signet-protocol 0.1.0

package/dist/connections.js

@@ -0,0 +1,170 @@
+// Signet Peer Connection Management
+// ECDH-based shared secret derivation and connection lifecycle
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { bytesToHex, hexToBytes, randomBytes } from '@noble/hashes/utils.js';
+import { SignetValidationError } from './errors.js';
+// ── ECDH ─────────────────────────────────────────────────────────────────────
+/** Compute an ECDH shared secret from our private key and their x-only public key.
+ *  The result is the SHA-256 of the x-coordinate of the ECDH point, returned as
+ *  a 32-byte hex string.  The secret is symmetric: A(priv)+B(pub) === B(priv)+A(pub). */
+export function computeSharedSecret(myPrivateKey, theirPublicKey) {
+    // Nostr/schnorr public keys are x-only (32 bytes).  To perform ECDH we need
+    // the full compressed point, so we prepend 0x02 (assume even y-coordinate,
+    // per BIP-340 convention used by Nostr).
+    const privBytes = hexToBytes(myPrivateKey);
+    const sharedPoint = secp256k1.getSharedSecret(privBytes, hexToBytes('02' + theirPublicKey));
+    privBytes.fill(0);
+    // sharedPoint is 33 bytes (compressed): prefix + x-coordinate.  Take x bytes [1..33].
+    const xBytes = sharedPoint.slice(1, 33);
+    return bytesToHex(sha256(xBytes));
+}
+// ── QR Payload ───────────────────────────────────────────────────────────────
+/**
+ * Create a QR payload containing our public key and a random nonce.
+ *
+ * **SECURITY WARNING — unencrypted payload:** The returned object is serialised
+ * as cleartext JSON by `serializeQRPayload`.  Any `ContactInfo` embedded in the
+ * payload (name, mobile, email, address, children's public keys) is transmitted
+ * without encryption.  Only display this QR code on trusted screens in
+ * controlled environments.  Do not transmit it over untrusted channels.
+ */
+export function createQRPayload(publicKey, info) {
+    const nonce = bytesToHex(randomBytes(32));
+    const payload = { pubkey: publicKey, nonce };
+    if (info !== undefined) {
+        payload.info = info;
+    }
+    return payload;
+}
+/** Serialize a QR payload to a JSON string. */
+export function serializeQRPayload(payload) {
+    return JSON.stringify(payload);
+}
+const MAX_CONTACT_FIELD_LENGTH = 256;
+const MAX_CHILD_PUBKEYS = 20;
+/** Validate ContactInfo field sizes to prevent oversized payloads from untrusted sources. */
+function validateContactInfo(info) {
+    if (typeof info !== 'object' || info === null) {
+        throw new SignetValidationError('Invalid ContactInfo: must be an object');
+    }
+    const ci = info;
+    for (const field of ['name', 'mobile', 'email', 'address']) {
+        if (ci[field] !== undefined) {
+            if (typeof ci[field] !== 'string')
+                throw new SignetValidationError(`Invalid ContactInfo: ${field} must be a string`);
+            if (ci[field].length > MAX_CONTACT_FIELD_LENGTH) {
+                throw new SignetValidationError(`Invalid ContactInfo: ${field} exceeds ${MAX_CONTACT_FIELD_LENGTH} characters`);
+            }
+        }
+    }
+    if (ci.childPubkeys !== undefined) {
+        if (!Array.isArray(ci.childPubkeys))
+            throw new SignetValidationError('Invalid ContactInfo: childPubkeys must be an array');
+        if (ci.childPubkeys.length > MAX_CHILD_PUBKEYS) {
+            throw new SignetValidationError(`Invalid ContactInfo: childPubkeys exceeds ${MAX_CHILD_PUBKEYS} entries`);
+        }
+        for (const pk of ci.childPubkeys) {
+            if (typeof pk !== 'string' || !/^[0-9a-f]{64}$/i.test(pk)) {
+                throw new SignetValidationError('Invalid ContactInfo: childPubkeys must contain valid 64-char hex pubkeys');
+            }
+        }
+    }
+}
+/** Parse and validate a QR payload from a JSON string.
