openttt 0.2.11 → 0.2.13

package/dist/adaptive_switch.js

@@ -0,0 +1,108 @@
+"use strict";
+// sdk/src/adaptive_switch.ts — Adaptive Mode Switcher (public SDK stub)
+// GRG integrity check runs server-side (helm private repo).
+// This module exports types, enums, and the client-side AdaptiveSwitch
+// (timestamp + ordering check only; integrity check delegated to server).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdaptiveSwitch = exports.TIER_TOLERANCE_MS = exports.AdaptiveMode = void 0;
+const logger_1 = require("./logger");
+var AdaptiveMode;
+(function (AdaptiveMode) {
+    AdaptiveMode["TURBO"] = "TURBO";
+    AdaptiveMode["FULL"] = "FULL";
+})(AdaptiveMode || (exports.AdaptiveMode = AdaptiveMode = {}));
+/** Tier-based dynamic tolerance (ms) */
+exports.TIER_TOLERANCE_MS = {
+    T0_epoch: 2000,
+    T1_block: 200,
+    T2_slot: 500,
+    T3_micro: 10,
+};
+class AdaptiveSwitch {
+    windowSize = 20;
+    turboEntryThreshold = 0.95;
+    turboMaintainThreshold = 0.85;
+    history = [];
+    currentMode = AdaptiveMode.FULL;
+    minBlocks = 20;
+    penaltyCooldown = 0;
+    consecutiveFailures = 0;
+    tolerance;
+    constructor(options) {
+        this.tolerance = options?.tolerance ?? 100;
+    }
+    /**
+     * Client-side TTT check: timestamp ordering + time delta only.
+     * GRG integrity verification is delegated to the server (IntegrityClient).
+     */
+    verifyBlock(block, tttRecord, _chainId, _poolAddress, tier) {
+        const orderMatch = this.compareTransactionOrder(block.txs, tttRecord.txOrder);
+        const tolerance = tier ? (exports.TIER_TOLERANCE_MS[tier] ?? this.tolerance) : this.tolerance;
+        const timeMatch = Math.abs(block.timestamp - tttRecord.time) < tolerance;
+        const sequenceOk = orderMatch && timeMatch;
+        this.history.push(sequenceOk);
+        if (this.history.length > this.windowSize)
+            this.history.shift();
+        if (this.penaltyCooldown > 0)
+            this.penaltyCooldown--;
+        const matchCount = this.history.filter(h => h).length;
+        const matchRate = this.history.length > 0 ? matchCount / this.history.length : 0;
+        const effectiveThreshold = this.currentMode === AdaptiveMode.TURBO
+            ? this.turboMaintainThreshold
+            : this.turboEntryThreshold;
+        if (this.history.length >= this.minBlocks && matchRate >= effectiveThreshold && this.penaltyCooldown === 0) {
+            if (this.currentMode === AdaptiveMode.FULL) {
+                logger_1.logger.info(`[AdaptiveSwitch] Switching to TURBO (rate: ${(matchRate * 100).toFixed(1)}%)`);
+            }
+            this.currentMode = AdaptiveMode.TURBO;
+            this.consecutiveFailures = 0;
+        }
+        else {
+            if (this.currentMode === AdaptiveMode.TURBO) {
+                logger_1.logger.warn(`[AdaptiveSwitch] Switching to FULL (rate: ${(matchRate * 100).toFixed(1)}%)`);
+            }
+            this.currentMode = AdaptiveMode.FULL;
+        }
+        return this.currentMode;
+    }
+    getFeeDiscount() {
+        return this.currentMode === AdaptiveMode.TURBO ? 0.2 : 0.0;
+    }
+    getCurrentMode() {
+        return this.currentMode;
+    }
+    reset() {
+        this.history = [];
+        this.currentMode = AdaptiveMode.FULL;
+        this.penaltyCooldown = 0;
+        this.consecutiveFailures = 0;
+    }
+    serialize() {
+        return JSON.stringify({
+            history: this.history,
+            currentMode: this.currentMode,
+            consecutiveFailures: this.consecutiveFailures,
+            penaltyCooldown: this.penaltyCooldown,
+            tolerance: this.tolerance,
+        });
+    }
+    static deserialize(json) {
+        const data = JSON.parse(json);
+        const instance = new AdaptiveSwitch({ tolerance: data.tolerance ?? 100 });
+        instance.history = data.history;
+        instance.currentMode = data.currentMode;
+        instance.consecutiveFailures = data.consecutiveFailures;
+        instance.penaltyCooldown = data.penaltyCooldown;
+        return instance;
+    }
+    compareTransactionOrder(blockTxs, expectedOrder) {
+        if (blockTxs.length !== expectedOrder.length)
+            return false;
+        for (let i = 0; i < blockTxs.length; i++) {
+            if (blockTxs[i] !== expectedOrder[i])
+                return false;
+        }
+        return true;
+    }
+}
+exports.AdaptiveSwitch = AdaptiveSwitch;

