dbsc-toolkit 1.0.1

package/dist/core/errors.js

@@ -0,0 +1,39 @@
+export class DbscProtocolError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "DbscProtocolError";
+        this.code = code;
+    }
+}
+export class DbscVerificationError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "DbscVerificationError";
+        this.code = code;
+    }
+}
+export class DbscStorageError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = "DbscStorageError";
+        this.code = code;
+    }
+}
+export const ErrorCodes = {
+    MISSING_RESPONSE_HEADER: "MISSING_RESPONSE_HEADER",
+    MALFORMED_JWS: "MALFORMED_JWS",
+    INVALID_JWK: "INVALID_JWK",
+    UNKNOWN_ALGORITHM: "UNKNOWN_ALGORITHM",
+    CHALLENGE_NOT_FOUND: "CHALLENGE_NOT_FOUND",
+    CHALLENGE_EXPIRED: "CHALLENGE_EXPIRED",
+    CHALLENGE_CONSUMED: "CHALLENGE_CONSUMED",
+    JTI_MISMATCH: "JTI_MISMATCH",
+    SIGNATURE_INVALID: "SIGNATURE_INVALID",
+    KEY_NOT_FOUND: "KEY_NOT_FOUND",
+    SESSION_NOT_FOUND: "SESSION_NOT_FOUND",
+    RATE_LIMITED: "RATE_LIMITED",
+};
+//# sourceMappingURL=errors.js.map

package/dist/core/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/core/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IACrC,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IAEtB,YAAY,IAAY,EAAE,OAAe;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,uBAAuB,EAAE,yBAAyB;IAClD,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,aAAa;IAC1B,iBAAiB,EAAE,mBAAmB;IACtC,mBAAmB,EAAE,qBAAqB;IAC1C,iBAAiB,EAAE,mBAAmB;IACtC,kBAAkB,EAAE,oBAAoB;IACxC,YAAY,EAAE,cAAc;IAC5B,iBAAiB,EAAE,mBAAmB;IACtC,aAAa,EAAE,eAAe;IAC9B,iBAAiB,EAAE,mBAAmB;IACtC,YAAY,EAAE,cAAc;CACpB,CAAC"}

package/dist/core/fallback/hmac.d.ts

@@ -0,0 +1,9 @@
+export interface HmacSignalBundle {
+    userAgent: string;
+    acceptLanguage: string;
+    secureContext: boolean;
+}
+export declare function collectSignals(headers: Record<string, string | string[] | undefined>): HmacSignalBundle;
+export declare function generateHmacToken(signals: HmacSignalBundle, secret: Buffer): string;
+export declare function verifyHmacToken(token: string, signals: HmacSignalBundle, secret: Buffer): boolean;
+//# sourceMappingURL=hmac.d.ts.map

package/dist/core/fallback/hmac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../../../src/core/fallback/hmac.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,gBAAgB,CAMvG;AAQD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAKnF;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,EACzB,MAAM,EAAE,MAAM,GACb,OAAO,CAeT"}

package/dist/core/fallback/hmac.js

@@ -0,0 +1,37 @@
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+// This tier binds a cookie to a set of browser signals via HMAC.
+// It does NOT provide hardware-level binding. Use only when DBSC and WebAuthn
+// are both unavailable. Document this limitation to end users.
+const SIGNAL_SEPARATOR = "|";
+export function collectSignals(headers) {
+    return {
+        userAgent: headers["user-agent"] ?? "",
+        acceptLanguage: headers["accept-language"] ?? "",
+        secureContext: headers["x-forwarded-proto"] === "https",
+    };
+}
+function serializeSignals(bundle) {
+    return [bundle.userAgent, bundle.acceptLanguage, String(bundle.secureContext)].join(SIGNAL_SEPARATOR);
+}
+export function generateHmacToken(signals, secret) {
+    const nonce = randomBytes(16).toString("base64url");
+    const data = `${nonce}${SIGNAL_SEPARATOR}${serializeSignals(signals)}`;
+    const mac = createHmac("sha256", secret).update(data).digest("base64url");
+    return `${nonce}.${mac}`;
+}
+export function verifyHmacToken(token, signals, secret) {
+    const dot = token.indexOf(".");
+    if (dot === -1)
+        return false;
+    const nonce = token.slice(0, dot);
+    const providedMac = token.slice(dot + 1);
+    const data = `${nonce}${SIGNAL_SEPARATOR}${serializeSignals(signals)}`;
+    const expectedMac = createHmac("sha256", secret).update(data).digest("base64url");
+    try {
+        return timingSafeEqual(Buffer.from(providedMac), Buffer.from(expectedMac));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=hmac.js.map

