1id 0.1.0

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Crypt Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,151 @@
+# 1id
+
+Hardware-anchored identity SDK for AI agents — [1id.com](https://1id.com)
+
+[![npm version](https://img.shields.io/npm/v/1id.svg)](https://www.npmjs.com/package/1id)
+[![License: Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
+
+## What is 1id.com?
+
+An identity registrar for AI agents. Like a passport office, but for software.
+
+- **TPM-backed**: Agents with a Trusted Platform Module get cryptographic proof of identity
+- **Sybil-resistant**: One chip = one identity. No farming.
+- **Standards-based**: OAuth2, OIDC, JWT — your existing libraries work
+- **Free**: Enrollment and authentication cost nothing
+
+## Installation
+
+```bash
+npm install 1id
+```
+
+Requires Node.js 18 or later. Zero runtime dependencies.
+
+## Quick Start
+
+```typescript
+import oneid from "1id";
+
+// Enroll at declared tier (no TPM required, always works)
+const identity = await oneid.enroll({ request_tier: "declared" });
+console.log(`Enrolled as ${identity.handle}`);
+
+// Get an OAuth2 token for authentication
+const token = await oneid.getToken();
+console.log(`Bearer ${token.access_token}`);
+
+// Check current identity
+const me = oneid.whoami();
+console.log(`I am ${me.handle} (tier: ${me.trust_tier})`);
+```
+
+## Trust Tiers
+
+| Tier | Hardware | Sybil Resistance |
+|------|----------|-----------------|
+| `sovereign` | TPM (discrete/firmware) | Highest — manufacturer-attested |
+| `sovereign-portable` | YubiKey / Nitrokey | High — manufacturer-attested |
+| `virtual` | VMware/Hyper-V vTPM | Medium — hypervisor-attested |
+| `declared` | None (software keys) | Lowest — self-asserted |
+
+**CRITICAL**: `request_tier` is a REQUIREMENT, not a preference. You get exactly what you ask for, or an exception. No silent fallbacks.
+
+## API
+
+### `oneid.enroll(options)`
+
+Enroll this agent with 1id.com.
+
+```typescript
+const identity = await oneid.enroll({
+  request_tier: "declared",           // REQUIRED: trust tier
+  key_algorithm: "ed25519",           // Optional: ed25519 (default), ecdsa-p256, rsa-2048, etc.
+  requested_handle: "my-agent",       // Optional: vanity handle (without @)
+  operator_email: "human@example.com" // Optional: human contact
+});
+```
+
+### `oneid.getToken()`
+
+Get a valid OAuth2 access token (cached, auto-refreshes).
+
+```typescript
+const token = await oneid.getToken();
+// Use token.access_token as a Bearer token
+```
+
+### `oneid.whoami()`
+
+Read the local identity (no network call).
+
+```typescript
+const me = oneid.whoami();
+// me.internal_id, me.handle, me.trust_tier, etc.
+```
+
+### `oneid.credentials_exist()`
+
+Check if the agent has enrolled.
+
+```typescript
+if (!oneid.credentials_exist()) {
+  await oneid.enroll({ request_tier: "declared" });
+}
+```
+
+## Error Handling
+
+All errors extend `OneIDError`:
+
+```typescript
+import { OneIDError, NoHSMError, EnrollmentError, NetworkError } from "1id";
+
+try {
+  await oneid.enroll({ request_tier: "sovereign" });
+} catch (e) {
+  if (e instanceof NoHSMError) {
+    console.log("No TPM found — try 'declared' tier");
+  } else if (e instanceof NetworkError) {
+    console.log("Server unreachable — check connection");
+  }
+}
+```
+
+## Architecture
+
+The SDK uses a two-tier architecture:
+
+1. **TypeScript SDK** (this package) — handles enrollment orchestration, credential storage, OAuth2 token management, and software key operations using Node.js built-in `crypto`
+2. **Go binary** (`oneid-enroll`) — handles all TPM/HSM hardware operations. Auto-downloaded from [GitHub releases](https://github.com/AuraFriday/oneid-enroll/releases) when needed
+
+For `declared` tier enrollment, only the TypeScript SDK is needed. For `sovereign` (TPM) tier, the Go binary is automatically fetched.
+
+## Credential Storage
+
+Credentials are stored at:
+- **Windows**: `%APPDATA%\oneid\credentials.json`
+- **Linux/macOS**: `~/.config/oneid/credentials.json`
+
+Permissions are set to owner-only (0600 on Unix).
+
+## Python SDK
+
+The Python equivalent is available as [`oneid`](https://pypi.org/project/oneid/) on PyPI:
+
+```bash
+pip install oneid
+```
+
+Both SDKs share the same API design and credential format.
