AACrC,MAAM,CAAC,MAAM,cAAc,GAAG,4BAA4B,CAAC;AAE3D,0BAA0B;AAC1B,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAEzC,0EAA0E;AAC1E,MAAM,CAAC,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;AAuB9D;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAC5B,CAAa,EACb,UAAsB,EACtB,WAAmB;IAEnB,IAAI,WAAW,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IACD,IAAK,CAAC,CAAC,IAAe,KAAK,EAAE,EAAE,CAAC;QAC9B,CAAC,CAAC,IAAI,GAAG,cAAc,CAAC;IAC1B,CAAC;IACD,IAAI,CAAC,CAAC,OAAO,KAAK,EAAE,EAAE,CAAC;QACrB,CAAC,CAAC,OAAO,GAAG,iBAAiB,CAAC;IAChC,CAAC;IACD,kBAAkB,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,SAAS,CAAC,SAAS,GAAG,SAAS,CAAC;IAClC,CAAC,CAAC,SAAS,CAAC,MAAM,GAAG,WAAW,CAAC;IACjC,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,EAAE,CAAC;IACvB,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC;QACjD,WAAW,EAAE,CAAuC;QACpD,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,iBAAiB;QAChC,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;IACH,CAAC,CAAC,SAAS,CAAC,KAAK,GAAI,UAAU,CAAC,SAA+B,CAAC,KAAK,CAAC;IACtE,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,oEAAoE;AACpE,MAAM,UAAU,gBAAgB,CAC9B,CAAa,EACb,SAAqB;IAErB,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACtB,IAAI,CAAC,CAAC,SAAS,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,EAAE,EAAE,EAAE,GAAG,eAAe,CAAC;QAC7B,UAAU,EAAE,CAAuC;QACnD,SAAS,EAAE,SAAS;QACpB,aAAa,EAAE,iBAAiB;QAChC,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,kBAAkB,CAChC,CAAa,EACb,OAAyC,EAAE;IAE3C,IAAI,CAAC,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,+BAA+B,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,cAAc,EAAE,CAChF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,CAAC,OAAO,KAAK,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACpB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,oBAAoB,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,eAAe,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,CAAC,CAAC,UAAU,KAAK,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,sBAAsB,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}
package/dist/reputation/sign.d.ts CHANGED
@@ -2,7 +2,7 @@
2
2
  * Sign / verify primitives for reputation wire records per
3
3
  * REPUTATION.md §4.2 + §3.5 + §5.
4
4
  *
5
- * Reputation records use a NO-PREFIX signing input the canonical
5
+ * Reputation records use a NO-PREFIX signing input - the canonical
6
6
  * bytes with `signature.value` elided are signed directly under
7
7
  * Ed25519. Other SEMP records use SEMP-* domain-separation
8
8
  * prefixes (registered in ENVELOPE.md §4.3) but reputation ones do
package/dist/reputation/sign.js CHANGED
@@ -2,7 +2,7 @@
2
2
  * Sign / verify primitives for reputation wire records per
3
3
  * REPUTATION.md §4.2 + §3.5 + §5.
4
4
  *
5
- * Reputation records use a NO-PREFIX signing input the canonical
5
+ * Reputation records use a NO-PREFIX signing input - the canonical
6
6
  * bytes with `signature.value` elided are signed directly under
7
7
  * Ed25519. Other SEMP records use SEMP-* domain-separation
8
8
  * prefixes (registered in ENVELOPE.md §4.3) but reputation ones do
@@ -126,7 +126,7 @@ export function authAllowsEnclosure(auth) {
126
126
  return auth.scope === "enclosure_only" || auth.scope === "brief_and_enclosure";
127
127
  }
128
128
  // ---------------------------------------------------------------------------
129
- // AbuseReport sent over an authenticated session, no own signature
129
+ // AbuseReport - sent over an authenticated session, no own signature
130
130
  /** Structural validation of an {@link AbuseReport} per §3.2. Throws on first violation. */
131
131
  export function validateAbuseReport(r) {
132
132
  if (r.type !== "SEMP_ABUSE_REPORT") {
package/dist/reputation/types.d.ts CHANGED
@@ -12,8 +12,16 @@ export declare const Version = "1.0.0";
12
12
  export declare const PublicationPath = "/.well-known/semp/reputation/";
13
13
  /** Assessment classification per §4.6. */
14
14
  export type Assessment = "trusted" | "neutral" | "suspicious" | "hostile";
15
- /** Abuse category per §3.4 + ERRORS.md §9. */
16
- export type AbuseCategory = "spam" | "harassment" | "phishing" | "malware" | "protocol_abuse" | "impersonation" | "other";
15
+ /**
16
+ * Abuse category per §3.4 + ERRORS.md §9.