package/dist/core/fallback/hmac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.js","sourceRoot":"","sources":["../../../src/core/fallback/hmac.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,iEAAiE;AACjE,8EAA8E;AAC9E,+DAA+D;AAE/D,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAQ7B,MAAM,UAAU,cAAc,CAAC,OAAsD;IACnF,OAAO;QACL,SAAS,EAAG,OAAO,CAAC,YAAY,CAAY,IAAI,EAAE;QAClD,cAAc,EAAG,OAAO,CAAC,iBAAiB,CAAY,IAAI,EAAE;QAC5D,aAAa,EAAG,OAAO,CAAC,mBAAmB,CAAY,KAAK,OAAO;KACpE,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAwB;IAChD,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CACjF,gBAAgB,CACjB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAyB,EAAE,MAAc;IACzE,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,GAAG,KAAK,GAAG,gBAAgB,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;IACvE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC1E,OAAO,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,OAAyB,EACzB,MAAc;IAEd,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAClC,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,GAAG,KAAK,GAAG,gBAAgB,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;IACvE,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAElF,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/core/fallback/negotiate.d.ts

@@ -0,0 +1,9 @@
+import type { ProtectionTier } from "../types.js";
+export interface NegotiationContext {
+    acceptsDbsc: boolean;
+    supportsWebAuthn: boolean;
+    hmacAllowed: boolean;
+}
+export declare function negotiateTier(ctx: NegotiationContext): ProtectionTier;
+export declare function detectDbscSupport(headers: Record<string, string | string[] | undefined>): boolean;
+//# sourceMappingURL=negotiate.d.ts.map

package/dist/core/fallback/negotiate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"negotiate.d.ts","sourceRoot":"","sources":["../../../src/core/fallback/negotiate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,OAAO,CAAC;IACrB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,EAAE,OAAO,CAAC;CACtB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,kBAAkB,GAAG,cAAc,CAKrE;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,OAAO,CAWjG"}

package/dist/core/fallback/negotiate.js

@@ -0,0 +1,22 @@
+export function negotiateTier(ctx) {
+    if (ctx.acceptsDbsc)
+        return "dbsc";
+    if (ctx.supportsWebAuthn)
+        return "webauthn";
+    if (ctx.hmacAllowed)
+        return "hmac";
+    return "none";
+}
+export function detectDbscSupport(headers) {
+    const secFetch = headers["sec-fetch-site"];
+    const ua = (headers["user-agent"] ?? "");
+    // Chrome 146+ on Windows carries DBSC support
+    // The definitive signal is whether the browser responds to Secure-Session-Registration
+    // This header is set by the server; we detect support by checking Chrome version
+    const chromeMatch = /Chrome\/(\d+)/.exec(ua);
+    if (!chromeMatch)
+        return false;
+    const version = parseInt(chromeMatch[1] ?? "0", 10);
+    return version >= 146 && !!secFetch;
+}
+//# sourceMappingURL=negotiate.js.map

package/dist/core/fallback/negotiate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"negotiate.js","sourceRoot":"","sources":["../../../src/core/fallback/negotiate.ts"],"names":[],"mappings":"AAQA,MAAM,UAAU,aAAa,CAAC,GAAuB;IACnD,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO,MAAM,CAAC;IACnC,IAAI,GAAG,CAAC,gBAAgB;QAAE,OAAO,UAAU,CAAC;IAC5C,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO,MAAM,CAAC;IACnC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAsD;IACtF,MAAM,QAAQ,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAW,CAAC;IAEnD,8CAA8C;IAC9C,uFAAuF;IACvF,iFAAiF;IACjF,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7C,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IACpD,OAAO,OAAO,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC;AACtC,CAAC"}

