@viewportai/daemon 0.5.3 → 0.6.0

package/dist/security/epoch-protocol.js

@@ -0,0 +1,285 @@
+import crypto from 'node:crypto';
+export const USER_EPOCH_SCHEMA = 'viewport.user_crypto_epoch/v1';
+export const TEAM_EPOCH_SCHEMA = 'viewport.team_crypto_epoch/v1';
+export const DEVICE_ENROLLMENT_SCHEMA = 'viewport.device_enrollment/v1';
+export const RESOURCE_GRANT_SCHEMA = 'viewport.resource_key_grant/v1';
+export const WRAPPED_KEY_ENVELOPE_SCHEMA = 'viewport.wrapped_key_envelope/v1';
+export const TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER = 'X-Viewport-Crypto-Protocol';
+export const TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION = 'viewport.trusted_edge_crypto/v2';
+const PRIVATE_JWK_FIELDS = new Set([
+    'd',
+    'p',
+    'q',
+    'dp',
+    'dq',
+    'qi',
+    'oth',
+    'k',
+    'x5c_private',
+    'hpkePrivateKey',
+    'privateKey',
+    'secretKey',
+]);
+export function canonicalJson(value) {
+    return JSON.stringify(canonicalize(value));
+}
+export function sha256Base64Url(value) {
+    return crypto.createHash('sha256').update(value).digest('base64url');
+}
+export function fingerprintPayload(value) {
+    return `sha256:${sha256Base64Url(canonicalJson(value))}`;
+}
+export function epochFingerprint(epoch) {
+    return fingerprintPayload({
+        schema: epoch.schema,
+        workspaceId: epoch.workspaceId,
+        subjectType: epoch.subjectType,
+        subjectId: epoch.subjectId,
+        epoch: epoch.epoch,
+        encryptionPublicKeyJwk: epoch.encryptionPublicKeyJwk,
+        signingPublicKeyJwk: epoch.signingPublicKeyJwk,
+        previousEpochFingerprint: epoch.previousEpochFingerprint ?? null,
+    });
+}
+export function deviceEnrollmentFingerprint(request) {
+    assertNoPrivateKeyMaterial(request.encryptionPublicKeyJwk);
+    assertNoPrivateKeyMaterial(request.signingPublicKeyJwk);
+    return fingerprintPayload({
+        schema: request.schema,
+        workspaceId: request.workspaceId,
+        deviceId: request.deviceId,
+        deviceLabel: request.deviceLabel,
+        encryptionPublicKeyJwk: request.encryptionPublicKeyJwk,
+        signingPublicKeyJwk: request.signingPublicKeyJwk,
+        nonce: request.nonce,
+    });
+}
+export function signDeviceEnrollmentRequest(input) {
+    const key = crypto.createPrivateKey({
+        key: input.signingPrivateKeyJwk,
+        format: 'jwk',
+    });
+    return {
+        payload: input.payload,
+        signature: crypto
+            .sign(null, Buffer.from(canonicalJson(input.payload)), key)
+            .toString('base64url'),
+    };
+}
+export function userEpochDeviceMaterializationPayload(input) {
+    return {
+        schema: 'viewport.user_epoch_device_materialization/v1',
+        workspaceId: input.workspaceId,
+        userId: input.userId,
+        enrollmentId: input.enrollmentId,
+        grantId: input.grantId,
+        userCryptoEpochId: input.userCryptoEpochId,
+        userEpochFingerprint: input.userEpochFingerprint,
+        recipientFingerprint: input.recipientFingerprint,
+    };
+}
+export function signUserEpochDeviceMaterialization(input) {
+    const key = crypto.createPrivateKey({
+        key: input.signingPrivateKeyJwk,
+        format: 'jwk',
+    });
+    return {
+        payload: input.payload,
+        signature: crypto
+            .sign(null, Buffer.from(canonicalJson(input.payload)), key)
+            .toString('base64url'),
+        signedByUserEpochFingerprint: input.signedByUserEpochFingerprint,
+    };
+}
+export function teamEpochMemberMaterializationPayload(input) {
+    return {
+        schema: 'viewport.team_epoch_member_materialization/v1',
+        workspaceId: input.workspaceId,
+        grantId: input.grantId,
+        teamCryptoEpochId: input.teamCryptoEpochId,
+        teamEpochFingerprint: input.teamEpochFingerprint,
+        recipientUserCryptoEpochId: input.recipientUserCryptoEpochId,
+        recipientUserEpochFingerprint: input.recipientUserEpochFingerprint,
+    };
+}
+export function signTeamEpochMemberMaterialization(input) {
+    const key = crypto.createPrivateKey({
+        key: input.signingPrivateKeyJwk,
+        format: 'jwk',
+    });
+    return {
+        payload: input.payload,
+        signature: crypto
+            .sign(null, Buffer.from(canonicalJson(input.payload)), key)
+            .toString('base64url'),