+ *  Throws if the data is not valid JSON or is missing required fields. */
+export function parseQRPayload(data) {
+    let parsed;
+    try {
+        parsed = JSON.parse(data);
+    }
+    catch {
+        throw new SignetValidationError('Invalid QR payload: malformed JSON');
+    }
+    if (typeof parsed !== 'object' || parsed === null) {
+        throw new SignetValidationError('Invalid QR payload: not an object');
+    }
+    const obj = parsed;
+    if (typeof obj.pubkey !== 'string' || !/^[0-9a-f]{64}$/i.test(obj.pubkey)) {
+        throw new SignetValidationError('Invalid QR payload: pubkey must be a 64-character hex string');
+    }
+    if (typeof obj.nonce !== 'string' || obj.nonce.length < 32 || obj.nonce.length > 128) {
+        throw new SignetValidationError('Invalid QR payload: nonce must be 32-128 hex characters');
+    }
+    // Validate ContactInfo field sizes if present
+    if (obj.info !== undefined) {
+        validateContactInfo(obj.info);
+    }
+    return parsed;
+}
+// ── Connection ───────────────────────────────────────────────────────────────
+/** Create a Connection from our private key and a scanned QR payload. */
+export function createConnection(myPrivateKey, qrPayload, ourInfo) {
+    const sharedSecret = computeSharedSecret(myPrivateKey, qrPayload.pubkey);
+    return {
+        pubkey: qrPayload.pubkey,
+        sharedSecret,
+        theirInfo: qrPayload.info ?? {},
+        ourInfo,
+        connectedAt: Math.floor(Date.now() / 1000),
+        method: 'qr-in-person',
+    };
+}
+// ── ConnectionStore ──────────────────────────────────────────────────────────
+/** Simple in-memory connection manager keyed by remote public key. */
+export class ConnectionStore {
+    connections = new Map();
+    /** Add a connection. If a connection with the same pubkey already exists it is replaced. */
+    add(connection) {
+        this.connections.set(connection.pubkey, connection);
+    }
+    /** Get a connection by remote public key. */
+    get(pubkey) {
+        return this.connections.get(pubkey);
+    }
+    /** List all connections. */
+    list() {
+        return Array.from(this.connections.values());
+    }
+    /** Remove a connection by remote public key. Returns true if a connection was removed. */
+    remove(pubkey) {
+        return this.connections.delete(pubkey);
+    }
+    /** Check whether a connection for the given public key exists. */
+    has(pubkey) {
+        return this.connections.has(pubkey);
+    }
+    /** Export all connections as an array (for serialization). */
+    export() {
+        return this.list();
+    }
+    /** Import connections from an array, replacing any existing connections with the same pubkey. */
+    import(connections) {
+        for (const conn of connections) {
+            if (!conn || typeof conn !== 'object')
+                continue;
+            if (typeof conn.pubkey !== 'string' || !/^[0-9a-f]{64}$/i.test(conn.pubkey))
+                continue;
+            if (typeof conn.sharedSecret !== 'string' || !/^[0-9a-f]{64}$/i.test(conn.sharedSecret))
+                continue;
+            if (typeof conn.connectedAt !== 'number' || conn.connectedAt <= 0)
+                continue;
+            if (typeof conn.theirInfo !== 'object' || conn.theirInfo === null)
+                continue;
+            if (typeof conn.ourInfo !== 'object' || conn.ourInfo === null)
+                continue;
+            if (conn.method !== 'qr-in-person' && conn.method !== 'online')
+                continue;
+            // Validate ContactInfo field sizes to prevent oversized data from untrusted sources
+            try {
+                validateContactInfo(conn.theirInfo);
+                validateContactInfo(conn.ourInfo);
+            }
+            catch {
+                continue;
+            }
+            this.connections.set(conn.pubkey, conn);
+        }
+    }
+}
+//# sourceMappingURL=connections.js.map

package/dist/connections.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connections.js","sourceRoot":"","sources":["../src/connections.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,+DAA+D;AAE/D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AA8BpD,gFAAgF;AAEhF;;yFAEyF;AACzF,MAAM,UAAU,mBAAmB,CAAC,YAAoB,EAAE,cAAsB;IAC9E,4EAA4E;IAC5E,2EAA2E;IAC3E,yCAAyC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,SAAS,CAAC,eAAe,CAAC,SAAS,EAAE,UAAU,CAAC,IAAI,GAAG,cAAc,CAAC,CAAC,CAAC;IAC5F,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAElB,sFAAsF;IACtF,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACxC,OAAO,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,SAAiB,EAAE,IAAkB;IACnE,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAc,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACxD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IACtB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+CAA+C;AAC/C,MAAM,UAAU,kBAAkB,CAAC,OAAkB;IACnD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,wBAAwB,GAAG,GAAG,CAAC;AACrC,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,6FAA6F;AAC7F,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,qBAAqB,CAAC,wCAAwC,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,EAAE,GAAG,IAA+B,CAAC;IAC3C,KAAK,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAU,EAAE,CAAC;QACpE,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YAC5B,IAAI,OAAO,EAAE,CAAC,KAAK,CAAC,KAAK,QAAQ;gBAAE,MAAM,IAAI,qBAAqB,CAAC,wBAAwB,KAAK,mBAAmB,CAAC,CAAC;YACrH,IAAK,EAAE,CAAC,KAAK,CAAY,CAAC,MAAM,GAAG,wBAAwB,EAAE,CAAC;gBAC5D,MAAM,IAAI,qBAAqB,CAAC,wBAAwB,KAAK,YAAY,wBAAwB,aAAa,CAAC,CAAC;YAClH,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,EAAE,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAClC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,YAAY,CAAC;YAAE,MAAM,IAAI,qBAAqB,CAAC,oDAAoD,CAAC,CAAC;QAC3H,IAAI,EAAE,CAAC,YAAY,