dbsc-toolkit 1.5.0 → 2.0.0

package/README.md

@@ -5,21 +5,36 @@
 [![License](https://img.shields.io/npm/l/dbsc-toolkit.svg)](./LICENSE)
 [![Node](https://img.shields.io/node/v/dbsc-toolkit.svg)](https://nodejs.org)
 
-Server-side implementation of [Device Bound Session Credentials](https://w3c.github.io/webappsec-dbsc/) (DBSC) for Node.js.
+Server-side implementation of [Device Bound Session Credentials](https://w3c.github.io/webappsec-dbsc/) (DBSC) for Node.js, with a silent Web Crypto polyfill for browsers that don't ship DBSC natively.
 
-DBSC is a W3C draft that binds session cookies to a hardware-resident private key inside the browser. A stolen cookie is useless without that key — which never leaves the user's device.
+DBSC binds session cookies to a hardware-resident private key inside the browser. A stolen cookie is useless without that key — which never leaves the user's device. Chromium 145+ does this natively. Firefox, Safari, and older Chromium browsers get the same cryptographic refresh-signing protection via a Web Crypto polyfill that activates automatically after login.
 
-Chromium 145+ supports DBSC natively — that includes Chrome, Edge, Brave, Opera, Arc, Vivaldi, and any other Chromium-based browser. Works across Windows (TPM 2.0), macOS Apple Silicon (Secure Enclave on M1/M2/M3/M4+), and Android (Keystore). This library handles the server side. Verified end-to-end against Chrome 147 on Windows with a real TPM 2.0.
+| Browser | Tier | Key location |
+|---------|------|--------------|
+| Chromium 145+ (Chrome, Edge, Brave, Opera, Arc, Vivaldi) | `dbsc` | TPM / Secure Enclave / Android Keystore |
+| Firefox, Safari, older Chromium | `bound` | Browser keystore (non-extractable Web Crypto key) |
 
-**New here?** Read [HOW-IT-WORKS.md](./HOW-IT-WORKS.md) first. It walks through the threat model, the on-the-wire protocol, where the library fits in your app, and tier semantics in ~15 minutes. Skip it only if you already know DBSC.
+Both tiers defeat the entire "stolen cookie replayed from another device" class of attack. `dbsc` additionally defeats infostealer malware reading the browser profile directory — the `bound` polyfill key is software-bound.
+
+Verified end-to-end against Chrome 147 on Windows with a real TPM 2.0.
+
+**New here?** Read [HOW-IT-WORKS.md](./HOW-IT-WORKS.md) first.
 
 ## Live demo
 
 Try it: <https://dbsc-toolkit.onrender.com/>
 
-Open in any Chromium-based browser version 145+ (Chrome, Edge, Brave, Opera), click **Login**, then **Check session** — `tier` reads `"dbsc"` once the hardware-backed key is bound. The demo uses a 60-second bound-cookie TTL so refresh kicks in fast — watch DevTools Network for the automatic `POST /dbsc/refresh` after the cookie expires. Use **Clear cookies** to reset and replay the flow. Source in [examples/express/](./examples/express/).
+Sign up, log in, then click **Check session**:
+- On Chromium 145+ you land on `tier: "dbsc"` within a second of login.
+- On Firefox/Safari/older Chromium you land on `tier: "bound"` within ~3 seconds (the polyfill activates silently).
+
+The demo uses a 60-second bound-cookie TTL so refresh fires fast — watch DevTools Network for `POST /dbsc/refresh` (native) or `POST /dbsc-bound/refresh` (polyfill) after the cookie expires. Source in [examples/express/](./examples/express/).
+
+The demo runs on `RedisStorage` (Upstash) by default, so sessions survive deploys, cold starts, and laptop reboots. Locally without `REDIS_URL`, it falls back to `MemoryStorage` — fine for one terminal session, wiped on every restart.
 
-> Heads up: the demo runs on in-memory storage. Render restarts wipe sessions, so if "Check session" returns `not authenticated` after a while, the instance probably restarted — click **Login** again.
+Two protected routes show the gating pattern: `/profile` requires `tier === "dbsc"` specifically (TPM-only flows); `/profile-soft` accepts either `"dbsc"` or `"bound"`.
+
+> **Hitting `not authenticated` after a few login/logout cycles?** That's Chrome's DBSC quota — the browser's anti-abuse throttle. The demo surfaces it explicitly now (red banner + reason text in the response). To recover: `chrome://settings/clearBrowserData` → Last hour → Cookies and site data → clear, or open an Incognito window. The quota is per `(browser install, origin)`, so production users (who log in once and stay logged in) essentially never trip it.
 