+
+## License
+
+Apache 2.0 — see [LICENSE](LICENSE).
+
+## Links
+
+- [1id.com](https://1id.com) — Service homepage
+- [Enrollment guide](https://1id.com/enroll.md) — Machine-readable enrollment instructions
+- [Python SDK](https://pypi.org/project/oneid/) — `pip install oneid`
+- [Go binary](https://github.com/AuraFriday/oneid-enroll) — TPM/HSM helper

package/dist/auth.d.ts

@@ -0,0 +1,55 @@
+/**
+ * OAuth2 token management for the 1id.com Node.js SDK.
+ *
+ * After enrollment, agents authenticate using standard OAuth2
+ * client_credentials grant. No TPM operations needed for daily use.
+ *
+ * This module handles:
+ * - Token acquisition (client_credentials grant)
+ * - Token caching (in-memory, with expiry awareness)
+ * - Token refresh
+ * - Authorization header formatting
+ */
+import { type StoredCredentials } from "./credentials.js";
+import type { Token } from "./identity.js";
+/**
+ * Get a valid OAuth2 access token, refreshing if needed.
+ *
+ * This is the primary authentication method for daily use. It uses
+ * the OAuth2 client_credentials grant with the credentials stored
+ * during enrollment.
+ *
+ * Tokens are cached in memory and automatically refreshed when they
+ * are within 60s of expiry.
+ *
+ * @param force_refresh If true, always fetch a new token even if cached.
+ * @param credentials Optional pre-loaded credentials.
+ * @returns A valid Token object.
+ * @throws NotEnrolledError if no credentials file exists.
+ * @throws AuthenticationError if the token request fails.
+ * @throws NetworkError if the token endpoint cannot be reached.
+ */
+export declare function get_token(force_refresh?: boolean, credentials?: StoredCredentials | null): Promise<Token>;
+/**
+ * Clear the in-memory cached token.
+ *
+ * Useful for testing or when credentials have changed.
+ */
+export declare function clear_cached_token(): void;
+/**
+ * Authenticate using the TPM -- passwordless, zero-elevation sign-in.
+ *
+ * This is the "OAuth for agents" flow:
+ *   1. Requests a challenge nonce from the server
+ *   2. Signs it with the TPM AK (no elevation needed)
+ *   3. Sends the signature back to the server
+ *   4. Server verifies and issues a JWT
+ *
+ * @param identity_id The 1id internal ID. If null, loaded from credentials.
+ * @param ak_handle The AK persistent handle (hex). If null, loaded from credentials.
+ * @param api_base_url Base URL for the 1id API.
+ * @param credentials Pre-loaded credentials. If null, loaded from file.
+ * @returns A valid Token object.
+ */
+export declare function authenticate_with_tpm(identity_id?: string | null, ak_handle?: string | null, api_base_url?: string | null, credentials?: StoredCredentials | null): Promise<Token>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,KAAK,iBAAiB,EAAoB,MAAM,kBAAkB,CAAC;AAE5E,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAU3C;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,SAAS,CAC7B,aAAa,GAAE,OAAe,EAC9B,WAAW,CAAC,EAAE,iBAAiB,GAAG,IAAI,GACrC,OAAO,CAAC,KAAK,CAAC,CAmBhB;AA0CD;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,qBAAqB,CACzC,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,EAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,EACzB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,EAC5B,WAAW,CAAC,EAAE,iBAAiB,GAAG,IAAI,GACrC,OAAO,CAAC,KAAK,CAAC,CA2FhB"}

package/dist/auth.js

@@ -0,0 +1,188 @@
+/**
+ * OAuth2 token management for the 1id.com Node.js SDK.
+ *
+ * After enrollment, agents authenticate using standard OAuth2
+ * client_credentials grant. No TPM operations needed for daily use.
+ *
+ * This module handles:
+ * - Token acquisition (client_credentials grant)
+ * - Token caching (in-memory, with expiry awareness)
+ * - Token refresh
+ * - Authorization header formatting
+ */
+import { load_credentials } from "./credentials.js";
+import { AuthenticationError, NetworkError } from "./exceptions.js";
+import { OneIDAPIClient } from "./client.js";
+// -- Configuration --
+const TOKEN_REFRESH_MARGIN_MILLISECONDS = 60_000; // Refresh tokens 60s before expiry
+const TOKEN_REQUEST_TIMEOUT_MILLISECONDS = 15_000;
+// -- Module-level token cache --
+let cached_token = null;
+/**
+ * Get a valid OAuth2 access token, refreshing if needed.