package/dist/core/fallback/webauthn.d.ts

@@ -0,0 +1,10 @@
+import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, type VerifiedRegistrationResponse, type VerifyAuthenticationResponseOpts } from "@simplewebauthn/server";
+export interface WebAuthnRegistrationChallenge {
+    options: Awaited<ReturnType<typeof generateRegistrationOptions>>;
+    challenge: string;
+}
+export declare function generateWebAuthnRegistration(rpName: string, rpId: string, userId: string, userName: string): Promise<WebAuthnRegistrationChallenge>;
+export declare function verifyWebAuthnRegistration(response: Parameters<typeof verifyRegistrationResponse>[0]["response"], expectedChallenge: string, expectedOrigin: string, rpId: string): Promise<VerifiedRegistrationResponse>;
+export declare function generateWebAuthnAuthentication(rpId: string, allowedCredentialIds: string[]): Promise<Awaited<ReturnType<typeof generateAuthenticationOptions>>>;
+export declare function verifyWebAuthnAuthentication(opts: VerifyAuthenticationResponseOpts): Promise<Awaited<ReturnType<typeof verifyAuthenticationResponse>>>;
+//# sourceMappingURL=webauthn.d.ts.map

package/dist/core/fallback/webauthn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webauthn.d.ts","sourceRoot":"","sources":["../../../src/core/fallback/webauthn.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAE5B,KAAK,4BAA4B,EACjC,KAAK,gCAAgC,EACtC,MAAM,wBAAwB,CAAC;AAEhC,MAAM,WAAW,6BAA6B;IAC5C,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAC,CAAC;IACjE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,4BAA4B,CAChD,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,6BAA6B,CAAC,CAkBxC;AAED,wBAAsB,0BAA0B,CAC9C,QAAQ,EAAE,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,EACtE,iBAAiB,EAAE,MAAM,EACzB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,4BAA4B,CAAC,CAOvC;AAED,wBAAsB,8BAA8B,CAClD,IAAI,EAAE,MAAM,EACZ,oBAAoB,EAAE,MAAM,EAAE,GAC7B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,6BAA6B,CAAC,CAAC,CAAC,CASpE;AAED,wBAAsB,4BAA4B,CAChD,IAAI,EAAE,gCAAgC,GACrC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,4BAA4B,CAAC,CAAC,CAAC,CAEnE"}

package/dist/core/fallback/webauthn.js

@@ -0,0 +1,41 @@
+import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, } from "@simplewebauthn/server";
+export async function generateWebAuthnRegistration(rpName, rpId, userId, userName) {
+    const opts = {
+        rpName,
+        rpID: rpId,
+        userID: new TextEncoder().encode(userId),
+        userName,
+        authenticatorSelection: {
+            residentKey: "required",
+            userVerification: "preferred",
+        },
+        attestationType: "none",
+    };
+    const options = await generateRegistrationOptions(opts);
+    return {
+        options,
+        challenge: options.challenge,
+    };
+}
+export async function verifyWebAuthnRegistration(response, expectedChallenge, expectedOrigin, rpId) {
+    return verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin,
+        expectedRPID: rpId,
+    });
+}
+export async function generateWebAuthnAuthentication(rpId, allowedCredentialIds) {
+    return generateAuthenticationOptions({
+        rpID: rpId,
+        allowCredentials: allowedCredentialIds.map((id) => ({
+            id,
+            transports: ["internal"],
+        })),
+        userVerification: "preferred",
+    });
+}
+export async function verifyWebAuthnAuthentication(opts) {
+    return verifyAuthenticationResponse(opts);
+}
+//# sourceMappingURL=webauthn.js.map

package/dist/core/fallback/webauthn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webauthn.js","sourceRoot":"","sources":["../../../src/core/fallback/webauthn.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,GAI7B,MAAM,wBAAwB,CAAC;AAOhC,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,MAAc,EACd,IAAY,EACZ,MAAc,EACd,QAAgB;IAEhB,MAAM,IAAI,GAAoC;QAC5C,MAAM;QACN,IAAI,EAAE,IAAI;QACV,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;QACxC,QAAQ;QACR,sBAAsB,EAAE;YACtB,WAAW,EAAE,UAAU;YACvB,gBAAgB,EAAE,WAAW;SAC9B;QACD,eAAe,EAAE,MAAM;KACxB,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAAC,IAAI,CAAC,CAAC;IACxD,OAAO;QACL,OAAO;QACP,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,QAAsE,EACtE,iBAAyB,EACzB,cAAsB,EACtB,IAAY;IAEZ,OAAO,0BAA0B,CAAC;QAChC,QAAQ;QACR,iBAAiB;QACjB,cAAc;QACd,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,IAAY,EACZ,oBAA8B;IAE9B,OAAO,6BAA6B,CAAC;QACnC,IAAI,EAAE,IAAI;QACV,gBAAgB,EAAE,oBAAoB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;YAClD,EAAE;YACF,UAAU,EAAE,CAAC,UAAU,CAAC;SACzB,CAAC,CAAC;QACH,gBAAgB,EAAE,WAAW;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,IAAsC;IAEtC,OAAO,4BAA4B,CAAC,IAAI,CAAC,CAAC;AAC5C,CAAC"}