17
+ *
18
+ * `observation_record_abuse` covers misbehavior in the trust-
19
+ * gossip observation records themselves: oversized records,
20
+ * evidence-hash mismatches, hostile or non-conforming evidence_uri
21
+ * content, fabricated metrics, and systematic publication of
22
+ * unverifiable assessments.
23
+ */
24
+ export type AbuseCategory = "spam" | "harassment" | "phishing" | "malware" | "protocol_abuse" | "impersonation" | "observation_record_abuse" | "other";
17
25
  /**
18
26
  * Report whether `c` is one of the categories defined in §3.4.
19
27
  * Unknown categories are permitted for forward compatibility.
@@ -44,6 +52,19 @@ export interface Metrics {
44
52
  }
45
53
  /** Cap applied by Bucketize: counts at/above this clamp here. */
46
54
  export declare const MaxMetricBucket: number;
55
+ /**
56
+ * Binds the bytes returned by an observation's `evidence_uri` to
57
+ * the signed observation record per REPUTATION.md §4.2 / §5.5.1.
58
+ * Consumers MUST compute the digest of the fetched bytes under
59
+ * `algorithm` and MUST treat a mismatch as a verification failure
60
+ * equivalent to a signature failure.
61
+ */
62
+ export interface EvidenceHash {
63
+ /** Digest algorithm identifier. "sha-256" is the only value currently defined. */
64
+ algorithm: string;
65
+ /** Base64-encoded digest of the evidence bytes. */
66
+ value: string;
67
+ }
47
68
  /** Single signed observation record per §4.2. */
48
69
  export interface Observation {
49
70
  type: typeof ObservationType;
@@ -55,7 +76,17 @@ export interface Observation {
55
76
  metrics: Metrics;
56
77
  assessment: Assessment;
57
78
  evidence_available: boolean;
79
+ /**
80
+ * URL where evidence can be fetched. REQUIRED when
81
+ * `evidence_available` is true; MUST be absent when false.
82
+ */
58
83
  evidence_uri?: string;
84
+ /**
85
+ * Digest binding fetched evidence to the signed observation per
86
+ * §5.5.1. REQUIRED when `evidence_available` is true; MUST be
87
+ * absent when false.
88
+ */
89
+ evidence_hash?: EvidenceHash;
59
90
  /** ISO 8601 UTC. */
60
91
  timestamp: string;
61
92
  /** ISO 8601 UTC hard expiry. */
@@ -64,6 +95,19 @@ export interface Observation {
64
95
  /** Always emitted (even when empty) so canonical bytes are stable. */
65
96
  extensions: Record<string, unknown>;
66
97
  }
98
+ /**
99
+ * §4.6.1 hard upper bound on the canonical UTF-8 JSON form of a
100
+ * single SEMP_TRUST_OBSERVATION record. Servers MUST reject larger
101
+ * records as malformed and MUST NOT propagate them.
102
+ */
103
+ export declare const MaxObservationBytes = 16384;
104
+ /**
105
+ * §5.5.2 RECOMMENDED upper bound on a single evidence-fetch
106
+ * response body. Operators MAY tighten further via local
107
+ * configuration; consumers MUST cap their fetch at a
108
+ * locally-configured limit.