 ## Install
 
@@ -70,6 +85,17 @@ app.listen(3000);
 
 `app.use(dbsc(...))` mounts `POST /dbsc/registration` and `POST /dbsc/refresh` automatically — Chrome drives both, your code never sees them. `bindSession()` is the one-liner you add to your login route: it writes the session row, issues a challenge, builds the registration header (both legacy + new names), and sets the two short-lived cookies Chrome needs to complete binding.
 
+Call `bindSession()` after you have verified the user's credentials — in the login route, or in a signup route that auto-logs the user in. Calling it in a bare signup that does not establish an authenticated session is not useful: there is no session to bind yet.
+
+### The registration race after login
+
+Chrome posts to `/dbsc/registration` *after* the login response returns. The handshake includes TPM key generation, JWS signing, and a network round-trip, so it commonly takes 300 ms to 1.5 s — sometimes longer on a cold device. If the page immediately requests `/me` or `/payment` and gates on `tier === "dbsc"`, the check can land before registration completes and report `tier: "none"` even on a fully supported browser. Two ways to absorb this on the client:
+
+- **Status indicator with short polling.** After a successful login, poll a low-cost endpoint (`/me` works) every 500 ms for up to ~8 s — long enough to cover both native DBSC and the bound-polyfill activation window. Stop when `tier !== "none"`; show a small "Session bound" badge. The live demo uses this pattern — see `pollDbscReady` in [examples/express/src/server.js](./examples/express/src/server.js).
+- **One-shot auto-retry on the first call after login.** If a tier-gated request returns `tier: "none"` within the first few seconds of a fresh login, wait ~1 s and retry once. Cheap, invisible to the user, and avoids the false demotion entirely.
+
+For server-driven flows (a payment route called from a server redirect immediately after login), either pattern works. The race only matters when the very first authenticated request is also a tier check; routine browsing past the first second is unaffected.
+
 A full demo with `/me`, `/logout`, and `/clear-cookies` is in [examples/express/src/server.js](./examples/express/src/server.js).
 
 ## Adding DBSC to an existing app
@@ -85,12 +111,12 @@ Full integration story, per-route policy table, and rollout timeline in [docs/in
 
 | Import | What it is |
 |--------|------------|
-| `dbsc-toolkit` | Core types, crypto, protocol functions |
+| `dbsc-toolkit` | Core types, crypto, protocol functions (native DBSC + bound polyfill) |
 | `dbsc-toolkit/express` | Express middleware |
 | `dbsc-toolkit/fastify` | Fastify plugin |
 | `dbsc-toolkit/hono` | Hono middleware |
 | `dbsc-toolkit/nextjs` | Next.js App Router middleware + handlers |
-| `dbsc-toolkit/client` | Browser SDK for fallback paths |
+| `dbsc-toolkit/client` | Browser SDK — `initBoundDbsc()` for the polyfill |
 | `dbsc-toolkit/storage/memory` | In-memory storage (dev/test) |
 | `dbsc-toolkit/storage/redis` | Redis storage |
 | `dbsc-toolkit/storage/postgres` | Postgres storage |
@@ -99,51 +125,55 @@ Tree-shaking eliminates anything you don't import.
 
 ## How a verified flow looks
 
+On Chromium 145+:
+
 1. User hits `POST /login`. Server creates a session, issues a challenge, sets `Secure-Session-Registration` response header and two short-lived cookies (`__Host-dbsc-reg`, `__Host-dbsc-challenge`).
 2. The browser immediately POSTs to `/dbsc/registration` with `Secure-Session-Response: <jws>`. The JWS carries the device public key signed by the matching private key (held in the platform's hardware key store).
-3. Middleware verifies the JWS, stores the public key bound to the session, sets `__Host-dbsc-session` cookie, returns DBSC session config JSON.
-4. From now on, every refresh cycle (default 10 min) the browser signs a fresh challenge with the hardware-resident key. A copied cookie cannot pass refresh — the attacker has no key.
+3. Middleware verifies the JWS, stores the public key bound to the session, sets `__Host-dbsc-session` cookie. `tier` is now `"dbsc"`.
+4. Every refresh cycle (default 10 min) the browser signs a fresh challenge with the hardware-resident key. A copied cookie cannot pass refresh — the attacker has no key.
 
-`tier` on `res.locals.dbsc` reads `"dbsc"` once registration completes.
+On Firefox / Safari / older Chromium (with the `initBoundDbsc()` client SDK loaded on the page):
 
-For a complete walk-through of the protocol with every header value and timing detail, see [HOW-IT-WORKS.md](./HOW-IT-WORKS.md).
+1. Same `/login` response — the registration headers are sent, but the browser ignores them.
+2. After a 3-second probe (waiting in case native DBSC is just slow), the client SDK generates a non-extractable ECDSA P-256 keypair via Web Crypto, exports the public key, and POSTs to `/dbsc-bound/registration` with the signed challenge.
+3. Middleware verifies the signature against the JWK, stores the public key, sets `__Host-dbsc-session`. `tier` is now `"bound"`.
+4. Every refresh cycle the SDK calls `/dbsc-bound/refresh` with a fresh signature. A copied cookie alone has no key in IndexedDB on the attacker's machine, so refresh fails.
+
+For the complete protocol walk-through with every header value and timing detail, see [HOW-IT-WORKS.md](./HOW-IT-WORKS.md). The bound polyfill protocol is documented in [docs/bound-polyfill.md](./docs/bound-polyfill.md).
 