+        signedByTeamEpochFingerprint: input.signedByTeamEpochFingerprint,
+    };
+}
+export function contextGrantMaterializationPayload(input) {
+    return {
+        schema: 'viewport.context_vault_grant_materialization/v1',
+        workspaceId: input.workspaceId,
+        contextResourceId: input.contextResourceId,
+        grantEventId: input.grantEventId,
+        recipientName: input.recipientName,
+        keyEpoch: input.keyEpoch,
+    };
+}
+export function signContextGrantMaterialization(input) {
+    const key = crypto.createPrivateKey({
+        key: input.signingPrivateKeyJwk,
+        format: 'jwk',
+    });
+    return {
+        payload: input.payload,
+        signature: crypto
+            .sign(null, Buffer.from(canonicalJson(input.payload)), key)
+            .toString('base64url'),
+        signedByEpochFingerprint: input.signedByEpochFingerprint,
+    };
+}
+export function epochTransitionPayload(input) {
+    if (input.from.workspaceId !== input.to.workspaceId) {
+        throw new Error('Epoch transition workspace mismatch.');
+    }
+    if (input.from.subjectType !== input.to.subjectType ||
+        input.from.subjectId !== input.to.subjectId) {
+        throw new Error('Epoch transition subject mismatch.');
+    }
+    if (input.to.epoch !== input.from.epoch + 1) {
+        throw new Error('Epoch transition must advance by exactly one epoch.');
+    }
+    return {
+        schema: 'viewport.epoch_transition/v1',
+        workspaceId: input.from.workspaceId,
+        subjectType: input.from.subjectType,
+        subjectId: input.from.subjectId,
+        fromEpoch: input.from.epoch,
+        fromEpochFingerprint: epochFingerprint(input.from),
+        toEpoch: input.to.epoch,
+        toEpochFingerprint: epochFingerprint(input.to),
+        reason: input.reason,
+        createdAt: input.createdAt,
+    };
+}
+export function signEpochTransition(input) {
+    const key = crypto.createPrivateKey({
+        key: input.signingPrivateKeyJwk,
+        format: 'jwk',
+    });
+    const signature = crypto
+        .sign(null, Buffer.from(canonicalJson(input.payload)), key)
+        .toString('base64url');
+    return {
+        payload: input.payload,
+        signature,
+        signedByEpochFingerprint: input.signedByEpochFingerprint,
+    };
+}
+export function verifyEpochTransition(input) {
+    if (input.signed.signedByEpochFingerprint !== input.expectedFromEpochFingerprint)
+        return false;
+    if (input.signed.payload.fromEpochFingerprint !== input.expectedFromEpochFingerprint)
+        return false;
+    if (input.signed.payload.toEpochFingerprint !== input.expectedToEpochFingerprint)
+        return false;
+    const key = crypto.createPublicKey({
+        key: input.signingPublicKeyJwk,
+        format: 'jwk',
+    });
+    return crypto.verify(null, Buffer.from(canonicalJson(input.signed.payload)), key, Buffer.from(input.signed.signature, 'base64url'));
+}
+export function wrapJsonForX25519Recipient(input) {
+    assertNoPrivateKeyMaterial(input.recipientPublicKeyJwk);
+    const ephemeral = crypto.generateKeyPairSync('x25519');
+    const recipientPublicKey = crypto.createPublicKey({
+        key: input.recipientPublicKeyJwk,
+        format: 'jwk',
+    });
+    const sharedSecret = crypto.diffieHellman({
+        privateKey: ephemeral.privateKey,
+        publicKey: recipientPublicKey,
+    });
+    const aad = Buffer.from(canonicalJson(input.aad));
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', deriveWrapKey(sharedSecret), iv);
+    cipher.setAAD(aad);
+    const ciphertext = Buffer.concat([
+        cipher.update(Buffer.from(canonicalJson(input.payload))),
+        cipher.final(),
+    ]);
+    return {
+        schema: WRAPPED_KEY_ENVELOPE_SCHEMA,
+        alg: 'x25519-hkdf-sha256-aes-256-gcm',
+        ephemeralPublicKeyJwk: ephemeral.publicKey.export({ format: 'jwk' }),
+        iv: iv.toString('base64url'),
+        ciphertext: ciphertext.toString('base64url'),
+        tag: cipher.getAuthTag().toString('base64url'),
+        aadDigest: fingerprintPayload(input.aad),
+        createdAt: input.createdAt ?? new Date().toISOString(),
+    };
+}
+export function unwrapJsonFromX25519Envelope(input) {
+    if (input.envelope.schema !== WRAPPED_KEY_ENVELOPE_SCHEMA) {
+        throw new Error('Unsupported wrapped key envelope schema.');
