npm - api-ape - Versions diffs - 3.0.2 → 4.1.0 - Mend

api-ape 3.0.2 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (186) hide show

package/README.md +59 -572
package/client/README.md +73 -14
package/client/auth/crypto/aead.js +214 -0
package/client/auth/crypto/constants.js +32 -0
package/client/auth/crypto/encoding.js +104 -0
package/client/auth/crypto/files.md +27 -0
package/client/auth/crypto/kdf.js +217 -0
package/client/auth/crypto-utils.js +118 -0
package/client/auth/files.md +52 -0
package/client/auth/key-recovery.js +288 -0
package/client/auth/recovery/constants.js +37 -0
package/client/auth/recovery/files.md +23 -0
package/client/auth/recovery/key-derivation.js +61 -0
package/client/auth/recovery/sss-browser.js +189 -0
package/client/auth/share-storage.js +205 -0
package/client/auth/storage/constants.js +18 -0
package/client/auth/storage/db.js +132 -0
package/client/auth/storage/files.md +27 -0
package/client/auth/storage/keys.js +173 -0
package/client/auth/storage/shares.js +200 -0
package/client/browser.js +190 -23
package/client/connectSocket.js +418 -988
package/client/connection/README.md +23 -0
package/client/connection/fileDownload.js +256 -0
package/client/connection/fileHandling.js +450 -0
package/client/connection/fileUtils.js +346 -0
package/client/connection/files.md +71 -0
package/client/connection/messageHandler.js +105 -0
package/client/connection/network.js +350 -0
package/client/connection/proxy.js +233 -0
package/client/connection/sender.js +333 -0
package/client/connection/state.js +321 -0
package/client/connection/subscriptions.js +151 -0
package/client/files.md +53 -0
package/client/index.js +298 -142
package/client/transports/README.md +50 -0
package/client/transports/files.md +41 -0
package/client/transports/streamParser.js +195 -0
package/client/transports/streaming.js +555 -203
package/dist/ape.js +6 -1
package/dist/ape.js.map +4 -4
package/index.d.ts +38 -16
package/package.json +31 -6
package/server/README.md +272 -67
package/server/adapters/README.md +23 -14
package/server/adapters/files.md +68 -0
package/server/adapters/firebase.js +543 -160
package/server/adapters/index.js +362 -112
package/server/adapters/mongo.js +530 -140
package/server/adapters/postgres.js +534 -155
package/server/adapters/redis.js +508 -143
package/server/adapters/supabase.js +555 -186
package/server/client/README.md +43 -0
package/server/client/connection.js +586 -0
package/server/client/files.md +40 -0
package/server/client/index.js +342 -0
package/server/files.md +54 -0
package/server/index.js +322 -71
package/server/lib/README.md +26 -0
package/server/lib/broadcast/clients.js +219 -0
package/server/lib/broadcast/files.md +58 -0
package/server/lib/broadcast/index.js +57 -0
package/server/lib/broadcast/publishProxy.js +110 -0
package/server/lib/broadcast/pubsub.js +137 -0
package/server/lib/broadcast/sendProxy.js +103 -0
package/server/lib/bun.js +315 -99
package/server/lib/fileTransfer/README.md +63 -0
package/server/lib/fileTransfer/files.md +30 -0
package/server/lib/fileTransfer/streaming.js +435 -0
package/server/lib/fileTransfer.js +710 -326
package/server/lib/files.md +111 -0
package/server/lib/httpUtils.js +283 -0
package/server/lib/loader.js +208 -7
package/server/lib/longPolling/README.md +63 -0
package/server/lib/longPolling/files.md +44 -0
package/server/lib/longPolling/getHandler.js +365 -0
package/server/lib/longPolling/postHandler.js +327 -0
package/server/lib/longPolling.js +174 -219
package/server/lib/main.js +369 -532
package/server/lib/runtimes/README.md +42 -0
package/server/lib/runtimes/bun.js +586 -0
package/server/lib/runtimes/files.md +56 -0
package/server/lib/runtimes/node.js +511 -0
package/server/lib/wiring.js +539 -98
package/server/lib/ws/README.md +35 -0
package/server/lib/ws/adapters/README.md +54 -0
package/server/lib/ws/adapters/bun.js +538 -170
package/server/lib/ws/adapters/deno.js +623 -149
package/server/lib/ws/adapters/files.md +42 -0
package/server/lib/ws/files.md +74 -0
package/server/lib/ws/frames.js +532 -154
package/server/lib/ws/index.js +207 -10
package/server/lib/ws/server.js +385 -92
package/server/lib/ws/socket.js +549 -181
package/server/lib/wsProvider.js +363 -89
package/server/plugins/binary.js +282 -0
package/server/security/README.md +92 -0
package/server/security/auth/README.md +319 -0
package/server/security/auth/adapters/files.md +95 -0
package/server/security/auth/adapters/ldap/constants.js +37 -0
package/server/security/auth/adapters/ldap/files.md +19 -0