 ## Using the tier to actually defend
 
-Setting up the middleware does not protect anything on its own. The library does the negotiation and gives you a tier; **enforcing it is your responsibility**. The pattern:
+Setting up the middleware does not protect anything on its own. The library exposes a tier; **enforcing it is your responsibility**.
+
+Most routes should gate on `tier !== "none"`:
 
 ```ts
-app.get("/payment", (req, res) => {
-  if (res.locals.dbsc.tier !== "dbsc") {
-    return res.status(403).json({ error: "hardware-bound session required" });
+app.get("/dashboard", (req, res) => {
+  if (res.locals.dbsc.tier === "none") {
+    return res.status(403).json({ error: "session not bound" });
   }
-  // safe to process payment
+  // safe — request is bound to a hardware-resident or browser-resident key
 });
 ```
 
-If you skip the tier check, a stolen cookie still works. The cookie reaches your server, the session record exists, your code happily proceeds — DBSC bought you nothing. The whole point is the demotion: when a cookie is replayed without the hardware-signed proof, tier drops to `"none"` (or stays at the lower fallback tier) and your gate refuses the request.
-
-Suggested handling per tier in a real application:
-
-- `tier === "dbsc"`: full access. Payments, account changes, anything sensitive.
-- `tier === "webauthn"`: most access. Hardware-bound via platform authenticator.
-- `tier === "hmac"`: read-only or low-risk actions. The binding is best-effort.
-- `tier === "none"`: treat as unauthenticated. Force re-login, revoke the session, log a `session_stolen` candidate, depending on context.
-
-Putting this in a single middleware keeps it consistent:
+For genuinely sensitive routes where you want the TPM-backed guarantee specifically (defeats infostealer malware, not just remote cookie theft), gate on `"dbsc"`:
 
 ```ts
-function requireDbsc(req, res, next) {
+app.post("/payment", (req, res) => {
   if (res.locals.dbsc.tier !== "dbsc") {
-    return res.status(401).json({ error: "re-authenticate" });
+    return res.status(403).json({ error: "hardware-bound session required" });
   }
-  next();
-}
-
-app.post("/payment", requireDbsc, handler);
-app.post("/account/email", requireDbsc, handler);
+});
 ```
 
+If you skip the tier check entirely, a stolen cookie works just like before — the library bought you nothing. The whole point is the demotion: when a cookie is replayed without a valid refresh signature, tier drops to `"none"` and your gate refuses the request.
+
+Tier handling at a glance:
+
+- `tier === "dbsc"`: hardware-bound via TPM / Secure Enclave / Android Keystore. Full access.
+- `tier === "bound"`: software-bound via Web Crypto + IndexedDB. Defeats XSS, network capture, and cookie paste-to-other-machine. Does not defeat infostealer malware on the user's device.
+- `tier === "none"`: treat as unauthenticated for any route you care about. Force re-login, log a `session_stolen` candidate, depending on context.
+
 See [docs/security/best-practices.md](./docs/security/best-practices.md) for the full tier-policy guidance.
 
 ## Local testing
@@ -186,16 +216,13 @@ const result = await handleRefresh({
 
 ## Protection tiers
 
-The library negotiates the strongest available binding per session:
-
-| Tier | Mechanism | Protection |
-|------|-----------|------------|
-| `dbsc` | Hardware-backed key, Chromium 145+ | Hardware binding — exfiltrated cookie is useless |
-| `webauthn` | Platform authenticator | Hardware binding via platform authenticator |
-| `hmac` | HMAC + browser signals | Best-effort context binding, not hardware |
-| `none` | Standard cookie | No additional binding |
+| Tier | Mechanism | Protects against |
+|------|-----------|------------------|
+| `dbsc` | Native W3C DBSC, key in TPM / Secure Enclave / Android Keystore | Cookie theft (XSS, network, logs, paste-to-other-browser) **and** infostealer malware reading the browser profile |
+| `bound` | Web Crypto polyfill, non-extractable ECDSA P-256 key in IndexedDB | Cookie theft. Does not defeat infostealer malware on the user's machine. |
+| `none` | Plain cookie | Nothing the cookie itself doesn't already do |
 
-The tier is available at `res.locals.dbsc.tier` (Express), `c.get("dbsc").tier` (Hono — legacy `c.get("dbscTier")` still works in 1.x, removed in 2.0.0), `req.dbsc.tier` (Fastify), and via `getDbscSession()` (Next.js). Use it to apply different authorization policies per tier — for example, block payment flows when `tier !== "dbsc"`.
+The tier is available at `res.locals.dbsc.tier` (Express), `req.dbsc.tier` (Fastify), `c.get("dbsc").tier` (Hono), and via `getDbscSession()` (Next.js). Use it to apply per-route policy — for example, block payment flows when `tier !== "dbsc"` and accept any binding for everything else with `tier !== "none"`.
 
