@trust-proto/auth-node 0.1.0

package/dist/index.js

@@ -0,0 +1,1283 @@
+// src/liberion-auth.ts
+import { v1 as uuid, validate } from "uuid";
+import WebSocket2, { WebSocketServer } from "ws";
+import https from "https";
+import http from "http";
+import { encode as encode2, decode as decode2 } from "@msgpack/msgpack";
+
+// src/adapters/logger.ts
+var NoOpLogger = class {
+  info() {
+  }
+  warn() {
+  }
+  error() {
+  }
+};
+var ConsoleLogger = class {
+  prefix;
+  constructor(prefix = "[LiberionAuth]") {
+    this.prefix = prefix;
+  }
+  info(message, meta) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    if (meta && Object.keys(meta).length > 0) {
+      console.log(`${timestamp} ${this.prefix} INFO: ${message}`, meta);
+    } else {
+      console.log(`${timestamp} ${this.prefix} INFO: ${message}`);
+    }
+  }
+  warn(message, meta) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    if (meta && Object.keys(meta).length > 0) {
+      console.warn(`${timestamp} ${this.prefix} WARN: ${message}`, meta);
+    } else {
+      console.warn(`${timestamp} ${this.prefix} WARN: ${message}`);
+    }
+  }
+  error(message, meta) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    if (meta && Object.keys(meta).length > 0) {
+      console.error(`${timestamp} ${this.prefix} ERROR: ${message}`, meta);
+    } else {
+      console.error(`${timestamp} ${this.prefix} ERROR: ${message}`);
+    }
+  }
+};
+function createWinstonAdapter(winston) {
+  return {
+    info: (msg, meta) => winston.info(msg, meta),
+    warn: (msg, meta) => winston.warn(msg, meta),
+    error: (msg, meta) => winston.error(msg, meta)
+  };
+}
+function shortenAddress(address) {
+  if (!address || address.length < 10) return address ?? "";
+  return `${address.slice(0, 6)}...${address.slice(-4)}`;
+}
+
+// src/crypto/aes.ts
+import crypto from "crypto";
+var AES_CIPHER = "aes-256-cbc";
+function encryptBuffer(buffer, key) {
+  const hashedKey = crypto.createHash("sha256").update(key).digest("hex").substring(0, 32);
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv(
+    AES_CIPHER,
+    Buffer.from(hashedKey),
+    iv
+  );
+  const encrypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
+  return Buffer.concat([iv, encrypted]);
+}
+function decryptBuffer(data, key) {
+  const hashedKey = crypto.createHash("sha256").update(key).digest("hex").substring(0, 32);
+  const iv = data.subarray(0, 16);
+  const encryptedData = data.subarray(16);
+  const decipher = crypto.createDecipheriv(AES_CIPHER, hashedKey, iv);
+  return Buffer.concat([decipher.update(encryptedData), decipher.final()]);
+}
+
+// src/crypto/signature.ts
+import { ml_dsa87 } from "@noble/post-quantum/ml-dsa.js";
+function normalizeToBytes(data) {
+  if (data instanceof Uint8Array) {
+    return data;
+  }
+  if (Buffer.isBuffer(data)) {
+    return new Uint8Array(data);
+  }
+  if (data instanceof ArrayBuffer) {
+    return new Uint8Array(data);
+  }
+  if (typeof data === "string") {
+    if (data.length % 2 === 0 && /^[0-9a-fA-F]*$/.test(data)) {
+      return new Uint8Array(Buffer.from(data, "hex"));
+    }
+    return new Uint8Array(Buffer.from(data, "utf8"));
+  }
+  throw new Error(`Invalid data type: ${typeof data}`);
+}
+function normalizeSignature(signature) {
+  if (signature instanceof Uint8Array) {
+    return signature;
+  }
+  if (Buffer.isBuffer(signature)) {
+    return new Uint8Array(signature);
+  }
+  if (signature instanceof ArrayBuffer) {
+    return new Uint8Array(signature);
+  }
+  if (typeof signature === "string") {
+    return new Uint8Array(Buffer.from(signature, "hex"));
+  }
+  throw new Error(`Invalid signature format: ${typeof signature}`);
+}
+function initUserCrypto(userToken, logger = new NoOpLogger()) {
+  logger.info("[initUserCrypto] Initializing user crypto with ML-DSA-87");
+  if (!userToken || !userToken.publicKeySign) {
+    throw new Error("Invalid user token: publicKeySign not found");
+  }
+  const dsaPublicKey = new Uint8Array(
+    Buffer.from(userToken.publicKeySign, "base64")
+  );
+  if (dsaPublicKey.length !== 2592) {
+    throw new Error(
+      `Invalid ML-DSA-87 public key size: expected 2592 bytes, got ${dsaPublicKey.length}`
+    );
+  }
+  let kemPublicKey = null;
+  if (userToken.publicKeyEncrypt) {
+    try {
+      const kemBuffer = Buffer.from(userToken.publicKeyEncrypt, "base64");
+      if (kemBuffer.length !== 1568) {
+        logger.warn(
+          `[initUserCrypto] Invalid ML-KEM-1024 public key size: expected 1568, got ${kemBuffer.length}`
+        );
+      } else {
+        kemPublicKey = new Uint8Array(kemBuffer);
+      }
+    } catch (ex) {
+      const error = ex;
+      logger.warn(
+        `[initUserCrypto] Failed to parse publicKeyEncrypt: ${error.message}`
+      );
+    }
+  }
+  const verifySignature = (msg, sig) => {
+    try {
+      const msgBytes = normalizeToBytes(msg);
+      const sigBytes = normalizeSignature(sig);
+      const isValid = ml_dsa87.verify(sigBytes, msgBytes, dsaPublicKey);
+      logger.info("[initUserCrypto.verifySignature] Verification result", {
+        isValid,
+        msgLength: msgBytes.length,
+        sigLength: sigBytes.length
+      });
+      return isValid;