package/server/security/auth/adapters/ldap/helpers.js +111 -0
package/server/security/auth/adapters/ldap.js +353 -0
package/server/security/auth/adapters/oauth2/constants.js +41 -0
package/server/security/auth/adapters/oauth2/files.md +19 -0
package/server/security/auth/adapters/oauth2/helpers.js +123 -0
package/server/security/auth/adapters/oauth2.js +273 -0
package/server/security/auth/adapters/opaque-handlers.js +314 -0
package/server/security/auth/adapters/opaque.js +205 -0
package/server/security/auth/adapters/saml/constants.js +52 -0
package/server/security/auth/adapters/saml/files.md +19 -0
package/server/security/auth/adapters/saml/helpers.js +74 -0
package/server/security/auth/adapters/saml.js +173 -0
package/server/security/auth/adapters/totp.js +703 -0
package/server/security/auth/adapters/webauthn.js +625 -0
package/server/security/auth/files.md +61 -0
package/server/security/auth/framework/constants.js +27 -0
package/server/security/auth/framework/files.md +23 -0
package/server/security/auth/framework/handlers.js +272 -0
package/server/security/auth/framework/socket-auth.js +177 -0
package/server/security/auth/handlers/auth-messages.js +143 -0
package/server/security/auth/handlers/files.md +28 -0
package/server/security/auth/index.js +290 -0
package/server/security/auth/mfa/crypto/aead.js +148 -0
package/server/security/auth/mfa/crypto/constants.js +35 -0
package/server/security/auth/mfa/crypto/files.md +27 -0
package/server/security/auth/mfa/crypto/kdf.js +120 -0
package/server/security/auth/mfa/crypto/utils.js +68 -0
package/server/security/auth/mfa/crypto-utils.js +80 -0
package/server/security/auth/mfa/files.md +77 -0
package/server/security/auth/mfa/ledger/constants.js +75 -0
package/server/security/auth/mfa/ledger/errors.js +73 -0
package/server/security/auth/mfa/ledger/files.md +23 -0
package/server/security/auth/mfa/ledger/share-record.js +32 -0
package/server/security/auth/mfa/ledger.js +255 -0
package/server/security/auth/mfa/recovery/constants.js +67 -0
package/server/security/auth/mfa/recovery/files.md +19 -0
package/server/security/auth/mfa/recovery/handlers.js +216 -0
package/server/security/auth/mfa/recovery.js +191 -0
package/server/security/auth/mfa/sss/constants.js +21 -0
package/server/security/auth/mfa/sss/files.md +23 -0
package/server/security/auth/mfa/sss/gf256.js +103 -0
package/server/security/auth/mfa/sss/serialization.js +82 -0
package/server/security/auth/mfa/sss.js +161 -0
package/server/security/auth/mfa/two-of-three/constants.js +58 -0
package/server/security/auth/mfa/two-of-three/files.md +23 -0
package/server/security/auth/mfa/two-of-three/handlers.js +241 -0
package/server/security/auth/mfa/two-of-three/helpers.js +71 -0
package/server/security/auth/mfa/two-of-three.js +136 -0
package/server/security/auth/nonce-manager.js +89 -0
package/server/security/auth/state-machine-mfa.js +269 -0
package/server/security/auth/state-machine.js +257 -0
package/server/security/extractRootDomain.js +144 -16
package/server/security/files.md +51 -0
package/server/security/origin.js +197 -15
package/server/security/reply.js +274 -16
package/server/socket/README.md +119 -0
package/server/socket/authMiddleware.js +299 -0
package/server/socket/files.md +86 -0
package/server/socket/open.js +154 -8
package/server/socket/pluginHooks.js +334 -0
package/server/socket/receive.js +184 -224
package/server/socket/receiveContext.js +117 -0
package/server/socket/send.js +416 -78
package/server/socket/tagUtils.js +402 -0
package/server/utils/README.md +19 -0
package/server/utils/deepRequire.js +255 -30
package/server/utils/files.md +57 -0
package/server/utils/genId.js +182 -20
package/server/utils/parseUserAgent.js +313 -251
package/server/utils/userAgent/README.md +65 -0
package/server/utils/userAgent/files.md +46 -0
package/server/utils/userAgent/patterns.js +545 -0
package/utils/README.md +21 -0
package/utils/files.md +66 -0
package/utils/jss/README.md +21 -0
package/utils/jss/decode.js +471 -0
package/utils/jss/encode.js +312 -0
package/utils/jss/files.md +68 -0
package/utils/jss/plugins.js +210 -0
package/utils/jss.js +219 -273
package/utils/messageHash.js +238 -35
package/dist/api-ape.min.js +0 -2
package/dist/api-ape.min.js.map +0 -7
package/server/client.js +0 -311
package/server/lib/broadcast.js +0 -146

package/server/security/auth/nonce-manager.js ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * @fileoverview Nonce Manager for api-ape Authentication
+ *
+ * Handles single-use server nonce generation, validation, and consumption.