+ *
+ * This is the primary authentication method for daily use. It uses
+ * the OAuth2 client_credentials grant with the credentials stored
+ * during enrollment.
+ *
+ * Tokens are cached in memory and automatically refreshed when they
+ * are within 60s of expiry.
+ *
+ * @param force_refresh If true, always fetch a new token even if cached.
+ * @param credentials Optional pre-loaded credentials.
+ * @returns A valid Token object.
+ * @throws NotEnrolledError if no credentials file exists.
+ * @throws AuthenticationError if the token request fails.
+ * @throws NetworkError if the token endpoint cannot be reached.
+ */
+export async function get_token(force_refresh = false, credentials) {
+    // Check if cached token is still valid (with margin)
+    if (!force_refresh && cached_token != null) {
+        const margin_adjusted_expiry = new Date(cached_token.expires_at.getTime() - TOKEN_REFRESH_MARGIN_MILLISECONDS);
+        if (new Date() < margin_adjusted_expiry) {
+            return cached_token;
+        }
+    }
+    // Load credentials
+    if (credentials == null) {
+        credentials = load_credentials();
+    }
+    // Request a new token
+    const token = await request_token_from_keycloak(credentials);
+    cached_token = token;
+    return token;
+}
+/**
+ * Request a new access token from Keycloak using client_credentials grant.
+ */
+async function request_token_from_keycloak(credentials) {
+    const api_client = new OneIDAPIClient(credentials.api_base_url, TOKEN_REQUEST_TIMEOUT_MILLISECONDS);
+    let token_response;
+    try {
+        token_response = await api_client.get_token_with_client_credentials(credentials.client_id, credentials.client_secret);
+    }
+    catch (error) {
+        if (error instanceof NetworkError || error instanceof AuthenticationError) {
+            throw error;
+        }
+        throw new AuthenticationError(`Token request failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const access_token = token_response.access_token;
+    if (!access_token) {
+        throw new AuthenticationError("Token response missing 'access_token' field");
+    }
+    const expires_in_seconds = token_response.expires_in ?? 3600;
+    const expires_at = new Date(Date.now() + expires_in_seconds * 1000);
+    return {
+        access_token,
+        token_type: token_response.token_type ?? "Bearer",
+        expires_at,
+        refresh_token: token_response.refresh_token ?? null,
+    };
+}
+/**
+ * Clear the in-memory cached token.
+ *
+ * Useful for testing or when credentials have changed.
+ */
+export function clear_cached_token() {
+    cached_token = null;
+}
+// ---------------------------------------------------------------------------
+// TPM-backed passwordless authentication (sovereign/virtual tier)
+// ---------------------------------------------------------------------------
+/**
+ * Authenticate using the TPM -- passwordless, zero-elevation sign-in.
+ *
+ * This is the "OAuth for agents" flow:
+ *   1. Requests a challenge nonce from the server
+ *   2. Signs it with the TPM AK (no elevation needed)
+ *   3. Sends the signature back to the server
+ *   4. Server verifies and issues a JWT
+ *
+ * @param identity_id The 1id internal ID. If null, loaded from credentials.
+ * @param ak_handle The AK persistent handle (hex). If null, loaded from credentials.
+ * @param api_base_url Base URL for the 1id API.
+ * @param credentials Pre-loaded credentials. If null, loaded from file.
+ * @returns A valid Token object.