+    } catch (ex) {
+      const error = ex;
+      logger.error(
+        `[initUserCrypto.verifySignature] Error: ${error.message}`
+      );
+      return false;
+    }
+  };
+  logger.info("[initUserCrypto] Crypto initialized successfully", {
+    algorithm: "ML-DSA-87 + ML-KEM-1024",
+    dsaPublicKeySize: dsaPublicKey.length,
+    kemPublicKeySize: kemPublicKey?.length ?? 0,
+    hasEncryption: !!kemPublicKey
+  });
+  return {
+    dsaPublicKey,
+    kemPublicKey,
+    algorithm: "ML-DSA-87",
+    userToken,
+    verifySignature
+  };
+}
+function checkSignature(crypto2, data, signature, logger = new NoOpLogger()) {
+  logger.info("[checkSignature] Checking ML-DSA-87 signature");
+  if (!crypto2 || !crypto2.verifySignature) {
+    throw new Error("Invalid crypto instance: missing verifySignature method");
+  }
+  if (!data || !signature) {
+    throw new Error("Missing data or signature");
+  }
+  const msgBytes = normalizeToBytes(data);
+  const sigBytes = normalizeSignature(signature);
+  logger.info("[checkSignature] Data and signature normalized", {
+    dataLength: msgBytes.length,
+    signatureLength: sigBytes.length,
+    algorithm: crypto2.algorithm
+  });
+  if (sigBytes.length < 4500 || sigBytes.length > 4700) {
+    logger.warn("[checkSignature] Unexpected signature size", {
+      expected: "~4595 bytes (ML-DSA-87)",
+      actual: sigBytes.length
+    });
+  }
+  const isValid = crypto2.verifySignature(msgBytes, sigBytes);
+  if (!isValid) {
+    throw new Error("Invalid signature");
+  }
+  logger.info("[checkSignature] ML-DSA-87 signature verified successfully");
+  return true;
+}
+
+// src/blockchain/token-provider.ts
+import { Contract, JsonRpcProvider } from "ethers";
+
+// src/blockchain/constants.ts
+var PRODUCTION_CONFIG = {
+  RPC_ENDPOINT: "https://bc.liberion.com/rpc",
+  USER_CONTRACT_ADDRESS: "0xB0b23F79Bf023C97f0235BC0ffC5a8258C03fef9",
+  IPFS_GATEWAY: "https://secure.liberion.com",
+  TRUST_GATE_URL: "wss://gate.liberion.com"
+};
+var DEVELOPMENT_CONFIG = {
+  RPC_ENDPOINT: "https://bc.liberion.dev/rpc",
+  USER_CONTRACT_ADDRESS: "0xb584861f5760E9B04B7439c777246c5B82FE6Fff",
+  IPFS_GATEWAY: "https://secure.liberion.dev",
+  TRUST_GATE_URL: "wss://gate.liberion.dev"
+};
+function getNetworkConfig(env = "production") {
+  return env === "development" ? DEVELOPMENT_CONFIG : PRODUCTION_CONFIG;
+}
+var USER_CONTRACT_ABI = [
+  {
+    inputs: [
+      {
+        internalType: "address",
+        name: "tokenId",
+        type: "address"
+      }
+    ],
+    name: "tokenURI",
+    outputs: [
+      {
+        internalType: "string",
+        name: "",
+        type: "string"
+      }
+    ],
+    stateMutability: "view",
+    type: "function"
+  }
+];
+
+// src/blockchain/token-provider.ts
+var tokenCache = /* @__PURE__ */ new Map();
+var CACHE_TTL = 15 * 60 * 1e3;
+function extractIpfsHash(tokenURI) {
+  if (!tokenURI) {
+    throw new Error("tokenURI is empty");
+  }
+  if (tokenURI.startsWith("ipfs://")) {
+    return tokenURI.replace("ipfs://", "");
+  }
+  if (tokenURI.includes("/ipfs/")) {
+    const parts = tokenURI.split("/ipfs/");
+    return parts[1];
+  }
+  if (tokenURI.includes("liberion.com/")) {
+    const parts = tokenURI.split("/");
+    return parts[parts.length - 1];
+  }
+  return tokenURI;
+}
+async function fetchFromIPFS(ipfsHash, ipfsGateway, logger) {
+  const cached = tokenCache.get(ipfsHash);
+  if (cached && cached.expiry > Date.now()) {
+    logger.info("[fetchFromIPFS] Cache hit", { ipfsHash });
+    return cached.data;
+  }
+  const url = `${ipfsGateway}/${ipfsHash}`;
+  logger.info("[fetchFromIPFS] Fetching from IPFS", { url });
+  const response = await fetch(url, {
+    headers: {
+      Accept: "application/json"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(`IPFS fetch failed: ${response.status} ${response.statusText}`);
+  }
+  const data = await response.json();
+  tokenCache.set(ipfsHash, {
+    data,
+    expiry: Date.now() + CACHE_TTL
+  });
+  logger.info("[fetchFromIPFS] Token fetched and cached", { ipfsHash });
+  return data;
+}
+async function getTokenFromIPFS(address, logger = new NoOpLogger(), networkConfig) {
+  const config = networkConfig ?? getNetworkConfig();
+  logger.info("[getTokenFromIPFS] Getting SNFT token from IPFS", { address: shortenAddress(address) });
+  const provider = new JsonRpcProvider(config.RPC_ENDPOINT);
+  const contract = new Contract(
+    config.USER_CONTRACT_ADDRESS,
+    USER_CONTRACT_ABI,
+    provider
+  );
+  const tokenURI = await contract.tokenURI(address);
+  logger.info("[getTokenFromIPFS] Token URI retrieved", {
+    address: shortenAddress(address),
+    tokenURI
+  });
+  const ipfsHash = extractIpfsHash(tokenURI);
+  logger.info("[getTokenFromIPFS] IPFS hash extracted", {
+    address: shortenAddress(address),
+    ipfsHash
+  });
+  const userToken = await fetchFromIPFS(ipfsHash, config.IPFS_GATEWAY, logger);
+  if (!userToken.publicKeySign || !userToken.publicKeyEncrypt) {
+    throw new Error("Invalid SNFT token structure: missing public keys");
+  }
+  logger.info("[getTokenFromIPFS] SNFT token fetched successfully", {
+    address: shortenAddress(address),
+    hasPublicKeySign: !!userToken.publicKeySign,