+ *
+ * @module server/security/auth/nonce-manager
+ * @see {@link module:server/security/auth/state-machine} for the main state machine
+ */
+const crypto = require("crypto");
+/**
+ * Create nonce management functions
+ *
+ * @param {Object} deps - Dependencies
+ * @param {number} deps.nonceExpiry - Nonce expiry time in ms
+ * @param {Object} deps.AuthError - Error code enum
+ * @returns {Object} Nonce management functions
+ */
+function createNonceManager(deps) {
+  const { nonceExpiry, AuthError } = deps;
+  const usedNonces = new Set();
+  const pendingNonces = new Map();
+  /**
+   * Generate a single-use server nonce
+   * @param {number} [length=32] - Nonce length in bytes
+   * @returns {Object} Nonce info { nonce, expiresAt }
+   */
+  function generateNonce(length = 32) {
+    const nonce = crypto.randomBytes(length).toString("base64url");
+    const expiresAt = Date.now() + nonceExpiry;
+    pendingNonces.set(nonce, { expiresAt, used: false });
+    setTimeout(() => {
+      pendingNonces.delete(nonce);
+    }, nonceExpiry + 1000);
+    return { nonce, expiresAt };
+  }
+  /**
+   * Validate and consume a nonce
+   * @param {string} nonce - The nonce to validate
+   * @returns {boolean} True if valid
+   * @throws {Error} If nonce is expired, reused, or invalid
+   */
+  function consumeNonce(nonce) {
+    if (usedNonces.has(nonce)) {
+      const err = new Error("Nonce already used");
+      err.code = AuthError.NONCE_REUSED;
+      throw err;
+    }
+    const nonceInfo = pendingNonces.get(nonce);
+    if (!nonceInfo) {
+      const err = new Error("Invalid or expired nonce");
+      err.code = AuthError.NONCE_EXPIRED;
+      throw err;
+    }
+    if (Date.now() > nonceInfo.expiresAt) {
+      pendingNonces.delete(nonce);
+      const err = new Error("Nonce expired");
+      err.code = AuthError.NONCE_EXPIRED;
+      throw err;
+    }
+    pendingNonces.delete(nonce);
+    usedNonces.add(nonce);
+    setTimeout(() => {
+      usedNonces.delete(nonce);
+    }, nonceExpiry * 2);
+    return true;
+  }
+  /**
+   * Clear all pending nonces
+   */
+  function clearPendingNonces() {
+    pendingNonces.clear();
+  }
+  return {
+    generateNonce,
+    consumeNonce,
+    clearPendingNonces,
+  };
+}
+module.exports = {
+  createNonceManager,
+};

package/server/security/auth/state-machine-mfa.js ADDED Viewed

@@ -0,0 +1,269 @@
+/**
+ * @fileoverview MFA Elevation Module for api-ape Server
+ *
+ * Provides MFA (Multi-Factor Authentication) elevation functions
+ * and Key Recovery (2-of-3 Tier 3) elevation for the authentication state machine.