package/dist/core/index.d.ts

@@ -0,0 +1,14 @@
+export type { ProtectionTier, BoundKey, Session, Challenge, RegistrationProof, RefreshProof, StorageAdapter, RateLimiter, DbscOptions, AnyTelemetryEvent, TelemetryEvent, RegistrationEvent, RefreshEvent, VerificationFailureEvent, SessionStolenEvent, FallbackTierEvent, } from "./types.js";
+export { DbscProtocolError, DbscVerificationError, DbscStorageError, ErrorCodes } from "./errors.js";
+export { validateJwk, detectAlgorithm } from "./crypto/jwk.js";
+export { verifyDbscJws, parseRegistrationJws } from "./crypto/jws.js";
+export { generateJti, issueChallenge } from "./protocol/challenge.js";
+export { buildRegistrationHeader, buildChallengeHeader, parseSessionResponseHeader, buildSessionIdCookie, readSessionResponseHeader, REGISTRATION_HEADER, RESPONSE_HEADER, CHALLENGE_HEADER, LEGACY_REGISTRATION_HEADER, LEGACY_RESPONSE_HEADER, LEGACY_CHALLENGE_HEADER, } from "./protocol/headers.js";
+export { handleRegistration } from "./protocol/registration.js";
+export { handleRefresh } from "./protocol/refresh.js";
+export { negotiateTier, detectDbscSupport } from "./fallback/negotiate.js";
+export { generateWebAuthnRegistration, verifyWebAuthnRegistration, generateWebAuthnAuthentication, verifyWebAuthnAuthentication, } from "./fallback/webauthn.js";
+export { collectSignals, generateHmacToken, verifyHmacToken } from "./fallback/hmac.js";
+export { NoopRateLimiter } from "./ratelimit/interface.js";
+export { emit } from "./telemetry/hooks.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,cAAc,EACd,QAAQ,EACR,OAAO,EACP,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,YAAY,EACZ,wBAAwB,EACxB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAExF,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/core/index.js

@@ -0,0 +1,13 @@
+export { DbscProtocolError, DbscVerificationError, DbscStorageError, ErrorCodes } from "./errors.js";
+export { validateJwk, detectAlgorithm } from "./crypto/jwk.js";
+export { verifyDbscJws, parseRegistrationJws } from "./crypto/jws.js";
+export { generateJti, issueChallenge } from "./protocol/challenge.js";
+export { buildRegistrationHeader, buildChallengeHeader, parseSessionResponseHeader, buildSessionIdCookie, readSessionResponseHeader, REGISTRATION_HEADER, RESPONSE_HEADER, CHALLENGE_HEADER, LEGACY_REGISTRATION_HEADER, LEGACY_RESPONSE_HEADER, LEGACY_CHALLENGE_HEADER, } from "./protocol/headers.js";
+export { handleRegistration } from "./protocol/registration.js";
+export { handleRefresh } from "./protocol/refresh.js";
+export { negotiateTier, detectDbscSupport } from "./fallback/negotiate.js";
+export { generateWebAuthnRegistration, verifyWebAuthnRegistration, generateWebAuthnAuthentication, verifyWebAuthnAuthentication, } from "./fallback/webauthn.js";
+export { collectSignals, generateHmacToken, verifyHmacToken } from "./fallback/hmac.js";
+export { NoopRateLimiter } from "./ratelimit/interface.js";
+export { emit } from "./telemetry/hooks.js";
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAmBA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAExF,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/core/protocol/challenge.d.ts