+    hasPublicKeyEncrypt: !!userToken.publicKeyEncrypt,
+    hasAssets: !!userToken.assets
+  });
+  return userToken;
+}
+function clearTokenCache() {
+  tokenCache.clear();
+}
+
+// src/protocol/trust-gate-client.ts
+import WebSocket from "ws";
+import { encode, decode } from "@msgpack/msgpack";
+var TrustGateClient = class {
+  address;
+  timeout;
+  ws = null;
+  pendingRequests = /* @__PURE__ */ new Map();
+  requestId = 0;
+  connectionTimeout = null;
+  logger;
+  constructor(options) {
+    this.address = options.address;
+    this.timeout = options.timeout ?? 1e4;
+    this.logger = options.logger ?? new NoOpLogger();
+  }
+  /**
+   * Opens WebSocket connection
+   */
+  async open() {
+    this.logger.info(`[TrustGateClient] Attempting to connect to ${this.address}`);
+    return new Promise((resolve, reject) => {
+      try {
+        this.ws = new WebSocket(this.address);
+        this.ws.on("open", () => {
+          if (this.connectionTimeout) {
+            clearTimeout(this.connectionTimeout);
+          }
+          this.logger.info(`[TrustGateClient] Connected to ${this.address}`);
+          resolve();
+        });
+        this.ws.on("message", (data) => {
+          try {
+            const message = decode(data);
+            this.handleMessage(message);
+          } catch (ex) {
+            const error = ex;
+            this.logger.error(
+              `[TrustGateClient] Failed to decode message: ${error.message}`
+            );
+          }
+        });
+        this.ws.on("close", (code) => {
+          this.logger.info(
+            `[TrustGateClient] Connection closed with code ${code}`
+          );
+          this.pendingRequests.forEach((request, id) => {
+            request.reject(new Error(`Connection closed with code ${code}`));
+            this.pendingRequests.delete(id);
+          });
+        });
+        this.ws.on("error", (error) => {
+          if (this.connectionTimeout) {
+            clearTimeout(this.connectionTimeout);
+          }
+          this.logger.error("[TrustGateClient] Connection error", {
+            message: error.message,
+            code: error.code,
+            address: this.address
+          });
+          const enhancedError = new Error(
+            `Failed to connect to Trust Gate Server at ${this.address}: ${error.message}`
+          );
+          enhancedError.code = error.code;
+          reject(enhancedError);
+        });
+        this.connectionTimeout = setTimeout(() => {
+          if (this.ws && this.ws.readyState !== WebSocket.OPEN) {
+            this.ws.terminate();
+            this.logger.error("[TrustGateClient] Connection timeout", {
+              address: this.address,
+              timeout: this.timeout
+            });
+            reject(
+              new Error(
+                `Connection timeout: Trust Gate Server at ${this.address} did not respond within ${this.timeout}ms`
+              )
+            );
+          }
+        }, this.timeout);
+      } catch (ex) {
+        reject(ex);
+      }
+    });
+  }
+  /**
+   * Sends message and waits for response
+   */
+  send(data) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      return Promise.reject(new Error("WebSocket is not open"));
+    }
+    return new Promise((resolve, reject) => {
+      const requestId = ++this.requestId;
+      const timeout = setTimeout(() => {
+        this.pendingRequests.delete(requestId);
+        reject(new Error("Request timeout"));
+      }, 3e4);
+      this.pendingRequests.set(requestId, {
+        resolve,
+        reject,
+        timeout
+      });
+      const message = encode({ ...data, _requestId: requestId });
+      this.ws.send(message);
+    });
+  }
+  /**
+   * Handles incoming message
+   */
+  handleMessage(message) {
+    const requestId = message._requestId;
+    if (!requestId) {
+      this.logger.warn(
+        "[TrustGateClient] Received message without requestId",
+        message
+      );
+      return;
+    }
+    const pending = this.pendingRequests.get(requestId);
+    if (!pending) {
+      this.logger.warn(
+        `[TrustGateClient] No pending request for id ${requestId}`
+      );
+      return;
+    }
+    clearTimeout(pending.timeout);
+    this.pendingRequests.delete(requestId);
+    if (message._ === "error") {
+      pending.reject(
+        new Error(message.message || "Unknown error")
+      );
+    } else {
+      pending.resolve(message);
+    }
+  }
+  /**
+   * Closes WebSocket connection
+   */
+  close() {
+    if (this.connectionTimeout) {
+      clearTimeout(this.connectionTimeout);
+    }
+    if (this.ws) {
+      this.ws.close();
+      this.ws = null;
+    }
+  }
+  /**
+   * Creates authorization task via Trust Gate Server
+   */
+  async createTask(params) {
+    const response = await this.send({
+      _: "task_init",
+      projectId: params.projectId,
+      scenarioId: params.scenarioId,
+      clientKey: params.clientKey
+    });
+    if (response.status !== "ok") {
+      throw new Error(response.message || "Task creation failed");
+    }
+    return {
+      linkWeb: response.linkWeb,
+      taskId: response.taskId
+    };
+  }
+};
+
+// src/protocol/constants.ts