109
+ */
110
+ export declare const MaxEvidenceBytes: number;
67
111
  /** Publication envelope carrying a list of observations per §5.1. */
68
112
  export interface TrustObservations {
69
113
  type: typeof ObservationsEnvelopeType;
package/dist/reputation/types.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/reputation/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+CAA+C;AAC/C,eAAO,MAAM,eAAe,2BAA2B,CAAC;AACxD,eAAO,MAAM,wBAAwB,4BAA4B,CAAC;AAClE,eAAO,MAAM,eAAe,sBAAsB,CAAC;AACnD,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,0CAA0C;AAC1C,eAAO,MAAM,eAAe,kCAAkC,CAAC;AAE/D,0CAA0C;AAC1C,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,GAAG,SAAS,CAAC;AAE1E,8CAA8C;AAC9C,MAAM,MAAM,aAAa,GACrB,MAAM,GACN,YAAY,GACZ,UAAU,GACV,SAAS,GACT,gBAAgB,GAChB,eAAe,GACf,OAAO,CAAC;AAEZ;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,IAAI,aAAa,CAalE;AAED,gCAAgC;AAChC,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,8CAA8C;AAC9C,MAAM,WAAW,MAAM;IACrB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,oBAAoB;IACpB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAO;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,aAAa,EAAE,CAAC;IACnC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,iEAAiE;AACjE,eAAO,MAAM,eAAe,QAAU,CAAC;AAEvC,iDAAiD;AACjD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,eAAe,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;IACvB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,mBAAmB,CAAC;IAC/B,sEAAsE;IACtE,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,qEAAqE;AACrE,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,OAAO,wBAAwB,CAAC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,mBAAmB,CAAC;CAChC;AAED,uCAAuC;AACvC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,iCAAiC;AACjC,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,gBAAgB,GAChB,qBAAqB,CAAC;AAE1B,sFAAsF;AACtF,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,eAAe,CAAC;IACvB,SAAS,EAAE,mBAAmB,CAAC;CAChC;AAED,uDAAuD;AACvD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9C,wBAAwB,CAAC,EAAE,uBAAuB,CAAC;CACpD;AAED,6CAA6C;AAC7C,MAAM,MAAM,QAAQ,GAChB;IACE,IAAI,EAAE,mBAAmB,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACD;IACE,IAAI,EAAE,iBAAiB,CAAC;IACxB,SAAS,EAAE,sBAAsB,EAAE,CAAC;CACrC,CAAC;AAEN,0CAA0C;AAC1C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,eAAe,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;IACjC,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/reputation/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+CAA+C;AAC/C,eAAO,MAAM,eAAe,2BAA2B,CAAC;AACxD,eAAO,MAAM,wBAAwB,4BAA4B,CAAC;AAClE,eAAO,MAAM,eAAe,sBAAsB,CAAC;AACnD,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,0CAA0C;AAC1C,eAAO,MAAM,eAAe,kCAAkC,CAAC;AAE/D,0CAA0C;AAC1C,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,GAAG,SAAS,CAAC;AAE1E;;;;;;;;GAQG;AACH,MAAM,MAAM,aAAa,GACrB,MAAM,GACN,YAAY,GACZ,UAAU,GACV,SAAS,GACT,gBAAgB,GAChB,eAAe,GACf,0BAA0B,GAC1B,OAAO,CAAC;AAEZ;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,IAAI,aAAa,CAclE;AAED,gCAAgC;AAChC,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,8CAA8C;AAC9C,MAAM,WAAW,MAAM;IACrB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,oBAAoB;IACpB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAO;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,aAAa,EAAE,CAAC;IACnC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,iEAAiE;AACjE,eAAO,MAAM,eAAe,QAAU,CAAC;AAEvC;;;;;;GAMG;AACH,MAAM,WAAW,YAAY;IAC3B,kFAAkF;IAClF,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,KAAK,EAAE,MAAM,CAAC;CACf;AAED,iDAAiD;AACjD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,eAAe,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;IACvB,kBAAkB,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,mBAAmB,CAAC;IAC/B,sEAAsE;IACtE,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAQ,CAAC;AAEzC;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,QAAc,CAAC;AAE5C,qEAAqE;AACrE,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,OAAO,wBAAwB,CAAC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,mBAAmB,CAAC;CAChC;AAED,uCAAuC;AACvC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,iCAAiC;AACjC,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,gBAAgB,GAChB,qBAAqB,CAAC;AAE1B,sFAAsF;AACtF,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,eAAe,CAAC;IACvB,SAAS,EAAE,mBAAmB,CAAC;CAChC;AAED,uDAAuD;AACvD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9C,wBAAwB,CAAC,EAAE,uBAAuB,CAAC;CACpD;AAED,6CAA6C;AAC7C,MAAM,MAAM,QAAQ,GAChB;IACE,IAAI,EAAE,mBAAmB,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACD;IACE,IAAI,EAAE,iBAAiB,CAAC;IACxB,SAAS,EAAE,sBAAsB,EAAE,CAAC;CACrC,CAAC;AAEN,0CAA0C;AAC1C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,eAAe,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,aAAa,GAAG,MAAM,CAAC;IACjC,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC"}
package/dist/reputation/types.js CHANGED
@@ -22,6 +22,7 @@ export function isKnownAbuseCategory(c) {
22
22
  case "malware":
23
23
  case "protocol_abuse":
24
24
  case "impersonation":
25
+ case "observation_record_abuse":
25
26
  case "other":
26
27
  return true;
27
28
  default:
@@ -30,4 +31,17 @@ export function isKnownAbuseCategory(c) {
30
31
  }
31
32
  /** Cap applied by Bucketize: counts at/above this clamp here. */
32
33
  export const MaxMetricBucket = 1 << 20;
34
+ /**
35
+ * §4.6.1 hard upper bound on the canonical UTF-8 JSON form of a
36
+ * single SEMP_TRUST_OBSERVATION record. Servers MUST reject larger
37
+ * records as malformed and MUST NOT propagate them.