@@ -0,0 +1,4 @@
+import type { Challenge, StorageAdapter } from "../types.js";
+export declare function generateJti(): string;
+export declare function issueChallenge(sessionId: string, storage: StorageAdapter, ttlMs?: number): Promise<Challenge>;
+//# sourceMappingURL=challenge.d.ts.map

package/dist/core/protocol/challenge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/challenge.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAI7D,wBAAgB,WAAW,IAAI,MAAM,CAEpC;AAED,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,EACvB,KAAK,GAAE,MAAuB,GAC7B,OAAO,CAAC,SAAS,CAAC,CAWpB"}

package/dist/core/protocol/challenge.js

@@ -0,0 +1,18 @@
+import { randomBytes } from "node:crypto";
+const DEFAULT_TTL_MS = 5 * 60 * 1000;
+export function generateJti() {
+    return randomBytes(32).toString("base64url");
+}
+export async function issueChallenge(sessionId, storage, ttlMs = DEFAULT_TTL_MS) {
+    const now = Date.now();
+    const challenge = {
+        jti: generateJti(),
+        sessionId,
+        createdAt: now,
+        expiresAt: now + ttlMs,
+        consumed: false,
+    };
+    await storage.setChallenge(challenge);
+    return challenge;
+}
+//# sourceMappingURL=challenge.js.map

package/dist/core/protocol/challenge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.js","sourceRoot":"","sources":["../../../src/core/protocol/challenge.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAErC,MAAM,UAAU,WAAW;IACzB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,OAAuB,EACvB,QAAgB,cAAc;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAc;QAC3B,GAAG,EAAE,WAAW,EAAE;QAClB,SAAS;QACT,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG,GAAG,KAAK;QACtB,QAAQ,EAAE,KAAK;KAChB,CAAC;IACF,MAAM,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;IACtC,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/core/protocol/headers.d.ts

@@ -0,0 +1,21 @@
+export interface RegistrationHeaderOptions {
+    algorithm?: "ES256" | "RS256";
+    refreshPath: string;
+    challenge: string;
+    cookieName?: string;
+}
+export declare function buildRegistrationHeader(opts: RegistrationHeaderOptions): string;
+export declare function buildChallengeHeader(jti: string): string;
+export declare function parseSessionResponseHeader(raw: string): string;
+export declare function buildSessionIdCookie(sessionId: string, opts: {
+    secure: boolean;
+    sameSite: string;
+}): string;
+export declare const REGISTRATION_HEADER = "Secure-Session-Registration";
+export declare const RESPONSE_HEADER = "Secure-Session-Response";
+export declare const CHALLENGE_HEADER = "Secure-Session-Challenge";
+export declare const LEGACY_REGISTRATION_HEADER = "Sec-Session-Registration";
+export declare const LEGACY_RESPONSE_HEADER = "Sec-Session-Response";
+export declare const LEGACY_CHALLENGE_HEADER = "Sec-Session-Challenge";
+export declare function readSessionResponseHeader(headers: Record<string, string | string[] | undefined>): string | undefined;
+//# sourceMappingURL=headers.d.ts.map

package/dist/core/protocol/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,yBAAyB,GAAG,MAAM,CAK/E;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC1C,MAAM,CAKR;AAED,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,eAAe,4BAA4B,CAAC;AACzD,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAE3D,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,sBAAsB,yBAAyB,CAAC;AAC7D,eAAO,MAAM,uBAAuB,0BAA0B,CAAC;AAE/D,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,MAAM,GAAG,SAAS,CAIpB"}

package/dist/core/protocol/headers.js

@@ -0,0 +1,33 @@
+export function buildRegistrationHeader(opts) {
+    const alg = opts.algorithm ?? "ES256";
+    const parts = [`(${alg})`, `path="${opts.refreshPath}"`, `challenge="${opts.challenge}"`];
+    if (opts.cookieName)
+        parts.push(`id="${opts.cookieName}"`);
+    return parts.join(";");
+}
+export function buildChallengeHeader(jti) {
+    return `"${jti}"`;
+}
+export function parseSessionResponseHeader(raw) {
+    return raw.trim();
+}
+export function buildSessionIdCookie(sessionId, opts) {
+    const parts = [`__Secure-Session-Id=${sessionId}`, "HttpOnly", "Path=/"];
+    if (opts.secure)
+        parts.push("Secure");
+    parts.push(`SameSite=${opts.sameSite}`);
+    return parts.join("; ");
+}
+export const REGISTRATION_HEADER = "Secure-Session-Registration";
+export const RESPONSE_HEADER = "Secure-Session-Response";
+export const CHALLENGE_HEADER = "Secure-Session-Challenge";
+export const LEGACY_REGISTRATION_HEADER = "Sec-Session-Registration";
+export const LEGACY_RESPONSE_HEADER = "Sec-Session-Response";
+export const LEGACY_CHALLENGE_HEADER = "Sec-Session-Challenge";
+export function readSessionResponseHeader(headers) {
+    const v = headers["secure-session-response"] ?? headers["sec-session-response"];
+    if (Array.isArray(v))
+        return v[0];
+    return v;
+}
+//# sourceMappingURL=headers.js.map