 ## Storage
 
@@ -239,7 +266,7 @@ app.use(dbsc({
 }));
 ```
 
-Event types: `registration`, `refresh`, `verification_failure`, `session_stolen`, `fallback_tier`.
+Event types: `registration`, `refresh`, `verification_failure`, `session_stolen`, `tier_change`.
 
 ## Skipped sessions
 
@@ -274,14 +301,15 @@ res.setHeader("Sec-Session-Registration", header);
 
 Defense-in-depth layer. Does not replace TLS, secure cookie flags, MFA, or server hardening.
 
-HMAC tier is not hardware binding. It provides better-than-nothing context binding for browsers without DBSC or WebAuthn. Operators should communicate the protection tier to users and restrict sensitive operations when `tier === "hmac"` or `tier === "none"`.
+The `bound` polyfill defeats remote cookie theft but is not hardware-bound — the key lives in IndexedDB on the user's disk and can be read by infostealer malware with filesystem access on the user's machine. For routes that must defeat that threat, gate on `tier === "dbsc"` specifically. For everything else, `tier !== "none"` is the right gate.
 
-See [SECURITY.md](./SECURITY.md) for reporting vulnerabilities.
+See [SECURITY.md](./SECURITY.md) for reporting vulnerabilities and [docs/security/threat-model.md](./docs/security/threat-model.md) for the per-tier STRIDE breakdown.
 
 ## Project status
 
 - Single package on npm: `dbsc-toolkit`
-- Support floor: Chromium 145+ (Chrome, Edge, Brave, Opera, Arc, etc.) on Windows / macOS Apple Silicon / Android
+- Native DBSC: Chromium 145+ on Windows (TPM 2.0) / macOS Apple Silicon (Secure Enclave) / Android (Keystore)
+- Bound polyfill: every browser with Web Crypto + IndexedDB — Firefox, Safari, older Chromium
 - Verified end-to-end on Chrome 147 / Windows / TPM 2.0 (other Chromium browsers and platforms should work but not independently verified)
 - No third-party security audit yet
 
@@ -292,24 +320,22 @@ Honest table — what you're getting and where the rough edges are.
 | Area | Status | Confidence |
 |------|--------|-----------|
 | Core protocol (registration + refresh + verification) | Stable | High — verified against real Chrome 147 + TPM 2.0 |
+| Bound polyfill (`/dbsc-bound/*` + client SDK) | New in v2.0.0 | Medium — unit-tested; cross-browser verification on the live demo |
 | Express adapter | Stable | High — used in the live demo, exercised on Render |
 | Fastify / Hono / Next.js adapters | Stable | Medium — unit tests pass, share core code with Express, not battle-tested in production |
 | `MemoryStorage` | Dev / test only | N/A — explicitly non-production |
 | `RedisStorage` | Stable | Medium — atomic challenge consume via Lua, tested locally |
 | `PostgresStorage` | Stable | Medium — migrations included, tested locally |
-| Fallback tiers (WebAuthn, HMAC) | Implemented, lightly tested | Low — protocol shape correct, real-world step-up flows TBD |
 | Security audit | None | — |
 | W3C spec stability | Draft, library tracks Chromium's implementation | Spec may evolve; expect occasional wire-format adjustments |
 
 **Should you use this in production?** Yes, with three conditions:
 
-1. **Use Redis or Postgres storage**, not memory. Memory storage on a server that ever restarts (Render free tier, serverless, autoscaling) produces a broken loop where browsers hold cookies that no longer match any stored key.
-2. **Treat it as defense-in-depth**, never the only auth layer. Your existing session cookie, password, MFA, rate limiting — all still required. DBSC raises the floor on session-replay attacks; it doesn't replace anything else.
-3. **Pin a version.** The W3C spec is still draft and the library tracks Chromium's implementation. Wire-format changes are unlikely but possible. Pin `dbsc-toolkit@~1.5.0` (patch updates only) and read the changelog before bumping.
-
-Rough readiness estimate: **~85%** for the Express + Redis path (core protocol + main adapter + production storage all solid). **~70%** for Fastify / Hono / Next.js (same core, less production mileage). **~60%** for the fallback tier flows (WebAuthn/HMAC code is there, real-world step-up UX is on the user).
+1. **Use Redis or Postgres storage**, not memory. Memory storage on a server that ever restarts produces a broken loop where browsers hold cookies that no longer match any stored key.
+2. **Treat it as defense-in-depth**, never the only auth layer. Your existing session cookie, password, MFA, rate limiting — all still required. This library raises the floor on session-replay attacks; it doesn't replace anything else.
+3. **Pin a version.** Pin `dbsc-toolkit@~2.0.0` (patch updates only) and read the changelog before bumping. v2 dropped the HMAC and WebAuthn tiers — see CHANGELOG for the migration path.
 
-The realistic adoption pattern: ship it as the second layer behind your existing auth on Chromium-supporting routes. Don't lock non-Chromium users out. Gate genuinely high-value actions (payments, password change, admin) on `tier === "dbsc"`; leave everything else permissive. That's the recipe a Reddit-style site would use — see [docs/integrating-existing-auth.md](./docs/integrating-existing-auth.md).