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YAC/C,MAAM,IAAI,qBAAqB,CAAC,6CAA6C,iBAAiB,UAAU,CAAC,CAAC;QAC5G,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,EAAE,CAAC,YAAY,EAAE,CAAC;YACjC,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC1D,MAAM,IAAI,qBAAqB,CAAC,0EAA0E,CAAC,CAAC;YAC9G,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;0EAC0E;AAC1E,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,oCAAoC,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,IAAI,qBAAqB,CAAC,mCAAmC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,GAAG,GAAG,MAAiC,CAAC;IAE9C,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,qBAAqB,CAAC,8DAA8D,CAAC,CAAC;IAClG,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACrF,MAAM,IAAI,qBAAqB,CAAC,yDAAyD,CAAC,CAAC;IAC7F,CAAC;IAED,8CAA8C;IAC9C,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,MAAmB,CAAC;AAC7B,CAAC;AAED,gFAAgF;AAEhF,yEAAyE;AACzE,MAAM,UAAU,gBAAgB,CAC9B,YAAoB,EACpB,SAAoB,EACpB,OAAoB;IAEpB,MAAM,YAAY,GAAG,mBAAmB,CAAC,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACzE,OAAO;QACL,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,YAAY;QACZ,SAAS,EAAE,SAAS,CAAC,IAAI,IAAI,EAAE;QAC/B,OAAO;QACP,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAC1C,MAAM,EAAE,cAAc;KACvB,CAAC;AACJ,CAAC;AAED,gFAAgF;AAEhF,sEAAsE;AACtE,MAAM,OAAO,eAAe;IAClB,WAAW,GAA4B,IAAI,GAAG,EAAE,CAAC;IAEzD,4FAA4F;IAC5F,GAAG,CAAC,UAAsB;QACxB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACtD,CAAC;IAED,6CAA6C;IAC7C,GAAG,CAAC,MAAc;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,4BAA4B;IAC5B,IAAI;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,0FAA0F;IAC1F,MAAM,CAAC,MAAc;QACnB,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED,kEAAkE;IAClE,GAAG,CAAC,MAAc;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,8DAA8D;IAC9D,MAAM;QACJ,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;IACrB,CAAC;IAED,iGAAiG;IACjG,MAAM,CAAC,WAAyB;QAC9B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAAE,SAAS;YAChD,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YACtF,IAAI,OAAO,IAAI,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;gBAAE,SAAS;YAClG,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC;gBAAE,SAAS;YAC5E,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI;gBAAE,SAAS;YAC5E,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI;gBAAE,SAAS;YACxE,IAAI,IAAI,CAAC,MAAM,KAAK,cAAc,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACzE,oFAAoF;YACpF,IAAI,CAAC;gBACH,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACpC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;CACF"}

package/dist/constants.d.ts

@@ -0,0 +1,86 @@
+import { ATTESTATION_KIND } from 'nostr-attestations';
+/** Generic Verifiable Attestation kind (NIP-VA, kind 31000) */
+export { ATTESTATION_KIND };
+/** NIP-78 App-specific Data kind (existing Nostr kind) */
+export declare const APP_DATA_KIND = 30078;
+/** Attestation type identifiers */
+export declare const ATTESTATION_TYPES: {
+    readonly CREDENTIAL: "credential";
+    readonly VOUCH: "vouch";
+    readonly VERIFIER: "verifier";
+    readonly CHALLENGE: "challenge";
+    readonly REVOCATION: "revocation";
+    readonly IDENTITY_BRIDGE: "identity-bridge";
+    readonly DELEGATION: "delegation";
+};
+/** @deprecated — use ATTESTATION_KIND + ATTESTATION_TYPES instead */
+export declare const SIGNET_KINDS: {
+    readonly CREDENTIAL: 31000;
+    readonly VOUCH: 31000;
+    readonly POLICY: 30078;
+    readonly VERIFIER: 31000;
+    readonly CHALLENGE: 31000;
+    readonly REVOCATION: 31000;
+    readonly IDENTITY_BRIDGE: 31000;
+    readonly DELEGATION: 31000;
+};
+/**
+ * @deprecated NIP-VA labels are now auto-generated by nostr-attestations.
+ * Kept for backwards compatibility with parsers consuming legacy events.
+ */
+export declare const SIGNET_LABEL = "signet";
+/** Default number of vouches needed for Tier 2 */
+export declare const DEFAULT_VOUCH_THRESHOLD = 3;
+/** Default minimum tier of vouchers for Tier 2 */
+export declare const DEFAULT_VOUCHER_MIN_TIER = 2;
+/** Default credential expiry: 2 years in seconds */
+export declare const DEFAULT_CREDENTIAL_EXPIRY_SECONDS: number;
+/** Default number of Tier 3+ confirmations to revoke a verifier */
+export declare const DEFAULT_REVOCATION_THRESHOLD = 5;
+/** Minimum cross-verification requirements for verifier activation */
+export declare const VERIFIER_ACTIVATION: {
+    readonly MIN_VOUCHES: 2;
+    readonly MIN_PROFESSIONS: 2;
+};
+/** Signet Score weights (default implementation, 0-200 scale) */
+export declare const TRUST_WEIGHTS: {
+    readonly PROFESSIONAL_VERIFICATION: 80;
+    readonly IN_PERSON_VOUCH: 16;
+    readonly ONLINE_VOUCH: 4;
+    readonly ACCOUNT_AGE_PER_YEAR: 10;
+    readonly ACCOUNT_AGE_MAX: 30;
+    readonly IDENTITY_BRIDGE: 50;
+};
+/** Minimum ring size for identity bridges (anonymity threshold) */
+export declare const MIN_BRIDGE_RING_SIZE = 5;
+/** Maximum Signet Score */
+export declare const MAX_TRUST_SCORE = 200;
+/** Valid entity types */
+export declare const ENTITY_TYPES: readonly ["natural_person", "persona", "personal_agent", "unlinked_personal_agent", "juridical_person", "juridical_persona", "organised_agent", "unlinked_organised_agent", "unlinked_agent"];
+/** Valid delegation owner → agent type mappings */
+export declare const DELEGATION_CONSTRAINTS: Record<string, string>;
+/** App-friendly labels for entity types */
+export declare const ENTITY_LABELS: Record<string, string>;
+/** Domain separator for bond proof messages */
+export declare const BOND_DOMAIN_SEPARATOR = "signet:bond";
+/** Default maximum age for bond proofs: 30 days in seconds */
+export declare const DEFAULT_BOND_MAX_AGE_SECS: number;
+/** Valid Bitcoin address types for bond proofs */
+export declare const VALID_BOND_ADDRESS_TYPES: readonly ["p2wpkh", "p2sh", "p2tr", "p2pkh"];
+/** Default asymmetric cryptographic algorithm (Nostr standard secp256k1).