+var COMMAND_ACTIVATE = "activate";
+var COMMAND_READY = "ready";
+var COMMAND_AUTH = "auth";
+var COMMAND_AUTH_RESULT = "auth_result";
+var COMMAND_AUTH_INIT = "auth_init";
+var COMMAND_ACTIVATED = "activated";
+var COMMAND_AUTH_DECLINED = "declined";
+var COMMAND_AUTH_TIMEOUT = "timeout";
+var COMMAND_RECONNECT = "reconnect";
+var COMMAND_CONNECTION_FAILED = "connection_failed";
+var COMMAND_ERROR = "error";
+var COMMAND_HEALTH = "health";
+var SOCKET_PING_TIMEOUT = 3e4;
+var AUTHORIZATION_TIME_FRAME = 10 * 60 * 1e3;
+var DEFAULT_PORT = 31313;
+var STATUS = {
+  OK: "ok",
+  FAILED: "error"
+};
+var DECLINE_REASON = {
+  USER: "user_declined",
+  TIMEOUT: "timeout",
+  ERROR: "error",
+  UNKNOWN: "unknown"
+};
+
+// src/liberion-auth.ts
+var LiberionAuth = class {
+  logger;
+  projectId;
+  secretCode;
+  networkConfig;
+  sessions = {};
+  interval = null;
+  // Callbacks
+  onHello;
+  onSuccess;
+  onDecline;
+  // Static command exports for compatibility
+  static COMMAND_AUTH = COMMAND_AUTH;
+  static COMMAND_READY = COMMAND_READY;
+  constructor(config) {
+    this.logger = config.logger ?? (config.debug ? new ConsoleLogger() : new NoOpLogger());
+    if (!validate(config.projectId)) {
+      this.logger.error(
+        "[LiberionAuth] Invalid projectId (should be UUID string)"
+      );
+      throw new Error("Invalid projectId: must be a valid UUID");
+    }
+    this.projectId = config.projectId;
+    this.secretCode = config.secretCode;
+    this.networkConfig = getNetworkConfig(config.environment);
+    this.onHello = config.onHello;
+    this.onSuccess = config.onSuccess;
+    this.onDecline = config.onDecline;
+    const port = config.port ?? DEFAULT_PORT;
+    const server = config.ssl ? https.createServer(config.ssl) : http.createServer();
+    this.logger.info(
+      `[LiberionAuth] Starting ws${config.ssl ? "s" : ""} server on port ${port}`
+    );
+    const wsServer = new WebSocketServer({ server });
+    server.listen(port);
+    wsServer.on("connection", (socket) => {
+      const ws = socket;
+      this.newClient(ws);
+      ws.on("message", (data) => {
+        this.request(ws, data);
+      });
+      ws.on("close", (code) => {
+        this.handleClose(ws, code);
+      });
+      ws.isAlive = true;
+      ws.on("pong", () => {
+        ws.isAlive = true;
+      });
+    });
+    this.interval = setInterval(() => {
+      wsServer.clients.forEach((socket) => {
+        const ws = socket;
+        if (ws.isAlive === false) {
+          return ws.terminate();
+        }
+        ws.isAlive = false;
+        ws.ping();
+      });
+    }, SOCKET_PING_TIMEOUT);
+    wsServer.on("close", () => {
+      if (this.interval) {
+        clearInterval(this.interval);
+      }
+    });
+  }
+  encode(data) {
+    return Buffer.from(encode2(data));
+  }
+  decode(data) {
+    return decode2(data);
+  }
+  async request(client, data) {
+    try {
+      const response = await this.readMessage(client, data);
+      if (response) {
+        this.send(client, response);
+      }
+    } catch (error) {
+      const err = error;
+      this.logger.error(`[LiberionAuth] Request error: ${err.message}`);
+      this.errorResponse(client, err.message);
+      this.finalizeSession(client.clientId);
+    }
+  }
+  send(client, data) {
+    if (client.readyState === WebSocket2.OPEN) {
+      client.send(this.encode(data));
+    }
+  }
+  async readMessage(client, rawData) {
+    let data;
+    try {
+      data = this.decode(rawData);
+    } catch (error) {
+      return this.errorResponse(client, "Invalid message format");
+    }
+    const command = data._;
+    switch (command) {
+      case COMMAND_AUTH_INIT:
+        return this.responseInit(client, data);
+      case COMMAND_ACTIVATE:
+        return this.responseActivate(
+          client,
+          data.data,
+          data._requestId
+        );
+      case COMMAND_AUTH:
+        return this.responseAuth(client, data);
+      case COMMAND_AUTH_DECLINED:
+        return this.responseDeclined(client, data);
+      case COMMAND_HEALTH:
+        return { status: STATUS.OK };
+      case COMMAND_RECONNECT:
+        return this.responseReconnect(client, data);
+      default:
+        return this.errorResponse(client, `Unknown command: ${command}`);
+    }
+  }
+  newClient(client) {
+    const clientId = uuid();
+    const sessionId = uuid();
+    this.sessions[clientId] = {
+      client,
+      sessionId,
+      address: null,
+      clientSessionId: null,
+      isBrowserSession: false
+    };
+    client.clientId = clientId;
+    this.logger.info("[LiberionAuth] New client connected", {
+      clientId,
+      activeSessions: Object.keys(this.sessions).length
+    });
+    setTimeout(() => {
+      if (this.sessions[clientId]) {
+        this.finalizeSession(clientId, true);
+      }
+    }, AUTHORIZATION_TIME_FRAME);
+  }
+  handleClose(client, code) {
+    const isNormal = code === 1e3 || code === 1001;
+    client.isAlive = false;
+    const session = this.sessions[client.clientId];
+    if (!session) {
+      this.logger.info("[LiberionAuth] Socket closed, session already cleaned", {
+        clientId: client.clientId,
+        code
+      });
+      return;
+    }