+ *
+ * @module server/security/auth/state-machine-mfa
+ * @see {@link module:server/security/auth/state-machine} for the main state machine
+ */
+/**
+ * Create MFA elevation functions
+ *
+ * @param {Object} deps - Dependencies
+ * @param {Function} deps.getState - Get current state function
+ * @param {Function} deps.getTier - Get current tier function
+ * @param {Function} deps.transition - State transition function
+ * @param {Function} deps.generateNonce - Nonce generator
+ * @param {Function} deps.getPrincipal - Get principal function
+ * @param {Function} deps.setPrincipal - Set principal function
+ * @param {Object} deps.AuthState - State enum
+ * @param {Object} deps.AuthTier - Tier enum
+ * @param {Object} deps.AuthError - Error enum
+ * @returns {Object} MFA functions
+ */
+function createMFAFunctions(deps) {
+  const {
+    getState,
+    getTier,
+    transition,
+    generateNonce,
+    getPrincipal,
+    setPrincipal,
+    AuthState,
+    AuthTier,
+    AuthError,
+  } = deps;
+  // Track pending key recovery challenges
+  let pendingKeyRecovery = null;
+  /**
+   * Start MFA elevation flow
+   *
+   * @param {string[]} methods - Available MFA methods
+   * @throws {Error} If not at Tier 1
+   * @returns {Object} MFA challenge info
+   */
+  function startMFA(methods) {
+    const state = getState();
+    if (state.state !== AuthState.AUTHENTICATED) {
+      const err = new Error("Must be authenticated before MFA");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    transition(AuthState.MFA_PENDING);
+    return {
+      state: AuthState.MFA_PENDING,
+      methods,
+      challenge: generateNonce(),
+    };
+  }
+  /**
+   * Complete MFA elevation
+   *
+   * @param {string} method - MFA method used
+   * @returns {Object} Elevation result
+   */
+  function completeMFA(method) {
+    const state = getState();
+    if (state.state !== AuthState.MFA_PENDING) {
+      const err = new Error("Not in MFA pending state");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    transition(AuthState.ELEVATED);
+    const principal = getPrincipal();
+    principal.elevatedAt = Date.now();
+    principal.mfaMethod = method;
+    setPrincipal(principal);
+    return {
+      state: AuthState.ELEVATED,
+      tier: getTier(),
+      principal,
+    };
+  }
+  /**
+   * Get current auth state snapshot
+   * @returns {Object} Current state info
+   */
+  function getStateSnapshot() {
+    const state = getState();
+    const principal = getPrincipal();
+    const tier = getTier();
+    return {
+      state: state.state,
+      tier,
+      principal: principal ? { ...principal } : null,
+      isAuthenticated: tier >= AuthTier.BASIC,
+      isElevated: tier >= AuthTier.ELEVATED,
+      isHighSecurity: tier >= AuthTier.HIGH_SECURITY,
+      keyRecoveryPending: pendingKeyRecovery !== null,
+    };
+  }
+  // ============================================================
+  // Key Recovery (2-of-3 Tier 3) Functions
+  // ============================================================
+  /**
+   * Start key recovery elevation flow
+   * Requires ELEVATED tier (Tier 2)
+   *
+   * @param {Object} options - Key recovery options
+   * @param {string[]} options.factors - Available factors ['oauth', 'webauthn', 'totp']
+   * @returns {Object} Key recovery challenge info
+   * @throws {Error} If not at ELEVATED tier
+   */
+  function startKeyRecovery(options = {}) {
+    const state = getState();
+    // Can start from AUTHENTICATED or ELEVATED
+    if (state.state !== AuthState.ELEVATED && state.state !== AuthState.AUTHENTICATED) {
+      const err = new Error("Must be authenticated or elevated before key recovery");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    // If starting from AUTHENTICATED, automatically elevate for key recovery