+ * Tagged on events so future parsers can distinguish pre- and post-quantum events. */
+export declare const DEFAULT_CRYPTO_ALGORITHM: "secp256k1";
+/** Cold-call verification constants */
+export declare const COLD_CALL_CONTEXT = "signet:cold-call";
+export declare const COLD_CALL_EPOCH_SECONDS = 30;
+export declare const COLD_CALL_TOLERANCE = 1;
+export declare const WELL_KNOWN_PATH = "/.well-known/signet.json";
+export declare const WELL_KNOWN_MAX_SIZE = 10240;
+export declare const WELL_KNOWN_MAX_PUBKEYS = 20;
+export declare const WELL_KNOWN_MAX_CACHE_HOURS = 24;
+export declare const SESSION_CODE_EXPIRY_SECONDS = 300;
+/** NATO phonetic alphabet for session codes */
+export declare const NATO_ALPHABET: readonly ["ALFA", "BRAVO", "CHARLIE", "DELTA", "ECHO", "FOXTROT", "GOLF", "HOTEL", "INDIA", "JULIET", "KILO", "LIMA", "MIKE", "NOVEMBER", "OSCAR", "PAPA", "QUEBEC", "ROMEO", "SIERRA", "TANGO", "UNIFORM", "VICTOR", "WHISKEY", "XRAY", "YANKEE", "ZULU"];
+/** Signal ordering (protocol-mandated) */
+export declare const SIGNAL_PRIORITY: readonly ["professional-verification", "identity-bridge", "in-person-vouch", "online-vouch", "account-age"];
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,+DAA+D;AAC/D,OAAO,EAAE,gBAAgB,EAAE,CAAC;AAE5B,0DAA0D;AAC1D,eAAO,MAAM,aAAa,QAAQ,CAAC;AAEnC,mCAAmC;AACnC,eAAO,MAAM,iBAAiB;;;;;;;;CAQpB,CAAC;AAEX,qEAAqE;AACrE,eAAO,MAAM,YAAY;;;;;;;;;CASf,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,YAAY,WAAW,CAAC;AAErC,kDAAkD;AAClD,eAAO,MAAM,uBAAuB,IAAI,CAAC;AAEzC,kDAAkD;AAClD,eAAO,MAAM,wBAAwB,IAAI,CAAC;AAE1C,oDAAoD;AACpD,eAAO,MAAM,iCAAiC,QAAyB,CAAC;AAExE,mEAAmE;AACnE,eAAO,MAAM,4BAA4B,IAAI,CAAC;AAE9C,sEAAsE;AACtE,eAAO,MAAM,mBAAmB;;;CAGtB,CAAC;AAEX,iEAAiE;AACjE,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAEX,mEAAmE;AACnE,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,2BAA2B;AAC3B,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC,yBAAyB;AACzB,eAAO,MAAM,YAAY,+LAUf,CAAC;AAEX,mDAAmD;AACnD,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAKzD,CAAC;AAEF,2CAA2C;AAC3C,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAUhD,CAAC;AAEF,+CAA+C;AAC/C,eAAO,MAAM,qBAAqB,gBAAgB,CAAC;AAEnD,8DAA8D;AAC9D,eAAO,MAAM,yBAAyB,QAAoB,CAAC;AAE3D,kDAAkD;AAClD,eAAO,MAAM,wBAAwB,8CAA+C,CAAC;AAErF;sFACsF;AACtF,eAAO,MAAM,wBAAwB,EAAG,WAAoB,CAAC;AAE7D,uCAAuC;AACvC,eAAO,MAAM,iBAAiB,qBAAqB,CAAC;AACpD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAC1C,eAAO,MAAM,mBAAmB,IAAI,CAAC;AACrC,eAAO,MAAM,eAAe,6BAA6B,CAAC;AAC1D,eAAO,MAAM,mBAAmB,QAAQ,CAAC;AACzC,eAAO,MAAM,sBAAsB,KAAK,CAAC;AACzC,eAAO,MAAM,0BAA0B,KAAK,CAAC;AAC7C,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C,+CAA+C;AAC/C,eAAO,MAAM,aAAa,4PAMhB,CAAC;AAEX,0CAA0C;AAC1C,eAAO,MAAM,eAAe,6GAMlB,CAAC"}

package/dist/constants.js

@@ -0,0 +1,124 @@
+// Signet Protocol Constants
+import { ATTESTATION_KIND } from 'nostr-attestations';
+/** Generic Verifiable Attestation kind (NIP-VA, kind 31000) */
+export { ATTESTATION_KIND };
+/** NIP-78 App-specific Data kind (existing Nostr kind) */
+export const APP_DATA_KIND = 30078;
+/** Attestation type identifiers */
+export const ATTESTATION_TYPES = {
+    CREDENTIAL: 'credential',
+    VOUCH: 'vouch',
+    VERIFIER: 'verifier',
+    CHALLENGE: 'challenge',
+    REVOCATION: 'revocation',
+    IDENTITY_BRIDGE: 'identity-bridge',
+    DELEGATION: 'delegation',
+};
+/** @deprecated — use ATTESTATION_KIND + ATTESTATION_TYPES instead */
+export const SIGNET_KINDS = {
+    CREDENTIAL: ATTESTATION_KIND,
+    VOUCH: ATTESTATION_KIND,
+    POLICY: APP_DATA_KIND,
+    VERIFIER: ATTESTATION_KIND,
+    CHALLENGE: ATTESTATION_KIND,
+    REVOCATION: ATTESTATION_KIND,
+    IDENTITY_BRIDGE: ATTESTATION_KIND,
+    DELEGATION: ATTESTATION_KIND,
+};
+/**
+ * @deprecated NIP-VA labels are now auto-generated by nostr-attestations.