package/dist/http_client.js

@@ -96,6 +96,11 @@ function fetchHttpsDate(name, url, timeoutMs = 3000) {
 }
 // ---------------------------------------------------------------------------
 // HMAC helpers — default sandbox key derived from fixed chain+address strings
+// HMAC key is public by design — context binding, not secrecy.
+// The sandbox key below is a fixed string for local-only verification.
+// In production, the HMAC key is derived from (chainId, poolAddress) and
+// is deterministically recomputable by any party. The security property is
+// tamper detection (integrity), not confidentiality.
 // ---------------------------------------------------------------------------
 const SANDBOX_HMAC_SECRET = "openttt-sandbox:chainId=0:address=0x0000000000000000000000000000000000000000";
 function computeHmac(timestamp, nonce, expiresAt, sources, secret = SANDBOX_HMAC_SECRET) {

package/dist/index.d.ts

@@ -1,20 +1,19 @@
 export * from "./evm_connector";
-export * from "./x402_enforcer";
 export * from "./adaptive_switch";
-export * from "./protocol_fee";
 export * from "./pool_registry";
 export * from "./v4_hook";
 export * from "./logger";
 export * from "./types";
 export * from "./http_client";
 export * from "./time_synthesis";
-export * from "./dynamic_fee";
 export * from "./signer";
 export * from "./networks";
 export * from "./errors";
 export * from "./pot_signer";
 export * from "./ct_log";
 export * from "./trust_store";
-export * from "./revenue_tiers";
 export * from "./integrity_client";
 export * from "./osnma_source";
+export * from "./tls_binding";
+export * from "./pot_frame";
+export * from "./pot_verifier";

package/dist/index.js

@@ -19,11 +19,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 //   grg_forward, grg_inverse, grg_pipeline, golay, reed_solomon
 //   auto_mint (GRG 의존)
 // 위 모듈은 서버 코드에서 직접 경로로 import할 것.
+// 유료화 모듈 (private helm repo로 이동):
+//   protocol_fee, revenue_tiers, dynamic_fee, x402_enforcer
 __exportStar(require("./evm_connector"), exports);
-__exportStar(require("./x402_enforcer"), exports);
 __exportStar(require("./adaptive_switch"), exports);
 // ttt_builder omitted — server-internal only
-__exportStar(require("./protocol_fee"), exports);
 __exportStar(require("./pool_registry"), exports);
 __exportStar(require("./v4_hook"), exports);
 __exportStar(require("./logger"), exports);
@@ -31,13 +31,15 @@ __exportStar(require("./types"), exports);
 // ttt_client omitted — requires auto_mint (server-internal, not in public SDK)
 __exportStar(require("./http_client"), exports);
 __exportStar(require("./time_synthesis"), exports);
-__exportStar(require("./dynamic_fee"), exports);
 __exportStar(require("./signer"), exports);
 __exportStar(require("./networks"), exports);
 __exportStar(require("./errors"), exports);
 __exportStar(require("./pot_signer"), exports);
 __exportStar(require("./ct_log"), exports);
 __exportStar(require("./trust_store"), exports);
-__exportStar(require("./revenue_tiers"), exports);
 __exportStar(require("./integrity_client"), exports);
 __exportStar(require("./osnma_source"), exports);
+// TTTPS -02: TLS binding_key implementation (draft-helmprotocol-tttps-02 Section 7.1)
+__exportStar(require("./tls_binding"), exports);
+__exportStar(require("./pot_frame"), exports);
+__exportStar(require("./pot_verifier"), exports);