+    // This handles direct Tier 1 -> Tier 3 path
+    if (state.state === AuthState.AUTHENTICATED) {
+      // Key recovery can start from AUTHENTICATED per VALID_TRANSITIONS
+    }
+    transition(AuthState.KEY_RECOVERY_PENDING);
+    const challenge = generateNonce();
+    pendingKeyRecovery = {
+      challenge,
+      startedAt: Date.now(),
+      factors: options.factors || ['oauth', 'webauthn', 'totp'],
+      verifiedFactors: [],
+    };
+    return {
+      state: AuthState.KEY_RECOVERY_PENDING,
+      challenge,
+      factors: pendingKeyRecovery.factors,
+    };
+  }
+  /**
+   * Complete key recovery with proof
+   *
+   * @param {Object} params - Completion parameters
+   * @param {string} params.proof - HMAC proof that client reconstructed K_user
+   * @param {string[]} params.usedFactors - The two factors used for recovery
+   * @returns {Object} Elevation result
+   * @throws {Error} If not in KEY_RECOVERY_PENDING state or proof invalid
+   */
+  function completeKeyRecovery(params) {
+    const { proof, usedFactors } = params;
+    const state = getState();
+    if (state.state !== AuthState.KEY_RECOVERY_PENDING) {
+      const err = new Error("Not in key recovery pending state");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    if (!pendingKeyRecovery) {
+      const err = new Error("No pending key recovery challenge");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    if (!proof || typeof proof !== 'string') {
+      const err = new Error("Invalid key recovery proof");
+      err.code = AuthError.INVALID_PROOF;
+      throw err;
+    }
+    if (!Array.isArray(usedFactors) || usedFactors.length !== 2) {
+      const err = new Error("Must use exactly 2 factors for key recovery");
+      err.code = AuthError.INVALID_PROOF;
+      throw err;
+    }
+    // Note: Actual proof verification happens in the two-of-three adapter
+    // The state machine just manages the state transitions
+    transition(AuthState.HIGH_SECURITY);
+    const principal = getPrincipal();
+    principal.highSecurityAt = Date.now();
+    principal.keyRecoveryFactors = usedFactors;
+    principal.tier = AuthTier.HIGH_SECURITY;
+    setPrincipal(principal);
+    // Clear pending recovery
+    pendingKeyRecovery = null;
+    return {
+      state: AuthState.HIGH_SECURITY,
+      tier: getTier(),
+      principal,
+    };
+  }
+  /**
+   * Cancel pending key recovery
+   * Returns to ELEVATED state
+   *
+   * @returns {Object} New state info
+   */
+  function cancelKeyRecovery() {
+    const state = getState();
+    if (state.state !== AuthState.KEY_RECOVERY_PENDING) {
+      const err = new Error("No key recovery in progress");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    transition(AuthState.ELEVATED);
+    pendingKeyRecovery = null;
+    return {
+      state: AuthState.ELEVATED,
+      tier: getTier(),
+    };
+  }
+  /**
+   * Get pending key recovery status
+   * @returns {Object|null} Pending recovery info or null
+   */
+  function getKeyRecoveryStatus() {
+    if (!pendingKeyRecovery) return null;
+    return {
+      challenge: pendingKeyRecovery.challenge,
+      factors: pendingKeyRecovery.factors,
+      startedAt: pendingKeyRecovery.startedAt,
+      verifiedFactors: pendingKeyRecovery.verifiedFactors,
+    };
+  }
+  return {
+    startMFA,
+    completeMFA,
+    getStateSnapshot,
+    // Key recovery functions
+    startKeyRecovery,
+    completeKeyRecovery,
+    cancelKeyRecovery,
+    getKeyRecoveryStatus,
+  };
+}
+module.exports = {
+  createMFAFunctions,
+};

package/server/security/auth/state-machine.js ADDED Viewed

@@ -0,0 +1,257 @@
+/**
+ * @fileoverview Authentication State Machine for api-ape Server
+ *
+ * Manages authentication state transitions for WebSocket connections.
+ * Enforces the tiered authentication model with no-downgrade rules.