+ * Kept for backwards compatibility with parsers consuming legacy events.
+ */
+export const SIGNET_LABEL = 'signet';
+/** Default number of vouches needed for Tier 2 */
+export const DEFAULT_VOUCH_THRESHOLD = 3;
+/** Default minimum tier of vouchers for Tier 2 */
+export const DEFAULT_VOUCHER_MIN_TIER = 2;
+/** Default credential expiry: 2 years in seconds */
+export const DEFAULT_CREDENTIAL_EXPIRY_SECONDS = 2 * 365 * 24 * 60 * 60;
+/** Default number of Tier 3+ confirmations to revoke a verifier */
+export const DEFAULT_REVOCATION_THRESHOLD = 5;
+/** Minimum cross-verification requirements for verifier activation */
+export const VERIFIER_ACTIVATION = {
+    MIN_VOUCHES: 2,
+    MIN_PROFESSIONS: 2,
+};
+/** Signet Score weights (default implementation, 0-200 scale) */
+export const TRUST_WEIGHTS = {
+    PROFESSIONAL_VERIFICATION: 80,
+    IN_PERSON_VOUCH: 16,
+    ONLINE_VOUCH: 4,
+    ACCOUNT_AGE_PER_YEAR: 10,
+    ACCOUNT_AGE_MAX: 30,
+    IDENTITY_BRIDGE: 50,
+};
+/** Minimum ring size for identity bridges (anonymity threshold) */
+export const MIN_BRIDGE_RING_SIZE = 5;
+/** Maximum Signet Score */
+export const MAX_TRUST_SCORE = 200;
+/** Valid entity types */
+export const ENTITY_TYPES = [
+    'natural_person',
+    'persona',
+    'personal_agent',
+    'unlinked_personal_agent',
+    'juridical_person',
+    'juridical_persona',
+    'organised_agent',
+    'unlinked_organised_agent',
+    'unlinked_agent',
+];
+/** Valid delegation owner → agent type mappings */
+export const DELEGATION_CONSTRAINTS = {
+    natural_person: 'personal_agent',
+    persona: 'unlinked_personal_agent',
+    juridical_person: 'organised_agent',
+    juridical_persona: 'unlinked_organised_agent',
+};
+/** App-friendly labels for entity types */
+export const ENTITY_LABELS = {
+    natural_person: 'Person',
+    persona: 'Alias',
+    personal_agent: 'Personal Agent',
+    unlinked_personal_agent: 'Unlinked Personal Agent',
+    juridical_person: 'Organisation',
+    juridical_persona: 'Org Alias',
+    organised_agent: 'Organised Agent',
+    unlinked_organised_agent: 'Unlinked Org Agent',
+    unlinked_agent: 'Unlinked Agent',
+};
+/** Domain separator for bond proof messages */
+export const BOND_DOMAIN_SEPARATOR = 'signet:bond';
+/** Default maximum age for bond proofs: 30 days in seconds */
+export const DEFAULT_BOND_MAX_AGE_SECS = 30 * 24 * 60 * 60;
+/** Valid Bitcoin address types for bond proofs */
+export const VALID_BOND_ADDRESS_TYPES = ['p2wpkh', 'p2sh', 'p2tr', 'p2pkh'];
+/** Default asymmetric cryptographic algorithm (Nostr standard secp256k1).
+ * Tagged on events so future parsers can distinguish pre- and post-quantum events. */
+export const DEFAULT_CRYPTO_ALGORITHM = 'secp256k1';
+/** Cold-call verification constants */
+export const COLD_CALL_CONTEXT = 'signet:cold-call';
+export const COLD_CALL_EPOCH_SECONDS = 30;
+export const COLD_CALL_TOLERANCE = 1; // ±1 epoch
+export const WELL_KNOWN_PATH = '/.well-known/signet.json';
+export const WELL_KNOWN_MAX_SIZE = 10240; // 10 KB
+export const WELL_KNOWN_MAX_PUBKEYS = 20;
+export const WELL_KNOWN_MAX_CACHE_HOURS = 24;
+export const SESSION_CODE_EXPIRY_SECONDS = 300; // 5 minutes
+/** NATO phonetic alphabet for session codes */
+export const NATO_ALPHABET = [
+    'ALFA', 'BRAVO', 'CHARLIE', 'DELTA', 'ECHO', 'FOXTROT',
+    'GOLF', 'HOTEL', 'INDIA', 'JULIET', 'KILO', 'LIMA',
+    'MIKE', 'NOVEMBER', 'OSCAR', 'PAPA', 'QUEBEC', 'ROMEO',
+    'SIERRA', 'TANGO', 'UNIFORM', 'VICTOR', 'WHISKEY',
+    'XRAY', 'YANKEE', 'ZULU',
+];
+/** Signal ordering (protocol-mandated) */
+export const SIGNAL_PRIORITY = [
+    'professional-verification',
+    'identity-bridge',
+    'in-person-vouch',
+    'online-vouch',
+    'account-age',
+];