+The realistic adoption pattern: ship it as the second layer behind your existing auth. The bound polyfill means you don't have to lock non-Chromium users out. Gate genuinely high-value actions (payments, password change, admin) on `tier === "dbsc"`; gate everything else on `tier !== "none"`. See [docs/integrating-existing-auth.md](./docs/integrating-existing-auth.md).
 
 ## License
 

package/dist/client/index.d.ts

@@ -1,4 +1,11 @@
-export { detectClientTier, type ClientTier } from "./detect.js";
-export { registerWebAuthn, authenticateWebAuthn } from "./webauthn.js";
-export { collectClientSignals, type ClientSignals } from "./signals.js";
+export interface InitBoundDbscOptions {
+    statePath?: string;
+    challengePath?: string;
+    registrationPath?: string;
+    refreshPath?: string;
+    nativeProbeWindowMs?: number;
+    refreshMarginMs?: number;
+}
+export declare function initBoundDbsc(options?: InitBoundDbscOptions): Promise<void>;
+export declare function stopBoundDbsc(): void;
 //# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,KAAK,UAAU,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AA0CD,wBAAsB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG,OAAO,CAAC,IAAI,CAAC,CA4CrF;AAED,wBAAgB,aAAa,IAAI,IAAI,CAKpC"}

package/dist/client/index.js

@@ -1,4 +1,127 @@
-export { detectClientTier } from "./detect.js";
-export { registerWebAuthn, authenticateWebAuthn } from "./webauthn.js";
-export { collectClientSignals } from "./signals.js";
+import { clearKeyRecord, getKeyRecord, setKeyRecord } from "./keystore.js";
+const DEFAULTS = {
+    statePath: "/dbsc-bound/state",
+    challengePath: "/dbsc-bound/challenge",
+    registrationPath: "/dbsc-bound/registration",
+    refreshPath: "/dbsc-bound/refresh",
+    nativeProbeWindowMs: 3000,
+    refreshMarginMs: 5000,
+};
+let refreshTimer = null;
+export async function initBoundDbsc(options = {}) {
+    if (typeof window === "undefined" || typeof indexedDB === "undefined")
+        return;
+    const cfg = {
+        statePath: options.statePath ?? DEFAULTS.statePath,
+        challengePath: options.challengePath ?? DEFAULTS.challengePath,
+        registrationPath: options.registrationPath ?? DEFAULTS.registrationPath,
+        refreshPath: options.refreshPath ?? DEFAULTS.refreshPath,
+        nativeProbeWindowMs: options.nativeProbeWindowMs ?? DEFAULTS.nativeProbeWindowMs,
+        refreshMarginMs: options.refreshMarginMs ?? DEFAULTS.refreshMarginMs,
+    };
+    const state = await fetchState(cfg.statePath);
+    if (state.phase === "unbound") {
+        await clearKeyRecord().catch(() => { });
+        return;
+    }
+    if (state.phase === "bound") {
+        if (state.tier === "dbsc")
+            return;
+        const rec = await getKeyRecord().catch(() => null);
+        if (!rec || rec.sessionId !== state.sessionId) {
+            await clearKeyRecord().catch(() => { });
+            const fresh = await fetchState(cfg.statePath);
+            if (fresh.phase === "needs-registration") {
+                await runRegistration(fresh.sessionId, fresh.challenge, cfg);
+                scheduleRefresh(cfg, state.refreshIntervalMs);
+            }
+            return;
+        }
+        scheduleRefresh(cfg, state.refreshIntervalMs);
+        return;
+    }
+    await sleep(cfg.nativeProbeWindowMs);
+    const recheck = await fetchState(cfg.statePath);
+    if (recheck.phase === "bound" && recheck.tier === "dbsc")
+        return;
+    if (recheck.phase !== "needs-registration")
+        return;
+    await runRegistration(recheck.sessionId, recheck.challenge, cfg);
+    const final = await fetchState(cfg.statePath);
+    if (final.phase === "bound")
+        scheduleRefresh(cfg, final.refreshIntervalMs);
+}
+export function stopBoundDbsc() {
+    if (refreshTimer !== null) {
+        clearTimeout(refreshTimer);
+        refreshTimer = null;
+    }
+}
+async function fetchState(path) {
+    const r = await fetch(path, { credentials: "include" });
+    return (await r.json());
+}
+async function runRegistration(sessionId, challenge, cfg) {
+    await clearKeyRecord().catch(() => { });
+    const keyPair = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
+    const publicKey = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
+    const signature = await signMessage(keyPair.privateKey, challenge);
+    const res = await fetch(cfg.registrationPath, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ publicKey, signature, challenge }),
+    });
+    if (!res.ok) {
+        throw new Error(`bound registration failed: ${res.status}`);
+    }
+    await setKeyRecord({ sessionId, keyPair });
+}
+async function runRefresh(cfg) {
+    const rec = await getKeyRecord().catch(() => null);
+    if (!rec)
+        return false;
+    const cRes = await fetch(cfg.challengePath, { credentials: "include" });
+    if (!cRes.ok)
+        return false;
+    const { challenge } = (await cRes.json());
+    const timestamp = Date.now();
+    const message = `${challenge}.${timestamp}`;