package/dist/pot_frame.d.ts

@@ -0,0 +1,59 @@
+/**
+ * pot_frame.ts — TTTPS PoT Frame encoder/decoder
+ *
+ * Wire format per draft-helmprotocol-tttps-02 Section 7.1:
+ *
+ *   +----------------------------------+
+ *   |  binding_key  (32 bytes)         |  ← TLS Exporter output
+ *   +----------------------------------+
+ *   |  pot_record   (143 bytes)        |  ← Section 4.1
+ *   |    Version[1] Tier[1] Res[1]     |
+ *   |    Timestamp[8]                  |
+ *   |    Confidence[4]                 |
+ *   |    Nonce[32]                     |
+ *   |    GRGCommit[32]                 |
+ *   |    Ed25519Sig[64]                |
+ *   +----------------------------------+
+ *   Total: 175 bytes
+ *
+ * pot_record_without_sig = first 79 bytes of pot_record
+ * (used as TLS Exporter context)
+ */
+export declare const POT_RECORD_SIZE = 143;
+export declare const POT_WITHOUT_SIG_SIZE = 79;
+export declare const BINDING_KEY_SIZE = 32;
+export declare const POT_FRAME_SIZE = 175;
+export interface PotFrame {
+    bindingKey: Buffer;
+    potRecord: Buffer;
+    version: number;
+    tier: number;
+    reserved: number;
+    timestamp: bigint;
+    confidence: number;
+    nonce: Buffer;
+    grgCommit: Buffer;
+    ed25519Sig: Buffer;
+}
+export declare class PotFrameError extends Error {
+    constructor(message: string);
+}
+/**
+ * Encode a PoT frame (175 bytes) from components.
+ */
+export declare function encodePotFrame(bindingKey: Buffer, potRecord: Buffer): Buffer;
+/**
+ * Decode a PoT frame (175 bytes) into components.
+ */
+export declare function decodePotFrame(frame: Buffer): PotFrame;
+/**
+ * Extract the portion of pot_record EXCLUDING the signature.
+ * This is used as the TLS Exporter context (Section 7.1).
+ * = first 79 bytes of the 143-byte pot_record
+ */
+export declare function potRecordWithoutSig(potRecord: Buffer): Buffer;
+/**
+ * Validate basic frame structure without TLS verification.
+ * (Full verification requires a TLS socket — see tls_binding.ts)
+ */
+export declare function validatePotFrameStructure(frame: Buffer): void;