38
+ */
39
+ export const MaxObservationBytes = 16384;
40
+ /**
41
+ * §5.5.2 RECOMMENDED upper bound on a single evidence-fetch
42
+ * response body. Operators MAY tighten further via local
43
+ * configuration; consumers MUST cap their fetch at a
44
+ * locally-configured limit.
45
+ */
46
+ export const MaxEvidenceBytes = 1024 * 1024;
33
47
  //# sourceMappingURL=types.js.map
package/dist/reputation/types.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/reputation/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+CAA+C;AAC/C,MAAM,CAAC,MAAM,eAAe,GAAG,wBAAwB,CAAC;AACxD,MAAM,CAAC,MAAM,wBAAwB,GAAG,yBAAyB,CAAC;AAClE,MAAM,CAAC,MAAM,eAAe,GAAG,mBAAmB,CAAC;AACnD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,0CAA0C;AAC1C,MAAM,CAAC,MAAM,eAAe,GAAG,+BAA+B,CAAC;AAe/D;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,CAAS;IAC5C,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,MAAM,CAAC;QACZ,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,SAAS,CAAC;QACf,KAAK,gBAAgB,CAAC;QACtB,KAAK,eAAe,CAAC;QACrB,KAAK,OAAO;YACV,OAAO,IAAI,CAAC;QACd;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AA4BD,iEAAiE;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,IAAI,EAAE,CAAC"}
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/reputation/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+CAA+C;AAC/C,MAAM,CAAC,MAAM,eAAe,GAAG,wBAAwB,CAAC;AACxD,MAAM,CAAC,MAAM,wBAAwB,GAAG,yBAAyB,CAAC;AAClE,MAAM,CAAC,MAAM,eAAe,GAAG,mBAAmB,CAAC;AACnD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,0CAA0C;AAC1C,MAAM,CAAC,MAAM,eAAe,GAAG,+BAA+B,CAAC;AAwB/D;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,CAAS;IAC5C,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,MAAM,CAAC;QACZ,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,SAAS,CAAC;QACf,KAAK,gBAAgB,CAAC;QACtB,KAAK,eAAe,CAAC;QACrB,KAAK,0BAA0B,CAAC;QAChC,KAAK,OAAO;YACV,OAAO,IAAI,CAAC;QACd;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AA4BD,iEAAiE;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,IAAI,EAAE,CAAC;AA+CvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,CAAC;AAEzC;;;;;GAKG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,GAAG,IAAI,CAAC"}
package/dist/reputation/whois.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  /**
2
2
  * WHOIS hooks per REPUTATION.md §2.1.
3
3
  *
4
- * Operators supply their own WHOIS implementation there is no de
4
+ * Operators supply their own WHOIS implementation - there is no de
5
5
  * facto WHOIS library that is both reliable and free of rate limits,
6
6
  * so this is intentionally pluggable.
7
7
  *
package/dist/reputation/whois.js CHANGED
@@ -1,7 +1,7 @@
1
1
  /**
2
2
  * WHOIS hooks per REPUTATION.md §2.1.
3
3
  *
4
- * Operators supply their own WHOIS implementation there is no de
4
+ * Operators supply their own WHOIS implementation - there is no de
5
5
  * facto WHOIS library that is both reliable and free of rate limits,
6
6
  * so this is intentionally pluggable.
7
7
  *
package/dist/seal/wrap.d.ts CHANGED
@@ -40,7 +40,7 @@ export declare function unwrap(suite: Suite, recipientPrivateKey: Uint8Array, re
40
40
  * Wrap `symmetricKey` for the given recipient under the negotiated
41
41
  * suite. Production code path: uses the platform CSPRNG to generate
42
42
  * a fresh ephemeral every call, which is what the §4.4.1 wrap
43
- * construction requires wrap-key uniqueness is what makes the
43
+ * construction requires - wrap-key uniqueness is what makes the
44
44
  * zero-nonce AEAD safe.
45
45
  *
46
46
  * For deterministic byte-level reproducibility (vectors, audits),
@@ -63,7 +63,7 @@ export interface WrapRandomness {
63
63
  }
64
64
  /**
65
65
  * Deterministic wrap for vector reproduction and audits. Production
66
- * code MUST use {@link wrap} (which sources fresh entropy) a
66
+ * code MUST use {@link wrap} (which sources fresh entropy) - a
67
67
  * deterministic wrap that leaks `ephemeralX25519Priv` reduces to
68
68
  * "the adversary has the wrap key". Exposed here only because
69
69
  * cross-language vectors pin these inputs.