+    const signature = await signMessage(rec.keyPair.privateKey, message);
+    const res = await fetch(cfg.refreshPath, {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ challenge, signature, timestamp }),
+    });
+    return res.ok;
+}
+function scheduleRefresh(cfg, intervalMs) {
+    if (refreshTimer !== null)
+        clearTimeout(refreshTimer);
+    const wait = Math.max(1000, intervalMs - cfg.refreshMarginMs);
+    refreshTimer = setTimeout(async () => {
+        const ok = await runRefresh(cfg).catch(() => false);
+        if (ok) {
+            scheduleRefresh(cfg, intervalMs);
+        }
+        else {
+            refreshTimer = null;
+        }
+    }, wait);
+}
+async function signMessage(privateKey, message) {
+    const data = new TextEncoder().encode(message);
+    const sig = await crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, privateKey, data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength));
+    return base64urlEncode(new Uint8Array(sig));
+}
+function base64urlEncode(bytes) {
+    let s = "";
+    for (let i = 0; i < bytes.length; i++)
+        s += String.fromCharCode(bytes[i]);
+    return btoa(s).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
 //# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAmB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAsB,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAwC3E,MAAM,QAAQ,GAAoB;IAChC,SAAS,EAAE,mBAAmB;IAC9B,aAAa,EAAE,uBAAuB;IACtC,gBAAgB,EAAE,0BAA0B;IAC5C,WAAW,EAAE,qBAAqB;IAClC,mBAAmB,EAAE,IAAI;IACzB,eAAe,EAAE,IAAI;CACtB,CAAC;AAEF,IAAI,YAAY,GAAyC,IAAI,CAAC;AAE9D,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,UAAgC,EAAE;IACpE,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,SAAS,KAAK,WAAW;QAAE,OAAO;IAE9E,MAAM,GAAG,GAAoB;QAC3B,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS;QAClD,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,QAAQ,CAAC,aAAa;QAC9D,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,IAAI,QAAQ,CAAC,gBAAgB;QACvE,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW;QACxD,mBAAmB,EAAE,OAAO,CAAC,mBAAmB,IAAI,QAAQ,CAAC,mBAAmB;QAChF,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,QAAQ,CAAC,eAAe;KACrE,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAE9C,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACvC,OAAO;IACT,CAAC;IAED,IAAI,KAAK,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;YAAE,OAAO;QAClC,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;YAC9C,MAAM,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC9C,IAAI,KAAK,CAAC,KAAK,KAAK,oBAAoB,EAAE,CAAC;gBACzC,MAAM,eAAe,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;gBAC7D,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;YAChD,CAAC;YACD,OAAO;QACT,CAAC;QACD,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,MAAM,KAAK,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAErC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,KAAK,KAAK,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM;QAAE,OAAO;IACjE,IAAI,OAAO,CAAC,KAAK,KAAK,oBAAoB;QAAE,OAAO;IAEnD,MAAM,eAAe,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjE,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,KAAK,CAAC,KAAK,KAAK,OAAO;QAAE,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,YAAY,CAAC,YAAY,CAAC,CAAC;QAC3B,YAAY,GAAG,IAAI,CAAC;IACtB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY;IACpC,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;IACxD,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAkB,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,SAAiB,EACjB,SAAiB,EACjB,GAAoB;IAEpB,MAAM,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAEvC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC7C,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAEnE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,gBAAgB,EAAE;QAC5C,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,SAAS;QACtB,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;KAC1D,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,GAAoB;IAC5C,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAEvB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;IACxE,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,EAAE,SAAS,EAAE,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA0B,CAAC;IAEnE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,SAAS,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAErE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE;QACvC,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,SAAS;QACtB,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;KAC1D,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,GAAoB,EAAE,UAAkB;IAC/D,IAAI,YAAY,KAAK,IAAI;QAAE,YAAY,CAAC,YAAY,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC;IAC9D,YAAY,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QACnC,MAAM,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QACpD,IAAI,EAAE,EAAE,CAAC;YACP,eAAe,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACnC,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,IAAI,CAAC;QACtB,CAAC;IACH,CAAC,EAAE,IAAI,CAAC,CAAC;AACX,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,UAAqB,EAAE,OAAe;IAC/D,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAClC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,UAAU,EACV,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAgB,CACrF,CAAC;IACF,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAW,CAAC,CAAC;IACpF,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC"}