package/dist/pot_frame.js

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * pot_frame.ts — TTTPS PoT Frame encoder/decoder
+ *
+ * Wire format per draft-helmprotocol-tttps-02 Section 7.1:
+ *
+ *   +----------------------------------+
+ *   |  binding_key  (32 bytes)         |  ← TLS Exporter output
+ *   +----------------------------------+
+ *   |  pot_record   (143 bytes)        |  ← Section 4.1
+ *   |    Version[1] Tier[1] Res[1]     |
+ *   |    Timestamp[8]                  |
+ *   |    Confidence[4]                 |
+ *   |    Nonce[32]                     |
+ *   |    GRGCommit[32]                 |
+ *   |    Ed25519Sig[64]                |
+ *   +----------------------------------+
+ *   Total: 175 bytes
+ *
+ * pot_record_without_sig = first 79 bytes of pot_record
+ * (used as TLS Exporter context)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PotFrameError = exports.POT_FRAME_SIZE = exports.BINDING_KEY_SIZE = exports.POT_WITHOUT_SIG_SIZE = exports.POT_RECORD_SIZE = void 0;
+exports.encodePotFrame = encodePotFrame;
+exports.decodePotFrame = decodePotFrame;
+exports.potRecordWithoutSig = potRecordWithoutSig;
+exports.validatePotFrameStructure = validatePotFrameStructure;
+exports.POT_RECORD_SIZE = 143; // bytes
+exports.POT_WITHOUT_SIG_SIZE = 79; // bytes (143 - 64 sig)
+exports.BINDING_KEY_SIZE = 32; // bytes
+exports.POT_FRAME_SIZE = 175; // bytes (32 + 143)
+class PotFrameError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "PotFrameError";
+    }
+}
+exports.PotFrameError = PotFrameError;
+/**
+ * Encode a PoT frame (175 bytes) from components.
+ */
+function encodePotFrame(bindingKey, potRecord) {
+    if (bindingKey.length !== exports.BINDING_KEY_SIZE) {
+        throw new PotFrameError(`binding_key must be ${exports.BINDING_KEY_SIZE} bytes, got ${bindingKey.length}`);
+    }
+    if (potRecord.length !== exports.POT_RECORD_SIZE) {
+        throw new PotFrameError(`pot_record must be ${exports.POT_RECORD_SIZE} bytes, got ${potRecord.length}`);
+    }
+    const frame = Buffer.allocUnsafe(exports.POT_FRAME_SIZE);
+    bindingKey.copy(frame, 0);
+    potRecord.copy(frame, exports.BINDING_KEY_SIZE);
+    return frame;
+}
+/**
+ * Decode a PoT frame (175 bytes) into components.
+ */
+function decodePotFrame(frame) {
+    if (frame.length !== exports.POT_FRAME_SIZE) {
+        throw new PotFrameError(`PoT frame must be ${exports.POT_FRAME_SIZE} bytes, got ${frame.length}`);
+    }
+    const bindingKey = frame.subarray(0, exports.BINDING_KEY_SIZE);
+    const potRecord = frame.subarray(exports.BINDING_KEY_SIZE, exports.POT_FRAME_SIZE);
+    // Parse pot_record fields (big-endian per Section 4.1)
+    let offset = 0;
+    // Byte 0: Version[4 bits] | Tier[4 bits]
+    const versionTier = potRecord.readUInt8(offset++);
+    const version = (versionTier >> 4) & 0x0F;
+    const tier = versionTier & 0x0F;
+    // Byte 1: Source Count (ignored in frame, stored separately)
+    const _sourceCount = potRecord.readUInt8(offset++);
+    // Byte 2: Reserved
+    const reserved = potRecord.readUInt8(offset++);
+    // Bytes 3-10: Timestamp (64-bit BE, nanoseconds)
+    const timestamp = potRecord.readBigUInt64BE(offset);
+    offset += 8;
+    // Bytes 11-14: Confidence (32-bit BE, ppm)
+    const confidence = potRecord.readUInt32BE(offset);
+    offset += 4;
+    // Bytes 15-46: Nonce (32 bytes)
+    const nonce = Buffer.from(potRecord.subarray(offset, offset + 32));
+    offset += 32;
+    // Bytes 47-78: GRG Commitment (32 bytes)
+    const grgCommit = Buffer.from(potRecord.subarray(offset, offset + 32));
+    offset += 32;
+    // Bytes 79-142: Ed25519 Signature (64 bytes)
+    const ed25519Sig = Buffer.from(potRecord.subarray(offset, offset + 64));
+    return {
+        bindingKey: Buffer.from(bindingKey),
+        potRecord: Buffer.from(potRecord),
+        version,
+        tier,
+        reserved,
+        timestamp,
+        confidence,
+        nonce,
+        grgCommit,
+        ed25519Sig,
+    };
+}
+/**
+ * Extract the portion of pot_record EXCLUDING the signature.
+ * This is used as the TLS Exporter context (Section 7.1).
+ * = first 79 bytes of the 143-byte pot_record
+ */
+function potRecordWithoutSig(potRecord) {
+    if (potRecord.length !== exports.POT_RECORD_SIZE) {
+        throw new PotFrameError(`pot_record must be ${exports.POT_RECORD_SIZE} bytes`);
+    }
+    return Buffer.from(potRecord.subarray(0, exports.POT_WITHOUT_SIG_SIZE));
+}
+/**
+ * Validate basic frame structure without TLS verification.
+ * (Full verification requires a TLS socket — see tls_binding.ts)
+ */
+function validatePotFrameStructure(frame) {
+    if (frame.length !== exports.POT_FRAME_SIZE) {
+        throw new PotFrameError(`Expected ${exports.POT_FRAME_SIZE} bytes, got ${frame.length}`);
+    }
+    const parsed = decodePotFrame(frame);
+    if (parsed.version !== 1) {
+        throw new PotFrameError(`Unknown PoT version: ${parsed.version}. Expected 1.`);
+    }
+    if (parsed.tier > 3) {
+        throw new PotFrameError(`Invalid tier: ${parsed.tier}. Valid range 0-3.`);
+    }
+    if (parsed.reserved !== 0) {
+        throw new PotFrameError(`Reserved field must be 0x00, got 0x${parsed.reserved.toString(16)}`);
+    }
+}