+ *
+ * @module server/security/auth/state-machine
+ */
+/** @enum {string} */
+const AuthState = {
+  GUEST: "GUEST",
+  AUTHENTICATING: "AUTHENTICATING",
+  AUTHENTICATED: "AUTHENTICATED",
+  MFA_PENDING: "MFA_PENDING",
+  ELEVATED: "ELEVATED",
+  KEY_RECOVERY_PENDING: "KEY_RECOVERY_PENDING",
+  HIGH_SECURITY: "HIGH_SECURITY",
+};
+/** @enum {number} */
+const AuthTier = { GUEST: 0, BASIC: 1, ELEVATED: 2, HIGH_SECURITY: 3 };
+const STATE_TO_TIER = {
+  [AuthState.GUEST]: AuthTier.GUEST,
+  [AuthState.AUTHENTICATING]: AuthTier.GUEST,
+  [AuthState.AUTHENTICATED]: AuthTier.BASIC,
+  [AuthState.MFA_PENDING]: AuthTier.BASIC,
+  [AuthState.ELEVATED]: AuthTier.ELEVATED,
+  [AuthState.KEY_RECOVERY_PENDING]: AuthTier.ELEVATED,
+  [AuthState.HIGH_SECURITY]: AuthTier.HIGH_SECURITY,
+};
+const VALID_TRANSITIONS = {
+  [AuthState.GUEST]: [AuthState.AUTHENTICATING],
+  [AuthState.AUTHENTICATING]: [AuthState.GUEST, AuthState.AUTHENTICATED],
+  [AuthState.AUTHENTICATED]: [AuthState.MFA_PENDING, AuthState.KEY_RECOVERY_PENDING],
+  [AuthState.MFA_PENDING]: [AuthState.AUTHENTICATED, AuthState.ELEVATED],
+  [AuthState.ELEVATED]: [AuthState.KEY_RECOVERY_PENDING],
+  [AuthState.KEY_RECOVERY_PENDING]: [AuthState.ELEVATED, AuthState.HIGH_SECURITY],
+  [AuthState.HIGH_SECURITY]: [],
+};
+/** @enum {string} */
+const AuthError = {
+  INVALID_TRANSITION: "INVALID_TRANSITION",
+  AUTH_IN_PROGRESS: "AUTH_IN_PROGRESS",
+  ALREADY_AUTHENTICATED: "ALREADY_AUTHENTICATED",
+  AUTH_TIMEOUT: "AUTH_TIMEOUT",
+  INVALID_PROOF: "INVALID_PROOF",
+  NONCE_EXPIRED: "NONCE_EXPIRED",
+  NONCE_REUSED: "NONCE_REUSED",
+  RATE_LIMITED: "RATE_LIMITED",
+  USER_NOT_FOUND: "USER_NOT_FOUND",
+  NO_DOWNGRADE: "NO_DOWNGRADE",
+};
+const DEFAULT_CONFIG = {
+  authTimeout: 60000,
+  maxAttempts: 5,
+  lockoutDuration: 300000,
+  nonceExpiry: 30000,
+};
+/**
+ * Create an authentication state manager for a socket
+ * @param {Object} [config={}] - Configuration options
+ * @returns {Object} Auth state manager
+ */
+function createAuthStateMachine(config = {}) {
+  const cfg = { ...DEFAULT_CONFIG, ...config };
+  let state = AuthState.GUEST;
+  let principal = null;
+  let attempts = 0;
+  let lockoutUntil = 0;
+  let authTimeoutTimer = null;
+  const { createNonceManager } = require("./nonce-manager");
+  const nonceManager = createNonceManager({ nonceExpiry: cfg.nonceExpiry, AuthError });
+  /** @returns {number} */
+  function getTier() { return STATE_TO_TIER[state]; }
+  /**
+   * @param {string} from
+   * @param {string} to
+   * @returns {boolean}
+   */
+  function isValidTransition(from, to) {
+    return (VALID_TRANSITIONS[from] || []).includes(to);
+  }
+  /**
+   * @param {string} newState
+   * @returns {string}
+   */
+  function transition(newState) {
+    if (!isValidTransition(state, newState)) {
+      const err = new Error(`Invalid transition: ${state} -> ${newState}`);
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    const oldTier = getTier();
+    const newTier = STATE_TO_TIER[newState];
+    if (newTier < oldTier && newState !== AuthState.GUEST) {
+      const err = new Error(`Cannot downgrade from tier ${oldTier} to ${newTier}`);
+      err.code = AuthError.NO_DOWNGRADE;
+      throw err;
+    }
+    const oldState = state;
+    state = newState;
+    return oldState;
+  }
+  /** @returns {boolean} */
+  function isLockedOut() {
+    if (lockoutUntil === 0) return false;
+    if (Date.now() >= lockoutUntil) { lockoutUntil = 0; attempts = 0; return false; }
+    return true;
+  }
+  /** @returns {Object} */
+  function recordFailedAttempt() {
+    attempts++;
+    if (attempts >= cfg.maxAttempts) lockoutUntil = Date.now() + cfg.lockoutDuration;
+    return {
+      attempts,
+      maxAttempts: cfg.maxAttempts,
+      lockedOut: isLockedOut(),