+    }
+    if (input.envelope.alg !== 'x25519-hkdf-sha256-aes-256-gcm') {
+        throw new Error('Unsupported wrapped key envelope algorithm.');
+    }
+    const expectedAadDigest = fingerprintPayload(input.aad);
+    if (input.envelope.aadDigest !== expectedAadDigest) {
+        throw new Error('Wrapped key envelope AAD mismatch.');
+    }
+    const recipientPrivateKey = crypto.createPrivateKey({
+        key: input.recipientPrivateKeyJwk,
+        format: 'jwk',
+    });
+    const ephemeralPublicKey = crypto.createPublicKey({
+        key: input.envelope.ephemeralPublicKeyJwk,
+        format: 'jwk',
+    });
+    const sharedSecret = crypto.diffieHellman({
+        privateKey: recipientPrivateKey,
+        publicKey: ephemeralPublicKey,
+    });
+    const decipher = crypto.createDecipheriv('aes-256-gcm', deriveWrapKey(sharedSecret), Buffer.from(input.envelope.iv, 'base64url'));
+    decipher.setAAD(Buffer.from(canonicalJson(input.aad)));
+    decipher.setAuthTag(Buffer.from(input.envelope.tag, 'base64url'));
+    const plaintext = Buffer.concat([
+        decipher.update(Buffer.from(input.envelope.ciphertext, 'base64url')),
+        decipher.final(),
+    ]);
+    return JSON.parse(plaintext.toString('utf8'));
+}
+export function assertNoPrivateKeyMaterial(value, path = '$') {
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => assertNoPrivateKeyMaterial(item, `${path}[${index}]`));
+        return;
+    }
+    if (!value || typeof value !== 'object')
+        return;
+    for (const [key, child] of Object.entries(value)) {
+        if (PRIVATE_JWK_FIELDS.has(key)) {
+            throw new Error(`Private key material is not allowed at ${path}.${key}.`);
+        }
+        assertNoPrivateKeyMaterial(child, `${path}.${key}`);
+    }
+}
+function deriveWrapKey(sharedSecret) {
+    return Buffer.from(crypto.hkdfSync('sha256', sharedSecret, Buffer.from('viewport-wrapped-key-envelope-salt-v1'), Buffer.from('viewport-wrapped-key-envelope/v1'), 32));
+}
+function canonicalize(value) {
+    if (Array.isArray(value))
+        return value.map((item) => canonicalize(item));
+    if (!value || typeof value !== 'object')
+        return value;
+    return Object.keys(value)
+        .sort()
+        .reduce((acc, key) => {
+        const child = value[key];
+        if (child !== undefined)
+            acc[key] = canonicalize(child);
+        return acc;
+    }, {});
+}
+//# sourceMappingURL=epoch-protocol.js.map

package/dist/security/epoch-protocol.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-protocol.js","sourceRoot":"","sources":["../../src/security/epoch-protocol.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,+BAA+B,CAAC;AACjE,MAAM,CAAC,MAAM,iBAAiB,GAAG,+BAA+B,CAAC;AACjE,MAAM,CAAC,MAAM,wBAAwB,GAAG,+BAA+B,CAAC;AACxE,MAAM,CAAC,MAAM,qBAAqB,GAAG,gCAAgC,CAAC;AACtE,MAAM,CAAC,MAAM,2BAA2B,GAAG,kCAAkC,CAAC;AAC9E,MAAM,CAAC,MAAM,mCAAmC,GAAG,4BAA4B,CAAC;AAChF,MAAM,CAAC,MAAM,oCAAoC,GAAG,iCAAiC,CAAC;AA0HtF,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,GAAG;IACH,GAAG;IACH,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,KAAK;IACL,GAAG;IACH,aAAa;IACb,gBAAgB;IAChB,YAAY;IACZ,WAAW;CACZ,CAAC,CAAC;AAEH,MAAM,UAAU,aAAa,CAAC,KAAc;IAC1C,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAsB;IACpD,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAgB;IACjD,OAAO,UAAU,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAsB;IACrD,OAAO,kBAAkB,CAAC;QACxB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;QAC9C,wBAAwB,EAAE,KAAK,CAAC,wBAAwB,IAAI,IAAI;KACjE,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,OAAgC;IAC1E,0BAA0B,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC3D,0BAA0B,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACxD,OAAO,kBAAkB,CAAC;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,sBAAsB,EAAE,OAAO,CAAC,sBAAsB;QACtD,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,KAAK,EAAE,OAAO,CAAC,KAAK;KACrB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,KAG3C;IACC,MAAM,GAAG,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,GAAG,EAAE,KAAK,CAAC,oBAAyC;QACpD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,MAAM;aACd,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC;aAC1D,QAAQ,CAAC,WAAW,CAAC;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qCAAqC,CAAC,KAQrD;IACC,OAAO;QACL,MAAM,EAAE,+CAA+C;QACvD,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;KACjD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,KAIlD;IACC,MAAM,GAAG,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,GAAG,EAAE,KAAK,CAAC,oBAAyC;QACpD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,MAAM;aACd,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC;aAC1D,QAAQ,CAAC,WAAW,CAAC;QACxB,4BAA4B,EAAE,KAAK,CAAC,4BAA4B;KACjE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qCAAqC,CAAC,KAOrD;IACC,OAAO;QACL,MAAM,EAAE,+CAA+C;QACvD,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;QAChD,0BAA0B,EAAE,KAAK,CAAC,0BAA0B;QAC5D,6BAA6B,EAAE,KAAK,CAAC,6BAA6B;KACnE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,KAIlD;IACC,MAAM,GAAG,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,GAAG,EAAE,KAAK,CAAC,oBAAyC;QACpD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,MAAM;aACd,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC;aAC1D,QAAQ,CAAC,WAAW,CAAC;QACxB,4BAA4B,EAAE,KAAK,CAAC,4BAA4B;KACjE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,KAMlD;IACC,OAAO;QACL,MAAM,EAAE,iDAAiD;QACzD,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,KAI/C;IACC,MAAM,GAAG,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,GAAG,EAAE,KAAK,CAAC,oBAAyC;QACpD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,MAAM;aACd,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC;aAC1D,QAAQ,CAAC,WAAW,CAAC;QACxB,wBAAwB,EAAE,KAAK,CAAC,wBAAwB;KACzD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,KAKtC;IACC,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,KAAK,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,IACE,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,KAAK,CAAC,EAAE,CAAC,WAAW;QAC/C,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,CAAC,SAAS,EAC3C,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,KAAK,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,MAAM,EAAE,8BAA8B;QACtC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;QACnC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;QACnC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS;QAC/B,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK;QAC3B,oBAAoB,EAAE,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC;QAClD,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC,KAAK;QACvB,kBAAkB,EAAE,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9C,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,SAAS,EAAE,KAAK,CAAC,SAAS;KAC3B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAInC;IACC,MAAM,GAAG,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,GAAG,EAAE,KAAK,CAAC,oBAAyC;QACpD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM;SACrB,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC;SAC1D,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS;QACT,wBAAwB,EAAE,KAAK,CAAC,wBAAwB;KACzD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAKrC;IACC,IAAI,KAAK,CAAC,MAAM,CAAC,wBAAwB,KAAK,KAAK,CAAC,4BAA4B;QAAE,OAAO,KAAK,CAAC;IAC/F,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,oBAAoB,KAAK,KAAK,CAAC,4BAA4B;QAClF,OAAO,KAAK,CAAC;IACf,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,kBAAkB,KAAK,KAAK,CAAC,0BAA0B;QAAE,OAAO,KAAK,CAAC;IAC/F,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC;QACjC,GAAG,EAAE,KAAK,CAAC,mBAAwC;QACnD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,MAAM,CAClB,IAAI,EACJ,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,EAChD,GAAG,EACH,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CACjD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,KAK1C;IACC,0BAA0B,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,kBAAkB,GAAG,MAAM,CAAC,eAAe,CAAC;QAChD,GAAG,EAAE,KAAK,CAAC,qBAA0C;QACrD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC;QACxC,UAAU,EAAE,SAAS,CAAC,UAAU;QAChC,SAAS,EAAE,kBAAkB;KAC9B,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC;IACrF,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnB,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;QAC/B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,2BAA2B;QACnC,GAAG,EAAE,gCAAgC;QACrC,qBAAqB,EAAE,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAc;QACjF,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5B,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5C,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC9C,SAAS,EAAE,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC;QACxC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACvD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,KAI5C;IACC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,2BAA2B,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,KAAK,gCAAgC,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,KAAK,iBAAiB,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,mBAAmB,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClD,GAAG,EAAE,KAAK,CAAC,sBAA2C;QACtD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,MAAM,kBAAkB,GAAG,MAAM,CAAC,eAAe,CAAC;QAChD,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,qBAA0C;QAC9D,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC;QACxC,UAAU,EAAE,mBAAmB;QAC/B,SAAS,EAAE,kBAAkB;KAC9B,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,aAAa,EACb,aAAa,CAAC,YAAY,CAAC,EAC3B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,EAAE,WAAW,CAAC,CAC5C,CAAC;IACF,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACvD,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACpE,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAc,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,KAAgB,EAAE,IAAI,GAAG,GAAG;IACrE,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,0BAA0B,CAAC,IAAI,EAAE,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;QACtF,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO;IAEhD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,IAAI,GAAG,GAAG,CAAC,CAAC;QAC5E,CAAC;QACD,0BAA0B,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,YAAoB;IACzC,OAAO,MAAM,CAAC,IAAI,CAChB,MAAM,CAAC,QAAQ,CACb,QAAQ,EACR,YAAY,EACZ,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,EACpD,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,EAC/C,EAAE,CACH,CACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;IACzE,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEtD,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;SACtB,IAAI,EAAE;SACN,MAAM,CAA0B,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5C,MAAM,KAAK,GAAI,KAAiC,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,KAAK,KAAK,SAAS;YAAE,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACxD,OAAO,GAAG,CAAC;IACb,CAAC,EAAE,EAAE,CAAC,CAAC;AACX,CAAC"}

package/dist/security/epoch-public-pins.d.ts

@@ -0,0 +1,19 @@
+import { type JsonValue } from './epoch-protocol.js';
+import { type LocalPublicEpochPin } from './epoch-store.js';
+export interface PublicEpochForPinning {
+    platformEpochId: string;
+    workspaceId: string;
+    subjectType: 'user' | 'team';
+    subjectId: string;
+    epoch: number;
+    schema: 'viewport.user_crypto_epoch/v1' | 'viewport.team_crypto_epoch/v1';
+    fingerprint: string;
+    encryptionPublicKeyJwk: JsonValue;
+    signingPublicKeyJwk: JsonValue;
+    previousEpochFingerprint?: string | null;
+    continuityPayload?: JsonValue | null;
+    continuitySignature?: string | null;
+    signedByEpochFingerprint?: string | null;
+}
+export declare function validateAndPinPublicEpoch(epoch: PublicEpochForPinning, home?: string): Promise<LocalPublicEpochPin>;
+//# sourceMappingURL=epoch-public-pins.d.ts.map

package/dist/security/epoch-public-pins.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-public-pins.d.ts","sourceRoot":"","sources":["../../src/security/epoch-public-pins.ts"],"names":[],"mappings":"AACA,OAAO,EAKL,KAAK,SAAS,EAEf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAGL,KAAK,mBAAmB,EACzB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,WAAW,qBAAqB;IACpC,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,+BAA+B,GAAG,+BAA+B,CAAC;IAC1E,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB,EAAE,SAAS,CAAC;IAClC,mBAAmB,EAAE,SAAS,CAAC;IAC/B,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,iBAAiB,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1C;AAED,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,qBAAqB,EAC5B,IAAI,SAAc,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAoD9B"}

package/dist/security/epoch-public-pins.js

@@ -0,0 +1,129 @@
+import { configDir } from '../core/config.js';
+import { epochFingerprint, verifyEpochTransition, } from './epoch-protocol.js';
+import { getLocalPublicEpochPin, upsertLocalPublicEpochPin, } from './epoch-store.js';
+export async function validateAndPinPublicEpoch(epoch, home = configDir()) {
+    const descriptor = publicEpochDescriptor(epoch);