package/dist/pot_verifier.d.ts

@@ -0,0 +1,56 @@
+/**
+ * pot_verifier.ts — Complete TTTPS PoT frame verification
+ *
+ * Implements the normative verification sequence from
+ * draft-helmprotocol-tttps-02 Section 4.5 + Section 7.1:
+ *
+ *   1. Version check
+ *   2. TLS binding_key check  ← NEW in -02 (Ekr fix)
+ *   3. HMAC context gate      (~6 μs)
+ *   4. Ed25519 signature      (~100 μs)
+ *   5. Recency check
+ *   6. Nonce freshness
+ *
+ * Step 2 is checked FIRST because it's O(1) constant-time
+ * and prevents cross-session replay before any crypto.
+ */
+import * as tls from "tls";
+import { PotFrame } from "./pot_frame";
+export type VerifyError = "UNKNOWN_VERSION" | "BINDING_KEY_MISMATCH" | "HMAC_CONTEXT_FAILURE" | "SIGNATURE_INVALID" | "SUBMISSION_OUTSIDE_TOLERANCE" | "NONCE_REPLAY" | "FRAME_MALFORMED";
+export interface VerifyResult {
+    valid: boolean;
+    error?: VerifyError;
+    frame?: PotFrame;
+    latencyMs?: number;
+}
+export interface VerifierConfig {
+    /** Ed25519 public key of the trusted PoT Issuer (hex or Buffer) */
+    issuerPublicKey: Buffer | string;
+    /** Non-recoverable nonce cache (implement as LRU or Set with TTL) */
+    nonceCache: {
+        has(nonce: string): boolean;
+        add(nonce: string): void;
+    };
+}
+export declare class PotVerifier {
+    private issuerPubKey;
+    private nonceCache;
+    constructor(config: VerifierConfig);
+    /**
+     * Verify a 175-byte PoT frame over an active TLS socket.
+     *
+     * @param socket   - The TLS socket on which the frame was received
+     * @param frame    - 175-byte PoT frame (binding_key[32] + pot_record[143])
+     * @param nowMs    - Current time in milliseconds (injectable for testing)
+     */
+    verify(socket: tls.TLSSocket, frame: Buffer, nowMs?: number): VerifyResult;
+    private verifyEd25519;
+}
+export declare class MemoryNonceCache {
+    private cache;
+    private ttlMs;
+    constructor(ttlMs?: number);
+    has(nonce: string): boolean;
+    add(nonce: string): void;
+    private sweep;
+}