+    const shouldPreserve = session.isBrowserSession && !session.authResult;
+    this.logger.info("[LiberionAuth] WebSocket closed", {
+      clientId: client.clientId,
+      code,
+      isNormal,
+      shouldPreserve
+    });
+    if (shouldPreserve) {
+      if (!isNormal) {
+        this.logger.warn("[LiberionAuth] Browser abnormal close, session preserved", {
+          clientId: client.clientId,
+          code
+        });
+      }
+      this.logger.info("[LiberionAuth] Browser session preserved for reconnect", {
+        clientId: client.clientId,
+        sessionId: session.sessionId
+      });
+      return;
+    }
+    if (!isNormal) {
+      this.responseFailed(client, { _: COMMAND_CONNECTION_FAILED });
+    }
+    delete this.sessions[client.clientId];
+  }
+  async responseInit(client, data) {
+    const session = this.sessions[client.clientId];
+    this.logger.info("[LiberionAuth] Browser requesting QR code", {
+      clientId: client.clientId,
+      sessionId: session.sessionId
+    });
+    const token = encryptBuffer(
+      Buffer.from(session.sessionId),
+      this.secretCode
+    );
+    let trustGateClient = null;
+    try {
+      this.logger.info("[LiberionAuth] Connecting to Trust Gate Server", {
+        url: this.networkConfig.TRUST_GATE_URL
+      });
+      trustGateClient = new TrustGateClient({
+        address: this.networkConfig.TRUST_GATE_URL,
+        logger: this.logger
+      });
+      await trustGateClient.open();
+      const result = await trustGateClient.createTask({
+        projectId: this.projectId,
+        clientKey: token.toString("base64")
+      });
+      this.logger.info("[LiberionAuth] Task created successfully", {
+        linkWeb: result.linkWeb,
+        taskId: result.taskId
+      });
+      session.isBrowserSession = true;
+      return {
+        _: data._,
+        linkWeb: result.linkWeb,
+        sessionId: session.sessionId
+      };
+    } catch (ex) {
+      const error = ex;
+      this.logger.error("[LiberionAuth] responseInit failed", {
+        message: error.message
+      });
+      let userMessage;
+      if (error.message.includes("timeout")) {
+        userMessage = "Authorization service timeout. Please try again.";
+      } else if (error.message.includes("Failed to connect")) {
+        userMessage = "Authorization service unavailable. Please try again later.";
+      } else {
+        userMessage = "Authorization service error. Please contact support.";
+      }
+      throw new Error(userMessage);
+    } finally {
+      trustGateClient?.close();
+    }
+  }
+  async responseActivate(client, encryptedData, requestId) {
+    const decrypted = decryptBuffer(Buffer.from(encryptedData), this.secretCode);
+    const { address, sessionId } = this.decode(decrypted);
+    const session = this.findSession("sessionId", sessionId);
+    if (!session) {
+      this.logger.error("[LiberionAuth] Session not found for activation", {
+        address: shortenAddress(address),
+        sessionId
+      });
+      return this.errorResponse(client, "Session not found", requestId);
+    }
+    if (session.address) {
+      this.logger.warn("[LiberionAuth] Session already activated", {
+        existingAddress: shortenAddress(session.address),
+        newAddress: shortenAddress(address)
+      });
+      return this.errorResponse(client, "Session already activated", requestId);
+    }
+    this.logger.info("[LiberionAuth] Activating session", {
+      address: shortenAddress(address),
+      sessionId
+    });
+    session.address = address;
+    session.clientSessionId = uuid();
+    const isRegistered = this.onHello ? await this.onHello(address) : false;
+    const responseData = encryptBuffer(
+      this.encode({ clientSessionId: session.clientSessionId, isRegistered }),
+      this.secretCode
+    );
+    this.finalResponse(client, {
+      _: COMMAND_READY,
+      data: responseData,
+      _requestId: requestId
+    });
+    const browserClient = session.client;
+    if (browserClient?.readyState === WebSocket2.OPEN) {
+      this.send(browserClient, { _: COMMAND_ACTIVATED });
+      this.logger.info("[LiberionAuth] ACTIVATED sent to browser", { address: shortenAddress(address) });
+    }
+    return void 0;
+  }
+  async responseAuth(client, data) {
+    const { address, payload, signature, fields } = data;
+    if (!address || !payload || !signature || !fields) {
+      return this.errorResponse(client, "Missing required parameters");
+    }
+    let session = null;
+    try {
+      const decryptedPayload = decryptBuffer(
+        Buffer.from(payload),
+        this.secretCode
+      );
+      const { clientSessionId } = this.decode(decryptedPayload);
+      if (!clientSessionId || !validate(clientSessionId)) {
+        throw new Error("Invalid clientSessionId");
+      }
+      session = this.findSession("clientSessionId", clientSessionId);
+      if (!session) {
+        return this.errorResponse(client, "Session not found");
+      }
+      const userToken = await getTokenFromIPFS(address, this.logger, this.networkConfig);
+      const crypto2 = initUserCrypto(userToken, this.logger);
+      checkSignature(crypto2, payload, signature, this.logger);