+    const computedFingerprint = epochFingerprint(descriptor);
+    if (computedFingerprint !== epoch.fingerprint) {
+        throw new Error(`Fetched ${epoch.subjectType} epoch fingerprint mismatch for ${epoch.subjectId}.`);
+    }
+    const previous = await getLocalPublicEpochPin({
+        workspaceId: epoch.workspaceId,
+        subjectType: epoch.subjectType,
+        subjectId: epoch.subjectId,
+    }, home);
+    if (previous) {
+        if (epoch.epoch < previous.epoch) {
+            throw new Error(`Fetched ${epoch.subjectType} epoch rollback for ${epoch.subjectId}: ${epoch.epoch} < ${previous.epoch}.`);
+        }
+        if (epoch.epoch === previous.epoch && epoch.fingerprint !== previous.fingerprint) {
+            throw new Error(`Fetched ${epoch.subjectType} epoch replacement for ${epoch.subjectId} requires signed continuity.`);
+        }
+        if (epoch.epoch > previous.epoch) {
+            assertSignedContinuity({ previous, next: epoch });
+        }
+    }
+    return upsertLocalPublicEpochPin({
+        workspaceId: epoch.workspaceId,
+        subjectType: epoch.subjectType,
+        subjectId: epoch.subjectId,
+        platformEpochId: epoch.platformEpochId,
+        epoch: epoch.epoch,
+        schema: epoch.schema,
+        fingerprint: epoch.fingerprint,
+        encryptionPublicKeyJwk: epoch.encryptionPublicKeyJwk,
+        signingPublicKeyJwk: epoch.signingPublicKeyJwk,
+        previousEpochFingerprint: epoch.previousEpochFingerprint ?? null,
+        continuityPayload: epoch.continuityPayload ?? null,
+        continuitySignature: epoch.continuitySignature ?? null,
+        signedByEpochFingerprint: epoch.signedByEpochFingerprint ?? null,
+    }, home);
+}
+function assertSignedContinuity(input) {
+    if (input.next.previousEpochFingerprint !== input.previous.fingerprint) {
+        throw new Error(`Fetched ${input.next.subjectType} epoch ${input.next.epoch} does not continue from pinned epoch ${input.previous.epoch}.`);
+    }
+    if (!input.next.continuityPayload || !input.next.continuitySignature) {
+        throw new Error(`Fetched ${input.next.subjectType} epoch ${input.next.epoch} is missing signed continuity.`);
+    }
+    const signed = {
+        payload: epochTransitionPayload(input.next.continuityPayload),
+        signature: input.next.continuitySignature,
+        signedByEpochFingerprint: input.next.signedByEpochFingerprint ?? input.next.previousEpochFingerprint ?? '',
+    };
+    const ok = verifyEpochTransition({
+        signed,
+        signingPublicKeyJwk: input.previous.signingPublicKeyJwk,
+        expectedFromEpochFingerprint: input.previous.fingerprint,
+        expectedToEpochFingerprint: input.next.fingerprint,
+    });
+    if (!ok) {
+        throw new Error(`Fetched ${input.next.subjectType} epoch ${input.next.epoch} continuity signature is invalid.`);
+    }
+}
+function publicEpochDescriptor(epoch) {
+    return {
+        schema: epoch.schema,
+        workspaceId: epoch.workspaceId,
+        subjectType: epoch.subjectType,
+        subjectId: epoch.subjectId,
+        epoch: epoch.epoch,
+        encryptionPublicKeyJwk: epoch.encryptionPublicKeyJwk,
+        signingPublicKeyJwk: epoch.signingPublicKeyJwk,
+        previousEpochFingerprint: epoch.previousEpochFingerprint ?? null,
+        createdAt: 'pinning-fingerprint-input',
+    };
+}
+function epochTransitionPayload(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error('Epoch continuity payload must be an object.');
+    }
+    const data = value;
+    return {
+        schema: 'viewport.epoch_transition/v1',
+        workspaceId: stringField(data, 'workspaceId'),
+        subjectType: subjectTypeField(data, 'subjectType'),
+        subjectId: stringField(data, 'subjectId'),
+        fromEpoch: numberField(data, 'fromEpoch'),
+        fromEpochFingerprint: stringField(data, 'fromEpochFingerprint'),
+        toEpoch: numberField(data, 'toEpoch'),
+        toEpochFingerprint: stringField(data, 'toEpochFingerprint'),
+        reason: reasonField(data, 'reason'),
+        createdAt: stringField(data, 'createdAt'),
+    };
+}
+function stringField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'string' || child.trim() === '') {
+        throw new Error(`Epoch continuity payload missing ${field}.`);
+    }
+    return child;
+}
+function numberField(value, field) {