package/dist/core/protocol/headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../../src/core/protocol/headers.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,uBAAuB,CAAC,IAA+B;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;IACtC,MAAM,KAAK,GAAG,CAAC,IAAI,GAAG,GAAG,EAAE,SAAS,IAAI,CAAC,WAAW,GAAG,EAAE,cAAc,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;IAC1F,IAAI,IAAI,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;IAC3D,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,OAAO,IAAI,GAAG,GAAG,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,SAAiB,EACjB,IAA2C;IAE3C,MAAM,KAAK,GAAG,CAAC,uBAAuB,SAAS,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACzE,IAAI,IAAI,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACxC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,6BAA6B,CAAC;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,yBAAyB,CAAC;AACzD,MAAM,CAAC,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAE3D,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC;AACrE,MAAM,CAAC,MAAM,sBAAsB,GAAG,sBAAsB,CAAC;AAC7D,MAAM,CAAC,MAAM,uBAAuB,GAAG,uBAAuB,CAAC;AAE/D,MAAM,UAAU,yBAAyB,CACvC,OAAsD;IAEtD,MAAM,CAAC,GAAG,OAAO,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAChF,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/core/protocol/refresh.d.ts

@@ -0,0 +1,8 @@
+import type { RefreshProof, StorageAdapter } from "../types.js";
+export interface RefreshRequest {
+    sessionId: string;
+    secSessionResponseHeader: string | undefined;
+    expectedJti: string;
+}
+export declare function handleRefresh(req: RefreshRequest, storage: StorageAdapter): Promise<RefreshProof>;
+//# sourceMappingURL=refresh.d.ts.map

package/dist/core/protocol/refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/refresh.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEhE,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,cAAc,EACnB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA6CvB"}

package/dist/core/protocol/refresh.js

@@ -0,0 +1,37 @@
+import { verifyDbscJws } from "../crypto/jws.js";
+import { DbscProtocolError, DbscVerificationError, ErrorCodes } from "../errors.js";
+export async function handleRefresh(req, storage) {
+    if (!req.secSessionResponseHeader) {
+        throw new DbscProtocolError(ErrorCodes.MISSING_RESPONSE_HEADER, "Secure-Session-Response header is required for refresh");
+    }
+    const key = await storage.getBoundKey(req.sessionId);
+    if (!key) {
+        throw new DbscVerificationError(ErrorCodes.KEY_NOT_FOUND, "no bound key for session");
+    }
+    const challenge = await storage.getChallenge(req.expectedJti);
+    if (!challenge) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_NOT_FOUND, "challenge not found");
+    }
+    if (challenge.consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    if (Date.now() > challenge.expiresAt) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_EXPIRED, "challenge expired");
+    }
+    const token = req.secSessionResponseHeader.trim();
+    await verifyDbscJws(token, key.jwk, req.expectedJti);
+    const consumed = await storage.consumeChallenge(req.expectedJti);
+    if (!consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    const session = await storage.getSession(req.sessionId);
+    if (session) {
+        await storage.setSession({ ...session, lastRefreshAt: Date.now() });
+    }
+    return {
+        sessionId: req.sessionId,
+        jti: req.expectedJti,
+        verified: true,
+    };
+}
+//# sourceMappingURL=refresh.js.map

package/dist/core/protocol/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../src/core/protocol/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AASpF,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAmB,EACnB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAClC,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,aAAa,EACxB,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IAErD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG,EAAE,GAAG,CAAC,WAAW;QACpB,QAAQ,EAAE,IAAI;KACf,CAAC;AACJ,CAAC"}

package/dist/core/protocol/registration.d.ts

@@ -0,0 +1,11 @@
+import type { BoundKey, StorageAdapter } from "../types.js";
+export interface RegistrationRequest {
+    sessionId: string;
+    secSessionResponseHeader: string | undefined;
+    expectedJti: string;
+}
+export interface RegistrationResult {
+    boundKey: BoundKey;
+}
+export declare function handleRegistration(req: RegistrationRequest, storage: StorageAdapter): Promise<RegistrationResult>;
+//# sourceMappingURL=registration.d.ts.map

package/dist/core/protocol/registration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/registration.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE5D,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,kBAAkB,CAAC,CA8C7B"}