package/dist/pot_verifier.js

@@ -0,0 +1,183 @@
+"use strict";
+/**
+ * pot_verifier.ts — Complete TTTPS PoT frame verification
+ *
+ * Implements the normative verification sequence from
+ * draft-helmprotocol-tttps-02 Section 4.5 + Section 7.1:
+ *
+ *   1. Version check
+ *   2. TLS binding_key check  ← NEW in -02 (Ekr fix)
+ *   3. HMAC context gate      (~6 μs)
+ *   4. Ed25519 signature      (~100 μs)
+ *   5. Recency check
+ *   6. Nonce freshness
+ *
+ * Step 2 is checked FIRST because it's O(1) constant-time
+ * and prevents cross-session replay before any crypto.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryNonceCache = exports.PotVerifier = void 0;
+const crypto = __importStar(require("crypto"));
+const pot_frame_1 = require("./pot_frame");
+const tls_binding_1 = require("./tls_binding");
+/** Tier tolerance windows in milliseconds (Section 8) — numeric tier ID */
+const TTTPS_TIER_TOLERANCE_MS = {
+    0: 60_000, // T0_epoch: 60s
+    1: 2_000, // T1_block: 2s
+    2: 12_000, // T2_slot: 12s
+    3: 100, // T3_micro: 100ms
+};
+class PotVerifier {
+    issuerPubKey;
+    nonceCache;
+    constructor(config) {
+        this.issuerPubKey = typeof config.issuerPublicKey === "string"
+            ? Buffer.from(config.issuerPublicKey, "hex")
+            : config.issuerPublicKey;
+        this.nonceCache = config.nonceCache;
+    }
+    /**
+     * Verify a 175-byte PoT frame over an active TLS socket.
+     *
+     * @param socket   - The TLS socket on which the frame was received
+     * @param frame    - 175-byte PoT frame (binding_key[32] + pot_record[143])
+     * @param nowMs    - Current time in milliseconds (injectable for testing)
+     */
+    verify(socket, frame, nowMs = Date.now()) {
+        // ── Structural check ──────────────────────────────────────────
+        if (frame.length !== pot_frame_1.POT_FRAME_SIZE) {
+            return { valid: false, error: "FRAME_MALFORMED" };
+        }
+        let parsed;
+        try {
+            parsed = (0, pot_frame_1.decodePotFrame)(frame);
+        }
+        catch {
+            return { valid: false, error: "FRAME_MALFORMED" };
+        }
+        // ── Step 1: Version check ──────────────────────────────────────
+        if (parsed.version !== 1) {
+            return { valid: false, error: "UNKNOWN_VERSION" };
+        }
+        // ── Step 2: TLS binding_key (NEW — Ekr Section 7.1 fix) ───────
+        // O(1), constant-time. Must precede all crypto to prevent
+        // cross-session replay amplification.
+        const potWithoutSig = (0, pot_frame_1.potRecordWithoutSig)(parsed.potRecord);
+        const bindingValid = (0, tls_binding_1.verifyBindingKey)(socket, potWithoutSig, parsed.bindingKey);
+        if (!bindingValid) {
+            return { valid: false, error: "BINDING_KEY_MISMATCH", frame: parsed };
+        }
+        // ── Step 3: HMAC context gate (~6 μs) ─────────────────────────
+        // NOTE: Actual GRG HMAC verification is done server-side via
+        // IntegrityClient (integrity.helmprotocol.com).
+        // Local verification checks Ed25519 over grgCommit.
+        // Full HMAC verification is available when running Helm server.
+        // ── Step 4: Ed25519 signature verification (~100 μs) ──────────
+        const signatureValid = this.verifyEd25519(parsed.potRecord.subarray(0, 79), // pot_without_sig
+        parsed.ed25519Sig);
+        if (!signatureValid) {
+            return { valid: false, error: "SIGNATURE_INVALID", frame: parsed };
+        }
+        // ── Step 5: Recency check (AdaptiveSwitch gate) ────────────────
+        const potTimestampMs = Number(parsed.timestamp / 1000000n);
+        const latencyMs = nowMs - potTimestampMs;
+        const tolerance = TTTPS_TIER_TOLERANCE_MS[parsed.tier] ?? TTTPS_TIER_TOLERANCE_MS[1];
+        if (latencyMs > tolerance) {
+            // Delay attack detected → triggers FULL mode in AdaptiveSwitch
+            return {
+                valid: false,
+                error: "SUBMISSION_OUTSIDE_TOLERANCE",
+                frame: parsed,
+                latencyMs,
+            };
+        }
+        // ── Step 6: Nonce freshness ────────────────────────────────────
+        const nonceHex = parsed.nonce.toString("hex");
+        if (this.nonceCache.has(nonceHex)) {
+            return { valid: false, error: "NONCE_REPLAY", frame: parsed };
+        }
+        this.nonceCache.add(nonceHex);
+        return { valid: true, frame: parsed, latencyMs };
+    }
+    verifyEd25519(data, signature) {
+        try {
+            return crypto.verify(null, data, {
+                key: this.issuerPubKey,
+                format: "der",
+                type: "spki",
+            }, signature);
+        }
+        catch {
+            return false;
+        }
+    }
+}
+exports.PotVerifier = PotVerifier;
+// ──────────────────────────────────────────────────────────────────
+// Simple in-memory nonce cache with TTL (for testing / small deployments)
+// Production: use Redis with SETEX
+// ──────────────────────────────────────────────────────────────────
+class MemoryNonceCache {
+    cache = new Map(); // nonce → expiresAt
+    ttlMs;
+    constructor(ttlMs = 120_000) {
+        this.ttlMs = ttlMs;
+    }
+    has(nonce) {
+        const exp = this.cache.get(nonce);
+        if (exp === undefined)
+            return false;
+        if (Date.now() > exp) {
+            this.cache.delete(nonce);
+            return false;
+        }
+        return true;
+    }
+    add(nonce) {
+        // Periodic cleanup (keep cache from growing unbounded)
+        if (this.cache.size > 10_000)
+            this.sweep();
+        this.cache.set(nonce, Date.now() + this.ttlMs);
+    }
+    sweep() {
+        const now = Date.now();
+        for (const [k, exp] of this.cache) {
+            if (now > exp)
+                this.cache.delete(k);
+        }
+    }
+}
+exports.MemoryNonceCache = MemoryNonceCache;