+      lockoutRemaining: lockoutUntil > 0 ? lockoutUntil - Date.now() : 0,
+    };
+  }
+  /** Reset attempt counter (called on successful auth) */
+  function resetAttempts() { attempts = 0; lockoutUntil = 0; }
+  /**
+   * @param {string} method
+   * @returns {Object}
+   */
+  function startAuth(method) {
+    if (isLockedOut()) {
+      const err = new Error("Too many authentication attempts");
+      err.code = AuthError.RATE_LIMITED;
+      err.lockoutRemaining = lockoutUntil - Date.now();
+      throw err;
+    }
+    if (state === AuthState.AUTHENTICATING) {
+      const err = new Error("Authentication already in progress");
+      err.code = AuthError.AUTH_IN_PROGRESS;
+      throw err;
+    }
+    if (getTier() >= AuthTier.BASIC) {
+      const err = new Error("Already authenticated");
+      err.code = AuthError.ALREADY_AUTHENTICATED;
+      throw err;
+    }
+    transition(AuthState.AUTHENTICATING);
+    authTimeoutTimer = setTimeout(() => {
+      if (state === AuthState.AUTHENTICATING) transition(AuthState.GUEST);
+    }, cfg.authTimeout);
+    return { state, method };
+  }
+  /**
+   * @param {Object} principalData
+   * @returns {Object}
+   */
+  function completeAuth(principalData) {
+    if (state !== AuthState.AUTHENTICATING) {
+      const err = new Error("Not in authenticating state");
+      err.code = AuthError.INVALID_TRANSITION;
+      throw err;
+    }
+    if (authTimeoutTimer) { clearTimeout(authTimeoutTimer); authTimeoutTimer = null; }
+    principal = {
+      userId: principalData.userId,
+      roles: principalData.roles || [],
+      permissions: principalData.permissions || {},
+      authenticatedAt: Date.now(),
+    };
+    transition(AuthState.AUTHENTICATED);
+    resetAttempts();
+    return { state, tier: getTier(), principal };
+  }
+  /**
+   * @param {string} reason
+   * @returns {Object}
+   */
+  function failAuth(reason) {
+    if (authTimeoutTimer) { clearTimeout(authTimeoutTimer); authTimeoutTimer = null; }
+    if (state === AuthState.AUTHENTICATING) transition(AuthState.GUEST);
+    return { state, reason, ...recordFailedAttempt() };
+  }
+  const { createMFAFunctions } = require("./state-machine-mfa");
+  const mfaFunctions = createMFAFunctions({
+    getState: () => ({ state }),
+    getTier,
+    transition,
+    generateNonce: nonceManager.generateNonce,
+    getPrincipal: () => principal,
+    setPrincipal: (p) => { principal = p; },
+    AuthState,
+    AuthTier,
+    AuthError,
+  });
+  /** @returns {Object} */
+  function getState() {
+    return {
+      state,
+      tier: getTier(),
+      principal: principal ? { ...principal } : null,
+      isAuthenticated: getTier() >= AuthTier.BASIC,
+      isElevated: getTier() >= AuthTier.ELEVATED,
+      isHighSecurity: getTier() >= AuthTier.HIGH_SECURITY,
+    };
+  }
+  /** Clean up resources (call on socket close) */
+  function cleanup() {
+    if (authTimeoutTimer) { clearTimeout(authTimeoutTimer); authTimeoutTimer = null; }
+    nonceManager.clearPendingNonces();
+  }
+  return {
+    getState,
+    getTier,
+    startAuth,
+    completeAuth,
+    failAuth,
+    startMFA: mfaFunctions.startMFA,
+    completeMFA: mfaFunctions.completeMFA,
+    // Key recovery (2-of-3 Tier 3) functions
+    startKeyRecovery: mfaFunctions.startKeyRecovery,
+    completeKeyRecovery: mfaFunctions.completeKeyRecovery,
+    cancelKeyRecovery: mfaFunctions.cancelKeyRecovery,
+    getKeyRecoveryStatus: mfaFunctions.getKeyRecoveryStatus,
+    generateNonce: nonceManager.generateNonce,
+    consumeNonce: nonceManager.consumeNonce,
+    isLockedOut,
+    cleanup,
+    AuthState,
+    AuthTier,
+    AuthError,
+  };
+}
+module.exports = {
+  createAuthStateMachine,
+  AuthState,
+  AuthTier,
+  AuthError,
+  DEFAULT_CONFIG,
+};