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,+DAA+D;AAC/D,OAAO,EAAE,gBAAgB,EAAE,CAAC;AAE5B,0DAA0D;AAC1D,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,CAAC;AAEnC,mCAAmC;AACnC,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,UAAU,EAAE,YAAY;IACxB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,WAAW;IACtB,UAAU,EAAE,YAAY;IACxB,eAAe,EAAE,iBAAiB;IAClC,UAAU,EAAE,YAAY;CAChB,CAAC;AAEX,qEAAqE;AACrE,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,UAAU,EAAE,gBAAgB;IAC5B,KAAK,EAAE,gBAAgB;IACvB,MAAM,EAAE,aAAa;IACrB,QAAQ,EAAE,gBAAgB;IAC1B,SAAS,EAAE,gBAAgB;IAC3B,UAAU,EAAE,gBAAgB;IAC5B,eAAe,EAAE,gBAAgB;IACjC,UAAU,EAAE,gBAAgB;CACpB,CAAC;AAEX;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,QAAQ,CAAC;AAErC,kDAAkD;AAClD,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAEzC,kDAAkD;AAClD,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC;AAE1C,oDAAoD;AACpD,MAAM,CAAC,MAAM,iCAAiC,GAAG,CAAC,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAExE,mEAAmE;AACnE,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC;AAE9C,sEAAsE;AACtE,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,WAAW,EAAE,CAAC;IACd,eAAe,EAAE,CAAC;CACV,CAAC;AAEX,iEAAiE;AACjE,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,yBAAyB,EAAE,EAAE;IAC7B,eAAe,EAAE,EAAE;IACnB,YAAY,EAAE,CAAC;IACf,oBAAoB,EAAE,EAAE;IACxB,eAAe,EAAE,EAAE;IACnB,eAAe,EAAE,EAAE;CACX,CAAC;AAEX,mEAAmE;AACnE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC;AAEtC,2BAA2B;AAC3B,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,CAAC;AAEnC,yBAAyB;AACzB,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,gBAAgB;IAChB,SAAS;IACT,gBAAgB;IAChB,yBAAyB;IACzB,kBAAkB;IAClB,mBAAmB;IACnB,iBAAiB;IACjB,0BAA0B;IAC1B,gBAAgB;CACR,CAAC;AAEX,mDAAmD;AACnD,MAAM,CAAC,MAAM,sBAAsB,GAA2B;IAC5D,cAAc,EAAE,gBAAgB;IAChC,OAAO,EAAE,yBAAyB;IAClC,gBAAgB,EAAE,iBAAiB;IACnC,iBAAiB,EAAE,0BAA0B;CAC9C,CAAC;AAEF,2CAA2C;AAC3C,MAAM,CAAC,MAAM,aAAa,GAA2B;IACnD,cAAc,EAAE,QAAQ;IACxB,OAAO,EAAE,OAAO;IAChB,cAAc,EAAE,gBAAgB;IAChC,uBAAuB,EAAE,yBAAyB;IAClD,gBAAgB,EAAE,cAAc;IAChC,iBAAiB,EAAE,WAAW;IAC9B,eAAe,EAAE,iBAAiB;IAClC,wBAAwB,EAAE,oBAAoB;IAC9C,cAAc,EAAE,gBAAgB;CACjC,CAAC;AAEF,+CAA+C;AAC/C,MAAM,CAAC,MAAM,qBAAqB,GAAG,aAAa,CAAC;AAEnD,8DAA8D;AAC9D,MAAM,CAAC,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAE3D,kDAAkD;AAClD,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAU,CAAC;AAErF;sFACsF;AACtF,MAAM,CAAC,MAAM,wBAAwB,GAAG,WAAoB,CAAC;AAE7D,uCAAuC;AACvC,MAAM,CAAC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AACpD,MAAM,CAAC,MAAM,uBAAuB,GAAG,EAAE,CAAC;AAC1C,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,CAAW,WAAW;AAC3D,MAAM,CAAC,MAAM,eAAe,GAAG,0BAA0B,CAAC;AAC1D,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,CAAC,CAAO,QAAQ;AACxD,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AACzC,MAAM,CAAC,MAAM,0BAA0B,GAAG,EAAE,CAAC;AAC7C,MAAM,CAAC,MAAM,2BAA2B,GAAG,GAAG,CAAC,CAAC,YAAY;AAE5D,+CAA+C;AAC/C,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;IACtD,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM;IAClD,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO;IACtD,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS;IACjD,MAAM,EAAE,QAAQ,EAAE,MAAM;CAChB,CAAC;AAEX,0CAA0C;AAC1C,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,2BAA2B;IAC3B,iBAAiB;IACjB,iBAAiB;IACjB,cAAc;IACd,aAAa;CACL,CAAC"}

package/dist/credentials.d.ts

@@ -0,0 +1,190 @@
+import { type RingSignature } from './ring-signature.js';
+import { type RangeProof } from './range-proof.js';
+import type { NostrEvent, UnsignedEvent, CredentialParams, ParsedCredential, VerificationScope, TwoCredentialResult, CredentialChain, GuardianDelegationParams } from './types.js';
+/** Build an unsigned credential event */
+export declare function buildCredentialEvent(verifierPubkey: string, params: CredentialParams): UnsignedEvent;
+/** Create and sign a Tier 1 (self-declared) credential */
+export declare function createSelfDeclaredCredential(privateKey: string, scope?: VerificationScope, expiresAt?: number): Promise<NostrEvent>;
+/** Create and sign a Tier 2 (web-of-trust vouched) credential.
+ * Typically issued by an aggregator service when vouch threshold is met.
+ * Uses assertion-first hybrid pattern: references the subject's Tier 1 self-declaration. */
+export declare function createPeerVouchedCredential(issuerPrivateKey: string, subjectPubkey: string, opts: {
+    assertionEventId: string;
+    assertionRelay?: string;
+    expiresAt?: number;
+}): Promise<NostrEvent>;
+/** Create and sign a Tier 3 (professional verified adult) credential.
+ * Uses assertion-first hybrid pattern: references the subject's Tier 1 self-declaration. */
+export declare function createProfessionalCredential(verifierPrivateKey: string, subjectPubkey: string, opts: {
+    assertionEventId: string;
+    profession: string;
+    jurisdiction: string;
+    assertionRelay?: string;
+    expiresAt?: number;
+    occurredAt?: number;
+    proofBlob?: string;
+}): Promise<NostrEvent>;
+/** Create and sign a Tier 4 (professional verified adult+child) credential.