+      const result = this.onSuccess ? await this.onSuccess({ address, fields }) : { token: void 0 };
+      this.logger.info("[LiberionAuth] Auth successful", {
+        address: shortenAddress(address),
+        hasToken: !!result.token
+      });
+      this.finalResponse(client, {
+        _: result.error ? STATUS.FAILED : COMMAND_AUTH,
+        message: result.error || "welcome"
+      });
+      if (result.token) {
+        session.authResult = { token: result.token };
+      }
+      const browserClient = session.client;
+      if (browserClient?.readyState === WebSocket2.OPEN) {
+        this.finalResponse(browserClient, {
+          _: result.error ? STATUS.FAILED : COMMAND_AUTH_RESULT,
+          message: result.error || "welcome",
+          payload: { token: result.token }
+        });
+      }
+      return void 0;
+    } catch (ex) {
+      const error = ex;
+      this.logger.error(`[LiberionAuth] Auth failed: ${error.message}`);
+      if (session) {
+        const browserClient = session.client;
+        if (browserClient?.readyState === WebSocket2.OPEN) {
+          this.errorResponse(browserClient, error.message);
+        }
+      }
+      return this.errorResponse(client, error.message);
+    }
+  }
+  responseDeclined(client, data) {
+    const { payload } = data;
+    let clientSessionId;
+    let browserSession = null;
+    if (payload) {
+      try {
+        const decryptedPayload = decryptBuffer(
+          Buffer.from(payload),
+          this.secretCode
+        );
+        const decoded = this.decode(decryptedPayload);
+        clientSessionId = decoded.clientSessionId;
+        if (clientSessionId && validate(clientSessionId)) {
+          browserSession = this.findSession("clientSessionId", clientSessionId);
+        }
+      } catch (ex) {
+        this.logger.error("[LiberionAuth] Failed to decrypt decline payload", {
+          error: ex.message
+        });
+      }
+    }
+    if (browserSession) {
+      this.logger.info("[LiberionAuth] Wallet declined, notifying browser", {
+        clientSessionId,
+        address: shortenAddress(browserSession.address)
+      });
+      const browserClient = browserSession.client;
+      if (browserClient?.readyState === WebSocket2.OPEN) {
+        this.send(browserClient, {
+          _: COMMAND_AUTH_DECLINED,
+          message: "Authorization declined"
+        });
+      } else {
+        browserSession.declineResult = { message: "Authorization declined" };
+        this.logger.info("[LiberionAuth] Browser offline, decline stored", {
+          clientSessionId
+        });
+      }
+      if (this.onDecline) {
+        this.onDecline({
+          address: browserSession.address,
+          reason: DECLINE_REASON.USER,
+          message: "Authorization declined",
+          declinedBy: "wallet",
+          sessionId: browserSession.sessionId
+        }).catch((ex) => {
+          this.logger.error(`[LiberionAuth] onDecline error: ${ex.message}`);
+        });
+      }
+      this.finalResponse(client, {
+        _: COMMAND_AUTH_DECLINED,
+        message: "Authorization declined"
+      });
+      return void 0;
+    }
+    this.logger.error("[LiberionAuth] Browser session not found for decline", {
+      clientSessionId,
+      hasPayload: !!payload
+    });
+    return this.responseFailed(client, data);
+  }
+  responseReconnect(client, data) {
+    const sessionId = data.sessionId;
+    if (!sessionId) {
+      return this.errorResponse(client, "sessionId required");
+    }
+    const existingSession = this.findSession("sessionId", sessionId);
+    if (!existingSession) {
+      return this.errorResponse(client, "session_not_found");
+    }
+    const oldClientId = Object.keys(this.sessions).find(
+      (k) => this.sessions[k] === existingSession
+    );
+    this.logger.info("[LiberionAuth] Reconnecting session", {
+      sessionId,
+      oldClientId,
+      newClientId: client.clientId,
+      hasAuthResult: !!existingSession.authResult
+    });
+    existingSession.client = client;
+    if (oldClientId) {
+      delete this.sessions[oldClientId];
+    }
+    this.sessions[client.clientId] = existingSession;
+    if (existingSession.authResult) {
+      this.send(client, {
+        _: COMMAND_AUTH_RESULT,
+        message: "welcome",
+        payload: existingSession.authResult
+      });
+    }
+    if (existingSession.declineResult) {
+      this.send(client, {
+        _: COMMAND_AUTH_DECLINED,
+        message: existingSession.declineResult.message
+      });
+      this.logger.info("[LiberionAuth] Sent stored decline", { sessionId });
+    }
+    let status;
+    if (existingSession.authResult) {
+      status = "completed";
+    } else if (existingSession.declineResult) {
+      status = "declined";
+    } else if (existingSession.address) {
+      status = "activated";
+    } else {
+      status = "waiting";
+    }
+    return {
+      _: COMMAND_RECONNECT,
+      status
+    };
+  }
+  responseFailed(client, data) {
+    const session = this.sessions[client.clientId];
+    if (!session) {
+      return this.errorResponse(client, "Session not found");
+    }
+    const command = data._;
+    const message = data.message || "Authorization declined";