package/dist/client/keystore.d.ts

@@ -0,0 +1,8 @@
+export interface KeyRecord {
+    sessionId: string;
+    keyPair: CryptoKeyPair;
+}
+export declare function getKeyRecord(): Promise<KeyRecord | null>;
+export declare function setKeyRecord(rec: KeyRecord): Promise<void>;
+export declare function clearKeyRecord(): Promise<void>;
+//# sourceMappingURL=keystore.d.ts.map

package/dist/client/keystore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keystore.d.ts","sourceRoot":"","sources":["../../src/client/keystore.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,aAAa,CAAC;CACxB;AAgBD,wBAAsB,YAAY,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAQ9D;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAQhE;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAQpD"}

package/dist/client/keystore.js

@@ -0,0 +1,44 @@
+const DB_NAME = "dbsc-toolkit";
+const STORE_NAME = "bound";
+const KEY_RECORD_KEY = "key-record";
+function openDb() {
+    return new Promise((resolve, reject) => {
+        const req = indexedDB.open(DB_NAME, 1);
+        req.onupgradeneeded = () => {
+            const db = req.result;
+            if (!db.objectStoreNames.contains(STORE_NAME)) {
+                db.createObjectStore(STORE_NAME);
+            }
+        };
+        req.onsuccess = () => resolve(req.result);
+        req.onerror = () => reject(req.error);
+    });
+}
+export async function getKeyRecord() {
+    const db = await openDb();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readonly");
+        const req = tx.objectStore(STORE_NAME).get(KEY_RECORD_KEY);
+        req.onsuccess = () => resolve(req.result ?? null);
+        req.onerror = () => reject(req.error);
+    });
+}
+export async function setKeyRecord(rec) {
+    const db = await openDb();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readwrite");
+        tx.objectStore(STORE_NAME).put(rec, KEY_RECORD_KEY);
+        tx.oncomplete = () => resolve();
+        tx.onerror = () => reject(tx.error);
+    });
+}
+export async function clearKeyRecord() {
+    const db = await openDb();
+    return new Promise((resolve, reject) => {
+        const tx = db.transaction(STORE_NAME, "readwrite");
+        tx.objectStore(STORE_NAME).delete(KEY_RECORD_KEY);
+        tx.oncomplete = () => resolve();
+        tx.onerror = () => reject(tx.error);
+    });
+}
+//# sourceMappingURL=keystore.js.map

package/dist/client/keystore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keystore.js","sourceRoot":"","sources":["../../src/client/keystore.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,GAAG,cAAc,CAAC;AAC/B,MAAM,UAAU,GAAG,OAAO,CAAC;AAC3B,MAAM,cAAc,GAAG,YAAY,CAAC;AAOpC,SAAS,MAAM;IACb,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvC,GAAG,CAAC,eAAe,GAAG,GAAG,EAAE;YACzB,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;YACtB,IAAI,CAAC,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9C,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YACnC,CAAC;QACH,CAAC,CAAC;QACF,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,GAAG,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;IAC1B,OAAO,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACvD,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC3D,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC,OAAO,CAAE,GAAG,CAAC,MAAgC,IAAI,IAAI,CAAC,CAAC;QAC7E,GAAG,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAc;IAC/C,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;IAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACnD,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QACpD,EAAE,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAChC,EAAE,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;IAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACnD,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAClD,EAAE,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAChC,EAAE,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/core/bound/index.d.ts

@@ -0,0 +1,6 @@
+export { handleBoundRegistration } from "./registration.js";
+export type { BoundRegistrationRequest, BoundRegistrationResult } from "./registration.js";
+export { handleBoundRefresh } from "./refresh.js";
+export type { BoundRefreshRequest } from "./refresh.js";
+export { verifyP256Signature } from "./verify.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/core/bound/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/bound/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAC5D,YAAY,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAC3F,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,YAAY,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/core/bound/index.js

@@ -0,0 +1,4 @@
+export { handleBoundRegistration } from "./registration.js";