+ * Uses assertion-first hybrid pattern: references the subject's Tier 1 self-declaration. */
+export declare function createChildSafetyCredential(verifierPrivateKey: string, subjectPubkey: string, opts: {
+    assertionEventId: string;
+    profession: string;
+    jurisdiction: string;
+    ageRange: string;
+    assertionRelay?: string;
+    expiresAt?: number;
+    occurredAt?: number;
+    proofBlob?: string;
+}): Promise<NostrEvent>;
+/** Verify a credential event's signature and structure */
+export declare function verifyCredential(event: NostrEvent): Promise<{
+    signatureValid: boolean;
+    structureValid: boolean;
+    expired: boolean;
+    errors: string[];
+}>;
+/** Check if a credential is expired */
+export declare function isCredentialExpired(event: NostrEvent): boolean;
+/** Parse a credential event into a structured object */
+export declare function parseCredential(event: NostrEvent): ParsedCredential | null;
+/** Content structure for ring-signature-protected credentials */
+export interface RingProtectedContent {
+    ringSignature: RingSignature;
+    rangeProof?: RangeProof;
+}
+/**
+ * Create a Tier 3 credential with ring signature issuer privacy.
+ * The credential is signed by the verifier's Nostr key (for relay acceptance),
+ * but the content includes a ring signature proving "one of N verifiers" issued it.
+ */
+export declare function createRingProtectedCredential(verifierPrivateKey: string, subjectPubkey: string, ring: string[], signerIndex: number, opts: {
+    profession: string;
+    jurisdiction: string;
+    expiresAt?: number;
+}): Promise<NostrEvent>;
+/**
+ * Create a Tier 4 credential with ring signature AND age range proof.
+ */
+export declare function createRingProtectedChildCredential(verifierPrivateKey: string, subjectPubkey: string, ring: string[], signerIndex: number, opts: {
+    profession: string;
+    jurisdiction: string;
+    ageRange: string;
+    actualAge: number;
+    expiresAt?: number;
+}): Promise<NostrEvent>;
+/**
+ * Verify the ring signature and optional range proof inside a credential's content.
+ */
+export declare function verifyRingProtectedContent(event: NostrEvent): {
+    hasRingSignature: boolean;
+    ringValid: boolean;
+    hasRangeProof: boolean;
+    rangeProofValid: boolean;
+};
+/**
+ * Renew an expiring credential. Creates a new credential with the same parameters
+ * but a fresh expiry. Must be issued by the same verifier (or a new one for re-verification).
+ */
+export declare function renewCredential(verifierPrivateKey: string, existingCredential: NostrEvent, newExpiresAt?: number): Promise<NostrEvent>;
+/**
+ * Check if a credential needs renewal (within N days of expiry).
+ */
+export declare function needsRenewal(event: NostrEvent, withinDays?: number): boolean;
+/**
+ * Create a two-credential ceremony issuing Natural Person + Persona credentials.
+ * The verifier sees all documents but only publishes privacy-preserving tags.
+ */
+export declare function createTwoCredentialCeremony(verifierPrivateKey: string, naturalPersonPubkey: string, personaPubkey: string, opts: {
+    name: string;
+    nationality: string;
+    documentType: string;
+    documentNumber: string;
+    documentCountry: string;
+    dateOfBirth: string;
+    profession: string;
+    jurisdiction: string;
+    ageRange?: string;
+    guardianPubkeys?: string[];
+    expiresAt?: number;
+    occurredAt?: number;
+}): Promise<TwoCredentialResult>;
+/**
+ * Issue a new credential that supersedes an existing one.
+ * The old credential gets a superseded-by tag added (returned as updated event).
+ */
+export declare function supersedeCredential(verifierPrivateKey: string, oldCredential: NostrEvent, newParams: Partial<CredentialParams> & {
+    subjectPubkey: string;
+}): Promise<{
+    newCredential: NostrEvent;
+    oldCredential: NostrEvent;
+}>;
+/**
+ * Follow supersedes/superseded-by chain to find current active credential.
+ */
+export declare function resolveCredentialChain(events: NostrEvent[]): CredentialChain | null;
+/**
+ * Check if a credential has been superseded.
+ */
+export declare function isSuperseded(event: NostrEvent): boolean;
+/**
+ * Compute a deterministic nullifier from document details.
+ * Uses length-prefixed encoding to prevent field-boundary collisions:
+ *   SHA-256( len(docType) + docType + len(country) + country + len(docNum) + docNum + domainTag )
+ *
+ * Each field is prefixed with its UTF-8 byte length as a 2-byte big-endian uint16,
+ * followed by a fixed domain separation tag.
+ */
+export declare function computeNullifier(documentType: string, countryCode: string, documentNumber: string): string;
+/**
+ * Check if a nullifier already exists in a set of credentials.
+ * Returns the conflicting credential if found.
+ */
+export declare function checkNullifierDuplicate(nullifier: string, existingCredentials: NostrEvent[]): {
+    isDuplicate: boolean;
+    conflicting?: NostrEvent;
+};
+/**
+ * Build a nullifier-chain tag linking old and new nullifiers (for document renewal).
+ */
+export declare function buildNullifierChainTag(oldNullifier: string): string[][];
+export interface DocumentDescriptor {
+    documentType: string;
+    countryCode: string;
+    documentNumber: string;
+}
+export interface NullifierFamily {
+    /** Primary nullifier (first document) */
+    primary: string;
+    /** All nullifiers in the family (including primary) */
+    nullifiers: Array<{
+        documentType: string;
+        nullifier: string;
+    }>;
+}
+/**
+ * Compute nullifiers for ALL documents presented during a verification ceremony.