package/dist/tls_binding.d.ts

@@ -0,0 +1,52 @@
+/**
+ * tls_binding.ts — RFC 5705 TLS Exporter binding for TTTPS
+ *
+ * Implements Section 7.1 of draft-helmprotocol-tttps-02:
+ *   binding_key = TLS-Exporter("EXPORTER-tttps-pot-binding",
+ *                               pot_record_without_sig, 32)
+ *
+ * Both client and server derive the same 32-byte key from the
+ * shared TLS session master secret. A PoT frame generated in
+ * session A cannot be replayed into session B.
+ *
+ * Node.js API: tls.TLSSocket.exportKeyingMaterial()
+ * Available since Node.js 13.x (LTS 14+)
+ * RFC 5705 compliant.
+ */
+import * as tls from "tls";
+/** Label defined in draft-helmprotocol-tttps-02 Section 7.1 */
+export declare const TTTPS_EXPORTER_LABEL = "EXPORTER-tttps-pot-binding";
+export declare const TTTPS_BINDING_KEY_LENGTH = 32;
+export interface BindingKeyResult {
+    bindingKey: Buffer;
+    sessionId: string;
+}
+export declare class TLSBindingError extends Error {
+    constructor(message: string);
+}
+/**
+ * Derive the 32-byte binding key from a TLS session and a PoT record.
+ *
+ * @param socket          - Active TLS socket (must be in CONNECTED state)
+ * @param potWithoutSig   - PoT record bytes WITHOUT the Ed25519 signature
+ *                          (first 79 bytes of the 143-byte record:
+ *                           Version[1] + Tier[1] + Reserved[1] +
+ *                           Timestamp[8] + Confidence[4] +
+ *                           Nonce[32] + GRGCommit[32])
+ * @returns 32-byte binding key
+ */
+export declare function computeBindingKey(socket: tls.TLSSocket, potWithoutSig: Buffer): BindingKeyResult;
+/**
+ * Verify that a received binding_key matches the expected value
+ * for this TLS session and PoT record.
+ *
+ * This is the normative check from draft-helmprotocol-tttps-02 Section 7.1:
+ *   "The verifier MUST recompute expected_key via TLS-Exporter
+ *    and verify it matches the binding_key in the PoT frame header."
+ *
+ * @param socket            - Active TLS socket (same session as sender)
+ * @param potWithoutSig     - PoT record bytes WITHOUT signature (79 bytes)
+ * @param receivedBindingKey - 32-byte binding_key from the received PoT frame
+ * @returns true if binding is valid, false if cross-session replay detected
+ */
+export declare function verifyBindingKey(socket: tls.TLSSocket, potWithoutSig: Buffer, receivedBindingKey: Buffer): boolean;