package/dist/core/protocol/registration.js

@@ -0,0 +1,40 @@
+import { parseRegistrationJws } from "../crypto/jws.js";
+import { DbscProtocolError, DbscVerificationError, ErrorCodes } from "../errors.js";
+export async function handleRegistration(req, storage) {
+    if (!req.secSessionResponseHeader) {
+        throw new DbscProtocolError(ErrorCodes.MISSING_RESPONSE_HEADER, "Secure-Session-Response header is required");
+    }
+    const token = req.secSessionResponseHeader.trim();
+    const { jwk, algorithm, claims } = await parseRegistrationJws(token);
+    const challenge = await storage.getChallenge(req.expectedJti);
+    if (!challenge) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_NOT_FOUND, "challenge not found");
+    }
+    if (challenge.consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    if (Date.now() > challenge.expiresAt) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_EXPIRED, "challenge expired");
+    }
+    if (claims.jti !== req.expectedJti) {
+        throw new DbscVerificationError(ErrorCodes.JTI_MISMATCH, "jti does not match challenge");
+    }
+    const consumed = await storage.consumeChallenge(req.expectedJti);
+    if (!consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    const now = Date.now();
+    const boundKey = {
+        sessionId: req.sessionId,
+        jwk,
+        createdAt: now,
+        algorithm,
+    };
+    await storage.setBoundKey(boundKey);
+    const session = await storage.getSession(req.sessionId);
+    if (session) {
+        await storage.setSession({ ...session, tier: "dbsc", lastRefreshAt: now });
+    }
+    return { boundKey };
+}
+//# sourceMappingURL=registration.js.map

package/dist/core/protocol/registration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../../src/core/protocol/registration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAapF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAwB,EACxB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAClC,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,4CAA4C,CAC7C,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAErE,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,GAAG,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,YAAY,EAAE,8BAA8B,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,QAAQ,GAAa;QACzB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG;QACH,SAAS,EAAE,GAAG;QACd,SAAS;KACV,CAAC;IAEF,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAEpC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC"}

package/dist/core/ratelimit/interface.d.ts

@@ -0,0 +1,7 @@
+import type { RateLimiter } from "../types.js";
+export declare class NoopRateLimiter implements RateLimiter {
+    checkRegistration(_ip: string): Promise<boolean>;
+    checkRefresh(_ip: string, _sessionId: string): Promise<boolean>;
+    recordFailure(_ip: string, _sessionId?: string): Promise<void>;
+}
+//# sourceMappingURL=interface.d.ts.map

package/dist/core/ratelimit/interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/core/ratelimit/interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C,qBAAa,eAAgB,YAAW,WAAW;IAC3C,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIhD,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI/D,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CACrE"}

package/dist/core/ratelimit/interface.js

@@ -0,0 +1,11 @@
+// Default no-op limiter. Replace with a real implementation in production.
+export class NoopRateLimiter {
+    async checkRegistration(_ip) {
+        return true;
+    }
+    async checkRefresh(_ip, _sessionId) {
+        return true;
+    }
+    async recordFailure(_ip, _sessionId) { }
+}
+//# sourceMappingURL=interface.js.map

package/dist/core/ratelimit/interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.js","sourceRoot":"","sources":["../../../src/core/ratelimit/interface.ts"],"names":[],"mappings":"AAEA,2EAA2E;AAC3E,MAAM,OAAO,eAAe;IAC1B,KAAK,CAAC,iBAAiB,CAAC,GAAW;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW,EAAE,UAAkB;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,UAAmB,IAAkB,CAAC;CACxE"}

package/dist/core/telemetry/hooks.d.ts

@@ -0,0 +1,4 @@
+import type { AnyTelemetryEvent } from "../types.js";
+export type EventHandler = (event: AnyTelemetryEvent) => void;
+export declare function emit(handler: EventHandler | undefined, event: AnyTelemetryEvent): void;
+//# sourceMappingURL=hooks.d.ts.map

package/dist/core/telemetry/hooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../../src/core/telemetry/hooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;AAE9D,wBAAgB,IAAI,CAAC,OAAO,EAAE,YAAY,GAAG,SAAS,EAAE,KAAK,EAAE,iBAAiB,GAAG,IAAI,CAOtF"}

package/dist/core/telemetry/hooks.js

@@ -0,0 +1,11 @@
+export function emit(handler, event) {
+    if (!handler)
+        return;
+    try {
+        handler(event);
+    }
+    catch {
+        // telemetry failures must never crash the auth path
+    }
+}
+//# sourceMappingURL=hooks.js.map