+ * Returns a nullifier family containing all nullifiers. Collision with ANY nullifier
+ * in ANY family triggers duplicate detection.
+ */
+export declare function computeNullifierFamily(documents: DocumentDescriptor[]): NullifierFamily;
+/**
+ * Build nullifier-family tags for a credential event.
+ * The primary nullifier is stored in the 'nullifier' tag (backwards compatible).
+ * Additional nullifiers are stored in 'nullifier-family' tags.
+ */
+export declare function buildNullifierFamilyTags(family: NullifierFamily): string[][];
+/**
+ * Check if ANY nullifier in a family collides with ANY nullifier in existing credentials.
+ * This catches attempts to use different documents for the same person.
+ */
+export declare function checkNullifierFamilyDuplicate(family: NullifierFamily, existingCredentials: NostrEvent[]): {
+    isDuplicate: boolean;
+    conflicting?: NostrEvent;
+    matchedNullifier?: string;
+};
+/**
+ * Create a guardian delegation event (kind 31000, type: delegation).
+ * Allows a guardian to delegate specific permissions to another adult for a child.
+ */
+export declare function createGuardianDelegation(guardianPrivateKey: string, params: GuardianDelegationParams): Promise<NostrEvent>;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAOA,OAAO,EAAwB,KAAK,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAA4C,KAAK,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE7F,OAAO,KAAK,EACV,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAGhB,iBAAiB,EAGjB,mBAAmB,EACnB,eAAe,EACf,wBAAwB,EAGzB,MAAM,YAAY,CAAC;AAGpB,yCAAyC;AACzC,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,MAAM,EACtB,MAAM,EAAE,gBAAgB,GACvB,aAAa,CA8Cf;AAED,0DAA0D;AAC1D,wBAAsB,4BAA4B,CAChD,UAAU,EAAE,MAAM,EAClB,KAAK,GAAE,iBAA2B,EAClC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED;;4FAE4F;AAC5F,wBAAsB,2BAA2B,CAC/C,gBAAgB,EAAE,MAAM,EACxB,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE;IACJ,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,UAAU,CAAC,CAarB;AAED;4FAC4F;AAC5F,wBAAsB,4BAA4B,CAChD,kBAAkB,EAAE,MAAM,EAC1B,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE;IACJ,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,UAAU,CAAC,CAiBrB;AAED;4FAC4F;AAC5F,wBAAsB,2BAA2B,CAC/C,kBAAkB,EAAE,MAAM,EAC1B,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE;IACJ,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,UAAU,CAAC,CAkBrB;AAED,0DAA0D;AAC1D,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC;IACjE,cAAc,EAAE,OAAO,CAAC;IACxB,cAAc,EAAE,OAAO,CAAC;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAAC,CAYD;AAED,uCAAuC;AACvC,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAM9D;AAED,wDAAwD;AACxD,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,gBAAgB,GAAG,IAAI,CAwC1E;AAID,iEAAiE;AACjE,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAsB,6BAA6B,CACjD,kBAAkB,EAAE,MAAM,EAC1B,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE,MAAM,EAAE,EACd,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;IACJ,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,UAAU,CAAC,CAoCrB;AAED;;GAEG;AACH,wBAAsB,kCAAkC,CACtD,kBAAkB,EAAE,MAAM,EAC1B,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE,MAAM,EAAE,EACd,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;IACJ,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,UAAU,CAAC,CA2CrB;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,UAAU,GAAG;IAC7D,gBAAgB,EAAE,OAAO,CAAC;IAC1B,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,OAAO,CAAC;IACvB,eAAe,EAAE,OAAO,CAAC;CAC1B,CA0DA;AAID;;;GAGG;AACH,wBAAsB,eAAe,CACnC,kBAAkB,EAAE,MAAM,EAC1B,kBAAkB,EAAE,UAAU,EAC9B,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,UAAU,CAAC,CAoBrB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,UAAU,GAAE,MAAW,GAAG,OAAO,CAWhF;AAID;;;GAGG;AACH,wBAAsB,2BAA2B,CAC/C,kBAAkB,EAAE,MAAM,EAC1B,mBAAmB,EAAE,MAAM,EAC3B,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE;IACJ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GACA,OAAO,CAAC,mBAAmB,CAAC,CA6E9B;AAyBD;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,kBAAkB,EAAE,MAAM,EAC1B,aAAa,EAAE,UAAU,EACzB,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG;IAAE,aAAa,EAAE,MAAM,CAAA;CAAE,GAC/D,OAAO,CAAC;IAAE,aAAa,EAAE,UAAU,CAAC;IAAC,aAAa,EAAE,UAAU,CAAA;CAAE,CAAC,CAiCnE;AAID;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,eAAe,GAAG,IAAI,CA6CnF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAEvD;AAID;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAqB1G;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,UAAU,EAAE,GAChC;IAAE,WAAW,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,UAAU,CAAA;CAAE,CAQpD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,CAEvE;AAID,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,yCAAyC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,uDAAuD;IACvD,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChE;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,kBAAkB,EAAE,GAAG,eAAe,CAcvF;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,EAAE,EAAE,CAQ5E;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,eAAe,EACvB,mBAAmB,EAAE,UAAU,EAAE,GAChC;IAAE,WAAW,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,UAAU,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAuB/E;AAID;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,kBAAkB,EAAE,MAAM,EAC1B,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,UAAU,CAAC,CA6BrB"}