+    const child = value[field];
+    if (typeof child !== 'number') {
+        throw new Error(`Epoch continuity payload missing numeric ${field}.`);
+    }
+    return child;
+}
+function subjectTypeField(value, field) {
+    const child = stringField(value, field);
+    if (child !== 'user' && child !== 'team') {
+        throw new Error(`Epoch continuity payload has unsupported ${field}.`);
+    }
+    return child;
+}
+function reasonField(value, field) {
+    const child = stringField(value, field);
+    if (child === 'initial' ||
+        child === 'device_enrolled' ||
+        child === 'device_revoked' ||
+        child === 'member_added' ||
+        child === 'member_revoked' ||
+        child === 'manual_rotation' ||
+        child === 'recovery') {
+        return child;
+    }
+    throw new Error(`Epoch continuity payload has unsupported ${field}.`);
+}
+//# sourceMappingURL=epoch-public-pins.js.map

package/dist/security/epoch-public-pins.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-public-pins.js","sourceRoot":"","sources":["../../src/security/epoch-public-pins.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EACL,gBAAgB,EAChB,qBAAqB,GAKtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,yBAAyB,GAE1B,MAAM,kBAAkB,CAAC;AAkB1B,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,KAA4B,EAC5B,IAAI,GAAG,SAAS,EAAE;IAElB,MAAM,UAAU,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAChD,MAAM,mBAAmB,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,mBAAmB,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,WAAW,mCAAmC,KAAK,CAAC,SAAS,GAAG,CAClF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAC3C;QACE,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,SAAS,EAAE,KAAK,CAAC,SAAS;KAC3B,EACD,IAAI,CACL,CAAC;IAEF,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,WAAW,uBAAuB,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,KAAK,MAAM,QAAQ,CAAC,KAAK,GAAG,CAC1G,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,KAAK,QAAQ,CAAC,KAAK,IAAI,KAAK,CAAC,WAAW,KAAK,QAAQ,CAAC,WAAW,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,WAAW,0BAA0B,KAAK,CAAC,SAAS,8BAA8B,CACpG,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;YACjC,sBAAsB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,OAAO,yBAAyB,CAC9B;QACE,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;QAC9C,wBAAwB,EAAE,KAAK,CAAC,wBAAwB,IAAI,IAAI;QAChE,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,IAAI,IAAI;QAClD,mBAAmB,EAAE,KAAK,CAAC,mBAAmB,IAAI,IAAI;QACtD,wBAAwB,EAAE,KAAK,CAAC,wBAAwB,IAAI,IAAI;KACjE,EACD,IAAI,CACL,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAG/B;IACC,IAAI,KAAK,CAAC,IAAI,CAAC,wBAAwB,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QACvE,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,CAAC,WAAW,UAAU,KAAK,CAAC,IAAI,CAAC,KAAK,wCAAwC,KAAK,CAAC,QAAQ,CAAC,KAAK,GAAG,CAC3H,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,CAAC,WAAW,UAAU,KAAK,CAAC,IAAI,CAAC,KAAK,gCAAgC,CAC5F,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAA0B;QACpC,OAAO,EAAE,sBAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC;QAC7D,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB;QACzC,wBAAwB,EACtB,KAAK,CAAC,IAAI,CAAC,wBAAwB,IAAI,KAAK,CAAC,IAAI,CAAC,wBAAwB,IAAI,EAAE;KACnF,CAAC;IACF,MAAM,EAAE,GAAG,qBAAqB,CAAC;QAC/B,MAAM;QACN,mBAAmB,EAAE,KAAK,CAAC,QAAQ,CAAC,mBAAmB;QACvD,4BAA4B,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW;QACxD,0BAA0B,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;KACnD,CAAC,CAAC;IACH,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CACb,WAAW,KAAK,CAAC,IAAI,CAAC,WAAW,UAAU,KAAK,CAAC,IAAI,CAAC,KAAK,mCAAmC,CAC/F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAA4B;IACzD,OAAO;QACL,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;QACpD,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;QAC9C,wBAAwB,EAAE,KAAK,CAAC,wBAAwB,IAAI,IAAI;QAChE,SAAS,EAAE,2BAA2B;KACvC,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAgB;IAC9C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,IAAI,GAAG,KAAkC,CAAC;IAChD,OAAO;QACL,MAAM,EAAE,8BAA8B;QACtC,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7C,WAAW,EAAE,gBAAgB,CAAC,IAAI,EAAE,aAAa,CAAC;QAClD,SAAS,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;QACzC,SAAS,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;QACzC,oBAAoB,EAAE,WAAW,CAAC,IAAI,EAAE,sBAAsB,CAAC;QAC/D,OAAO,