package/dist/core/telemetry/hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.js","sourceRoot":"","sources":["../../../src/core/telemetry/hooks.ts"],"names":[],"mappings":"AAIA,MAAM,UAAU,IAAI,CAAC,OAAiC,EAAE,KAAwB;IAC9E,IAAI,CAAC,OAAO;QAAE,OAAO;IACrB,IAAI,CAAC;QACH,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;AACH,CAAC"}

package/dist/core/testing/memory-storage-stub.d.ts

@@ -0,0 +1,18 @@
+import type { StorageAdapter, Session, BoundKey, Challenge } from "../types.js";
+export declare class MemoryStorage implements StorageAdapter {
+    private sessions;
+    private keys;
+    private challenges;
+    getSession(id: string): Promise<Session | null>;
+    setSession(session: Session): Promise<void>;
+    deleteSession(id: string): Promise<void>;
+    getBoundKey(sessionId: string): Promise<BoundKey | null>;
+    setBoundKey(key: BoundKey): Promise<void>;
+    deleteBoundKey(sessionId: string): Promise<void>;
+    getChallenge(jti: string): Promise<Challenge | null>;
+    setChallenge(challenge: Challenge): Promise<void>;
+    consumeChallenge(jti: string): Promise<boolean>;
+    revokeSession(sessionId: string): Promise<void>;
+    revokeAllForUser(userId: string): Promise<void>;
+}
+//# sourceMappingURL=memory-storage-stub.d.ts.map

package/dist/core/testing/memory-storage-stub.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-storage-stub.d.ts","sourceRoot":"","sources":["../../../src/core/testing/memory-storage-stub.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAEhF,qBAAa,aAAc,YAAW,cAAc;IAClD,OAAO,CAAC,QAAQ,CAA8B;IAC9C,OAAO,CAAC,IAAI,CAA+B;IAC3C,OAAO,CAAC,UAAU,CAAgC;IAE5C,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAI/C,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAI3C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKxC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAIxD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzC,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAIpD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO/C,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAK/C,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAQtD"}

package/dist/core/testing/memory-storage-stub.js

@@ -0,0 +1,50 @@
+export class MemoryStorage {
+    sessions = new Map();
+    keys = new Map();
+    challenges = new Map();
+    async getSession(id) {
+        return this.sessions.get(id) ?? null;
+    }
+    async setSession(session) {
+        this.sessions.set(session.id, session);
+    }
+    async deleteSession(id) {
+        this.sessions.delete(id);
+        this.keys.delete(id);
+    }
+    async getBoundKey(sessionId) {
+        return this.keys.get(sessionId) ?? null;
+    }
+    async setBoundKey(key) {
+        this.keys.set(key.sessionId, key);
+    }
+    async deleteBoundKey(sessionId) {
+        this.keys.delete(sessionId);
+    }
+    async getChallenge(jti) {
+        return this.challenges.get(jti) ?? null;
+    }
+    async setChallenge(challenge) {
+        this.challenges.set(challenge.jti, challenge);
+    }
+    async consumeChallenge(jti) {
+        const ch = this.challenges.get(jti);
+        if (!ch || ch.consumed)
+            return false;
+        ch.consumed = true;
+        return true;
+    }
+    async revokeSession(sessionId) {
+        this.sessions.delete(sessionId);
+        this.keys.delete(sessionId);
+    }
+    async revokeAllForUser(userId) {
+        for (const [id, sess] of this.sessions.entries()) {
+            if (sess.userId === userId) {
+                this.sessions.delete(id);
+                this.keys.delete(id);
+            }
+        }
+    }
+}
+//# sourceMappingURL=memory-storage-stub.js.map

package/dist/core/testing/memory-storage-stub.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-storage-stub.js","sourceRoot":"","sources":["../../../src/core/testing/memory-storage-stub.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,aAAa;IAChB,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;IACtC,IAAI,GAAG,IAAI,GAAG,EAAoB,CAAC;IACnC,UAAU,GAAG,IAAI,GAAG,EAAqB,CAAC;IAElD,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAgB;QAC/B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAU;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAa;QAC7B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAoB;QACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAW;QAChC,MAAM,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QACrC,EAAE,CAAC,QAAQ,GAAG,IAAI,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAAc;QACnC,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACjD,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;CACF"}