+    let reason;
+    switch (command) {
+      case COMMAND_AUTH_DECLINED:
+        reason = DECLINE_REASON.USER;
+        break;
+      case COMMAND_AUTH_TIMEOUT:
+        reason = DECLINE_REASON.TIMEOUT;
+        break;
+      case COMMAND_CONNECTION_FAILED:
+      case COMMAND_ERROR:
+        reason = DECLINE_REASON.ERROR;
+        break;
+      default:
+        reason = DECLINE_REASON.UNKNOWN;
+    }
+    const isBrowser = session.client === client && session.isBrowserSession;
+    this.logger.info("[LiberionAuth] Authorization declined", {
+      sessionId: session.sessionId,
+      address: shortenAddress(session.address),
+      reason,
+      declinedBy: isBrowser ? "browser" : "wallet"
+    });
+    if (this.onDecline) {
+      this.onDecline({
+        address: session.address,
+        reason,
+        message,
+        declinedBy: isBrowser ? "browser" : "wallet",
+        sessionId: session.sessionId
+      }).catch((ex) => {
+        this.logger.error(`[LiberionAuth] onDecline error: ${ex.message}`);
+      });
+    }
+    this.finalResponse(client, { _: command, message });
+    return void 0;
+  }
+  errorResponse(client, error, requestId) {
+    this.logger.error("[LiberionAuth] Sending error", {
+      clientId: client.clientId,
+      error
+    });
+    this.finalResponse(client, {
+      _: COMMAND_ERROR,
+      message: error,
+      ...requestId && { _requestId: requestId }
+    });
+    return false;
+  }
+  finalResponse(client, data) {
+    if (client.readyState === WebSocket2.OPEN) {
+      this.send(client, data);
+    }
+    this.closeClient(client);
+  }
+  finalizeSession(clientId, isTimeout = false) {
+    const session = this.sessions[clientId];
+    if (!session) return;
+    if (isTimeout) {
+      this.responseFailed(session.client, {
+        _: COMMAND_AUTH_TIMEOUT,
+        message: "Authorization timeout"
+      });
+    } else {
+      this.closeClient(session.client);
+    }
+  }
+  closeClient(client) {
+    delete this.sessions[client.clientId];
+    client?.terminate();
+  }
+  findSession(paramName, searchValue) {
+    for (const key of Object.keys(this.sessions)) {
+      if (this.sessions[key][paramName] === searchValue) {
+        return this.sessions[key];
+      }
+    }
+    return null;
+  }
+};
+
+// src/crypto/pq-crypto.ts
+import { ml_kem1024 } from "@noble/post-quantum/ml-kem.js";
+import { ml_dsa87 as ml_dsa872 } from "@noble/post-quantum/ml-dsa.js";
+import { webcrypto } from "crypto";
+import sodium from "libsodium-wrappers";
+var { subtle } = webcrypto;
+var PROTOCOL_AAD = new TextEncoder().encode("PQv1");
+var PQCrypto = class {
+  logger;
+  // Trust Gate keys (generated from seed)
+  // Note: kemPrivateKey kept for potential future decryption support
+  _kemPrivateKey = null;
+  kemPublicKey = null;
+  dsaPrivateKey = null;
+  dsaPublicKey = null;
+  // Peer (User/Wallet) public keys
+  peerKEMPublicKey = null;
+  peerDSAPublicKey = null;
+  constructor(logger) {
+    this.logger = logger ?? new NoOpLogger();
+  }
+  /**
+   * Generate Trust Gate session keys from cryptographic seed
+   * @param seed - Random seed (at least 96 bytes: 64 for ML-KEM + 32 for ML-DSA)
+   */
+  async generateKeysFromSeed(seed) {
+    try {
+      if (seed.length < 96) {
+        throw new Error(
+          `Seed too short: expected at least 96 bytes (64 for KEM + 32 for DSA), got ${seed.length}`
+        );
+      }
+      const kemSeed = seed.slice(0, 64);
+      const kemKeys = ml_kem1024.keygen(kemSeed);
+      this.kemPublicKey = kemKeys.publicKey;
+      this._kemPrivateKey = kemKeys.secretKey;
+      const dsaSeed = seed.slice(64, 96);
+      const dsaKeys = ml_dsa872.keygen(dsaSeed);
+      this.dsaPublicKey = dsaKeys.publicKey;
+      this.dsaPrivateKey = dsaKeys.secretKey;
+      this.logger.info("[PQCrypto] Keys generated successfully", {
+        kemPublicKeySize: this.kemPublicKey.length,
+        dsaPublicKeySize: this.dsaPublicKey.length
+      });
+    } catch (ex) {
+      const error = ex;
+      this.logger.error(`[PQCrypto] Failed to generate keys: ${error.message}`);
+      throw new Error(`Failed to generate PQ keys: ${error.message}`);
+    }
+  }
+  /**
+   * Import peer's (user) public keys for encryption and verification
+   * @param kemPublicKey - ML-KEM-1024 public key (1568 bytes)
+   * @param dsaPublicKey - ML-DSA-87 public key (2592 bytes)
+   */
+  importPeerPublicKeys(kemPublicKey, dsaPublicKey) {
+    try {
+      this.peerKEMPublicKey = new Uint8Array(kemPublicKey);
+      this.peerDSAPublicKey = new Uint8Array(dsaPublicKey);
+      if (this.peerKEMPublicKey.length !== 1568) {
+        throw new Error(
+          `Invalid ML-KEM-1024 public key size: expected 1568, got ${this.peerKEMPublicKey.length}`
+        );
+      }
+      if (this.peerDSAPublicKey.length !== 2592) {
+        throw new Error(
+          `Invalid ML-DSA-87 public key size: expected 2592, got ${this.peerDSAPublicKey.length}`
+        );
+      }
+      this.logger.info("[PQCrypto] Peer public keys imported", {
+        kemKeySize: this.peerKEMPublicKey.length,
+        dsaKeySize: this.peerDSAPublicKey.length
+      });
+    } catch (ex) {
+      const error = ex;