+export { handleBoundRefresh } from "./refresh.js";
+export { verifyP256Signature } from "./verify.js";
+//# sourceMappingURL=index.js.map

package/dist/core/bound/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/core/bound/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/core/bound/refresh.d.ts

@@ -0,0 +1,9 @@
+import type { RefreshProof, StorageAdapter } from "../types.js";
+export interface BoundRefreshRequest {
+    sessionId: string;
+    signature: string;
+    expectedJti: string;
+    timestamp: number;
+}
+export declare function handleBoundRefresh(req: BoundRefreshRequest, storage: StorageAdapter): Promise<RefreshProof>;
+//# sourceMappingURL=refresh.d.ts.map

package/dist/core/bound/refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../src/core/bound/refresh.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKhE,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAyDvB"}

package/dist/core/bound/refresh.js

@@ -0,0 +1,52 @@
+import { DbscProtocolError, DbscVerificationError, ErrorCodes } from "../errors.js";
+import { verifyP256Signature } from "./verify.js";
+const TIMESTAMP_WINDOW_MS = 60_000;
+export async function handleBoundRefresh(req, storage) {
+    if (!req.signature) {
+        throw new DbscProtocolError(ErrorCodes.MISSING_RESPONSE_HEADER, "signature is required for bound refresh");
+    }
+    const skew = Math.abs(Date.now() - req.timestamp);
+    if (skew > TIMESTAMP_WINDOW_MS) {
+        throw new DbscVerificationError(ErrorCodes.SIGNATURE_INVALID, "timestamp outside acceptable window");
+    }
+    const key = await storage.getBoundKey(req.sessionId);
+    if (!key) {
+        throw new DbscVerificationError(ErrorCodes.KEY_NOT_FOUND, "no bound key for session");
+    }
+    const challenge = await storage.getChallenge(req.expectedJti);
+    if (!challenge) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_NOT_FOUND, "challenge not found");
+    }
+    if (challenge.consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    if (Date.now() > challenge.expiresAt) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_EXPIRED, "challenge expired");
+    }
+    if (challenge.sessionId !== req.sessionId) {
+        throw new DbscVerificationError(ErrorCodes.JTI_MISMATCH, "challenge does not belong to this session");
+    }
+    const message = `${req.expectedJti}.${req.timestamp}`;
+    const ok = await verifyP256Signature(key.jwk, req.signature, message);
+    if (!ok) {
+        const session = await storage.getSession(req.sessionId);
+        if (session) {
+            await storage.setSession({ ...session, tier: "none" });
+        }
+        throw new DbscVerificationError(ErrorCodes.SIGNATURE_INVALID, "signature does not verify");
+    }
+    const consumed = await storage.consumeChallenge(req.expectedJti);
+    if (!consumed) {
+        throw new DbscVerificationError(ErrorCodes.CHALLENGE_CONSUMED, "challenge already consumed");
+    }
+    const session = await storage.getSession(req.sessionId);
+    if (session) {
+        await storage.setSession({ ...session, tier: "bound", lastRefreshAt: Date.now() });
+    }
+    return {
+        sessionId: req.sessionId,
+        jti: req.expectedJti,
+        verified: true,
+    };
+}
+//# sourceMappingURL=refresh.js.map

package/dist/core/bound/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../src/core/bound/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEpF,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,mBAAmB,GAAG,MAAM,CAAC;AASnC,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAwB,EACxB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;IAClD,IAAI,IAAI,GAAG,mBAAmB,EAAE,CAAC;QAC/B,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,qCAAqC,CAAC,CAAC;IACvG,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,SAAS,CAAC,SAAS,KAAK,GAAG,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,YAAY,EAAE,2CAA2C,CAAC,CAAC;IACxG,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtE,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACxD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,2BAA2B,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG,EAAE,GAAG,CAAC,WAAW;QACpB,QAAQ,EAAE,IAAI;KACf,CAAC;AACJ,CAAC"}

package/dist/core/bound/registration.d.ts

@@ -0,0 +1,12 @@
+import type { BoundKey, StorageAdapter } from "../types.js";
+export interface BoundRegistrationRequest {
+    sessionId: string;
+    publicKey: JsonWebKey;
+    signature: string;
+    expectedJti: string;
+}
+export interface BoundRegistrationResult {
+    boundKey: BoundKey;
+}
+export declare function handleBoundRegistration(req: BoundRegistrationRequest, storage: StorageAdapter): Promise<BoundRegistrationResult>;
+//# sourceMappingURL=registration.d.ts.map

package/dist/core/bound/registration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../../src/core/bound/registration.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG5D,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,wBAAwB,EAC7B,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,uBAAuB,CAAC,CAiElC"}