EAAE,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC;QACrC,kBAAkB,EAAE,WAAW,CAAC,IAAI,EAAE,oBAAoB,CAAC;QAC3D,MAAM,EAAE,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC;QACnC,SAAS,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,KAAgC,EAAE,KAAa;IAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,oCAAoC,KAAK,GAAG,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,KAAgC,EAAE,KAAa;IAClE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4CAA4C,KAAK,GAAG,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAgC,EAAE,KAAa;IACvE,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4CAA4C,KAAK,GAAG,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAClB,KAAgC,EAChC,KAAa;IAEb,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACxC,IACE,KAAK,KAAK,SAAS;QACnB,KAAK,KAAK,iBAAiB;QAC3B,KAAK,KAAK,gBAAgB;QAC1B,KAAK,KAAK,cAAc;QACxB,KAAK,KAAK,gBAAgB;QAC1B,KAAK,KAAK,iBAAiB;QAC3B,KAAK,KAAK,UAAU,EACpB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,KAAK,GAAG,CAAC,CAAC;AACxE,CAAC"}

package/dist/security/epoch-recovery.d.ts

@@ -0,0 +1,56 @@
+import { transportFetch } from '../cli/network.js';
+import { type LocalUserCryptoEpoch } from './epoch-store.js';
+import { type JsonValue } from './epoch-protocol.js';
+import { type CryptoEpochSyncTarget } from './epoch-sync.js';
+export declare const USER_EPOCH_RECOVERY_BACKUP_SCHEMA = "viewport.user_epoch_recovery_backup/v1";
+declare const USER_EPOCH_RECOVERY_ENVELOPE_SCHEMA = "viewport.user_epoch_recovery_envelope/v1";
+declare const RECOVERY_KDF = "scrypt-sha256/v1";
+interface UserKeyBackupResponse {
+    id: string;
+    workspace_id: string;
+    user_id: number | string;
+    user_crypto_epoch_id: string;
+    schema: typeof USER_EPOCH_RECOVERY_BACKUP_SCHEMA;
+    status: string;
+    kdf: typeof RECOVERY_KDF;
+    kdf_params: RecoveryKdfParams;
+    encrypted_payload: RecoveryEnvelope;
+    created_at?: string | null;
+}
+interface RecoveryKdfParams {
+    salt: string;
+    keyLength: number;
+    N: number;
+    r: number;
+    p: number;
+}
+interface RecoveryEnvelope {
+    schema: typeof USER_EPOCH_RECOVERY_ENVELOPE_SCHEMA;
+    alg: 'aes-256-gcm';
+    aad: JsonValue;
+    iv: string;
+    ciphertext: string;
+    tag: string;
+    aadDigest: string;
+    createdAt: string;
+}
+export declare function generateUserEpochRecoveryKey(): string;
+export declare function createUserEpochRecoveryBackup(options: {
+    target: CryptoEpochSyncTarget;
+    recoveryKey: string;
+    home?: string;
+    fetchImpl?: typeof transportFetch;
+}): Promise<UserKeyBackupResponse>;
+export declare function restoreUserEpochFromRecoveryBackup(options: {
+    target: CryptoEpochSyncTarget;
+    recoveryKey: string;
+    home?: string;
+    fetchImpl?: typeof transportFetch;
+}): Promise<{
+    backup: UserKeyBackupResponse;
+    restoredEpoch: LocalUserCryptoEpoch;
+    rotatedEpoch: LocalUserCryptoEpoch;
+    rotatedBackup: UserKeyBackupResponse;
+}>;
+export {};
+//# sourceMappingURL=epoch-recovery.d.ts.map

package/dist/security/epoch-recovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch-recovery.d.ts","sourceRoot":"","sources":["../../src/security/epoch-recovery.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAGL,KAAK,oBAAoB,EAC1B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAKL,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAyB,KAAK,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAEpF,eAAO,MAAM,iCAAiC,2CAA2C,CAAC;AAE1F,QAAA,MAAM,mCAAmC,6CAA6C,CAAC;AACvF,QAAA,MAAM,YAAY,qBAAqB,CAAC;AAWxC,UAAU,qBAAqB;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,MAAM,EAAE,OAAO,iCAAiC,CAAC;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,OAAO,YAAY,CAAC;IACzB,UAAU,EAAE,iBAAiB,CAAC;IAC9B,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,UAAU,iBAAiB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;CACX;AAED,UAAU,gBAAgB;IACxB,MAAM,EAAE,OAAO,mCAAmC,CAAC;IACnD,GAAG,EAAE,aAAa,CAAC;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,4BAA4B,IAAI,MAAM,CAErD;AAED,wBAAsB,6BAA6B,CAAC,OAAO,EAAE;IAC3D,MAAM,EAAE,qBAAqB,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAkDjC;AAED,wBAAsB,kCAAkC,CAAC,OAAO,EAAE;IAChE,MAAM,EAAE,qBAAqB,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IACV,MAAM,EAAE,qBAAqB,CAAC;IAC9B,aAAa,EAAE,oBAAoB,CAAC;IACpC,YAAY,EAAE,oBAAoB,CAAC;IACnC,aAAa,EAAE,qBAAqB,CAAC;CACtC,CAAC,CAqCD"}