+      this.logger.error(`[PQCrypto] Failed to import peer keys: ${error.message}`);
+      throw new Error(`Failed to import peer public keys: ${error.message}`);
+    }
+  }
+  /**
+   * Hybrid encryption: ML-KEM + XChaCha20-Poly1305 + ML-DSA signature
+   * Matches client format: version + header + sigLen + signature + cipherText + nonce + ct
+   * @param message - Data to encrypt
+   * @returns Encrypted package in client-compatible format
+   */
+  async encrypt(message) {
+    try {
+      await sodium.ready;
+      if (!this.peerKEMPublicKey) {
+        throw new Error("Peer KEM public key not imported");
+      }
+      if (!this.dsaPrivateKey) {
+        throw new Error("DSA private key not generated");
+      }
+      const messageBytes = message instanceof Uint8Array ? message : new Uint8Array(message);
+      this.logger.info("[PQCrypto] Starting hybrid encryption", {
+        messageSize: messageBytes.length
+      });
+      const { cipherText: kemCiphertext, sharedSecret } = ml_kem1024.encapsulate(
+        this.peerKEMPublicKey
+      );
+      this.logger.info("[PQCrypto] ML-KEM encapsulation complete", {
+        ciphertextSize: kemCiphertext.length,
+        // 1568 bytes
+        sharedSecretSize: sharedSecret.length
+        // 32 bytes
+      });
+      const secretKeyRaw = await subtle.deriveBits(
+        {
+          name: "HKDF",
+          hash: "SHA-256",
+          salt: PROTOCOL_AAD,
+          info: PROTOCOL_AAD
+        },
+        await subtle.importKey("raw", sharedSecret, { name: "HKDF" }, false, [
+          "deriveBits"
+        ]),
+        256
+      );
+      sharedSecret.fill(0);
+      const versionBuf = new Uint8Array([1]);
+      const header = new Uint8Array(4);
+      new DataView(header.buffer).setUint32(0, kemCiphertext.length, false);
+      const aad = new Uint8Array(PROTOCOL_AAD.length + 1 + 4);
+      aad.set(PROTOCOL_AAD, 0);
+      aad.set(versionBuf, PROTOCOL_AAD.length);
+      aad.set(header, PROTOCOL_AAD.length + 1);
+      const keyBytes = new Uint8Array(secretKeyRaw);
+      const nonce = webcrypto.getRandomValues(
+        new Uint8Array(sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES)
+      );
+      const ct = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(
+        messageBytes,
+        aad,
+        null,
+        nonce,
+        keyBytes
+      );
+      this.logger.info("[PQCrypto] XChaCha20-Poly1305 encryption complete", {
+        nonceSize: nonce.length,
+        // 24 bytes
+        encryptedSize: ct.length
+        // message + 16 bytes tag
+      });
+      const signature = ml_dsa872.sign(kemCiphertext, this.dsaPrivateKey);
+      this.logger.info("[PQCrypto] ML-DSA signature created", {
+        signatureSize: signature.length
+        // ~4627 bytes
+      });
+      const sigLenBuf = new Uint8Array(4);
+      new DataView(sigLenBuf.buffer).setUint32(0, signature.length, false);
+      const result = new Uint8Array(
+        1 + 4 + 4 + signature.length + kemCiphertext.length + nonce.length + ct.length
+      );
+      let offset = 0;
+      result.set(versionBuf, offset);
+      offset += 1;
+      result.set(header, offset);
+      offset += 4;
+      result.set(sigLenBuf, offset);
+      offset += 4;
+      result.set(signature, offset);
+      offset += signature.length;
+      result.set(kemCiphertext, offset);
+      offset += kemCiphertext.length;
+      result.set(nonce, offset);
+      offset += nonce.length;
+      result.set(ct, offset);
+      keyBytes.fill(0);
+      new Uint8Array(secretKeyRaw).fill(0);
+      this.logger.info("[PQCrypto] Hybrid encryption complete", {
+        totalSize: result.length,
+        breakdown: {
+          version: 1,
+          header: 4,
+          sigLen: 4,
+          signature: signature.length,
+          kemCiphertext: kemCiphertext.length,
+          nonce: nonce.length,
+          ct: ct.length
+        }
+      });
+      return Buffer.from(result);
+    } catch (ex) {
+      const error = ex;
+      this.logger.error(`[PQCrypto] Encryption failed: ${error.message}`);
+      throw new Error(`PQ encryption failed: ${error.message}`);
+    }
+  }
+  /**
+   * Check if keys have been generated
+   */
+  hasKeys() {
+    return !!(this.kemPublicKey && this.dsaPublicKey && this._kemPrivateKey);
+  }
+  /**
+   * Export Trust Gate public keys (for sending to client)
+   * @returns Object with publicKeyEncrypt and publicKeySign as Buffers
+   */
+  exportKeys() {
+    if (!this.kemPublicKey || !this.dsaPublicKey) {
+      throw new Error("Keys not generated yet");
+    }
+    return {
+      publicKeyEncrypt: Buffer.from(this.kemPublicKey),
+      publicKeySign: Buffer.from(this.dsaPublicKey)
+    };
+  }
+};
+export {
+  COMMAND_ACTIVATED,
+  COMMAND_AUTH,
+  COMMAND_AUTH_DECLINED,
+  COMMAND_AUTH_RESULT,
+  COMMAND_AUTH_TIMEOUT,
+  COMMAND_ERROR,
+  COMMAND_READY,
+  ConsoleLogger,
+  DECLINE_REASON,
+  DEFAULT_PORT,
+  LiberionAuth,
+  NoOpLogger,
+  PQCrypto,
+  STATUS,
+  USER_CONTRACT_ABI,
+  checkSignature,
+  clearTokenCache,
+  createWinstonAdapter,
+  decryptBuffer,
+  encryptBuffer,
+  extractIpfsHash,
+  getNetworkConfig,
+  getTokenFromIPFS,
+  initUserCrypto,
+  shortenAddress
+};