+ */
+export async function authenticate_with_tpm(identity_id, ak_handle, api_base_url, credentials) {
+    // Load credentials if not provided
+    if (credentials == null) {
+        credentials = load_credentials();
+    }
+    if (identity_id == null) {
+        identity_id = credentials.client_id;
+    }
+    if (ak_handle == null) {
+        ak_handle = credentials.hsm_key_reference ?? null;
+        if (!ak_handle) {
+            throw new AuthenticationError("No AK handle found in credentials. TPM authentication requires " +
+                "a sovereign or virtual tier enrollment with a TPM.");
+        }
+    }
+    if (api_base_url == null) {
+        api_base_url = credentials.api_base_url;
+    }
+    // Step 1: Request a challenge nonce from the server
+    const api_client = new OneIDAPIClient(api_base_url, TOKEN_REQUEST_TIMEOUT_MILLISECONDS);
+    let challenge_data;
+    try {
+        challenge_data = await api_client["_make_request"]("POST", "/api/v1/auth/challenge", {
+            identity_id,
+        });
+    }
+    catch (error) {
+        if (error instanceof NetworkError) {
+            throw error;
+        }
+        throw new AuthenticationError(`Challenge request failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const challenge_id = challenge_data.challenge_id;
+    const nonce_b64 = challenge_data.nonce_b64;
+    if (!challenge_id || !nonce_b64) {
+        throw new AuthenticationError("Server returned incomplete challenge response");
+    }
+    // Step 2: Sign the nonce with the TPM AK (NO elevation needed)
+    const { sign_challenge_with_tpm } = await import("./helper.js");
+    const sign_result = await sign_challenge_with_tpm(nonce_b64, ak_handle);
+    const signature_b64 = sign_result.signature_b64 ?? "";
+    if (!signature_b64) {
+        throw new AuthenticationError("TPM signing returned empty signature");
+    }
+    // Step 3: Send the signature to the server for verification
+    let verify_data;
+    try {
+        verify_data = await api_client["_make_request"]("POST", "/api/v1/auth/verify", {
+            challenge_id,
+            signature_b64,
+        });
+    }
+    catch (error) {
+        if (error instanceof NetworkError) {
+            throw error;
+        }
+        throw new AuthenticationError(`TPM authentication failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    if (!verify_data.authenticated) {
+        throw new AuthenticationError("Server did not confirm authentication");
+    }
+    // Extract token from response
+    const tokens = verify_data.tokens;
+    if (tokens?.access_token) {
+        const expires_in_seconds = tokens.expires_in ?? 3600;
+        const token = {
+            access_token: tokens.access_token,
+            token_type: tokens.token_type ?? "Bearer",
+            expires_at: new Date(Date.now() + expires_in_seconds * 1000),
+            refresh_token: tokens.refresh_token ?? null,
+        };
+        cached_token = token;
+        return token;
+    }
+    else {
+        throw new AuthenticationError("TPM signature verified but no tokens were issued. " +
+            "The Keycloak token endpoint may be unavailable.");
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAA0B,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,sBAAsB;AACtB,MAAM,iCAAiC,GAAG,MAAM,CAAC,CAAC,mCAAmC;AACrF,MAAM,kCAAkC,GAAG,MAAM,CAAC;AAElD,iCAAiC;AACjC,IAAI,YAAY,GAAiB,IAAI,CAAC;AAEtC;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,gBAAyB,KAAK,EAC9B,WAAsC;IAEtC,qDAAqD;IACrD,IAAI,CAAC,aAAa,IAAI,YAAY,IAAI,IAAI,EAAE,CAAC;QAC3C,MAAM,sBAAsB,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,iCAAiC,CAAC,CAAC;QAC/G,IAAI,IAAI,IAAI,EAAE,GAAG,sBAAsB,EAAE,CAAC;YACxC,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;QACxB,WAAW,GAAG,gBAAgB,EAAE,CAAC;IACnC,CAAC;IAED,sBAAsB;IACtB,MAAM,KAAK,GAAG,MAAM,2BAA2B,CAAC,WAAW,CAAC,CAAC;IAC7D,YAAY,GAAG,KAAK,CAAC;IAErB,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,2BAA2B,CAAC,WAA8B;IACvE,MAAM,UAAU,GAAG,IAAI,cAAc,CACnC,WAAW,CAAC,YAAY,EACxB,kCAAkC,CACnC,CAAC;IAEF,IAAI,cAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,cAAc,GAAG,MAAM,UAAU,CAAC,iCAAiC,CACjE,WAAW,CAAC,SAAS,EACrB,WAAW,CAAC,aAAa,CAC1B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,YAAY,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YAC1E,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,IAAI,mBAAmB,CAC3B,yBAAyB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,cAAc,CAAC,YAAsB,CAAC;IAC3D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,mBAAmB,CAAC,6CAA6C,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,kBAAkB,GAAI,cAAc,CAAC,UAAqB,IAAI,IAAI,CAAC;IACzE,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAEpE,OAAO;QACL,YAAY;QACZ,UAAU,EAAG,cAAc,CAAC,UAAqB,IAAI,QAAQ;QAC7D,UAAU;QACV,aAAa,EAAG,cAAc,CAAC,aAAwB,IAAI,IAAI;KAChE,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,YAAY,GAAG,IAAI,CAAC;AACtB,CAAC;AAED,8EAA8E;AAC9E,kEAAkE;AAClE,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,WAA2B,EAC3B,SAAyB,EACzB,YAA4B,EAC5B,WAAsC;IAEtC,mCAAmC;IACnC,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;QACxB,WAAW,GAAG,gBAAgB,EAAE,CAAC;IACnC,CAAC;IAED,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;QACxB,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC;IACtC,CAAC;IAED,IAAI,SAAS,IAAI,IAAI,EAAE,CAAC;QACtB,SAAS,GAAG,WAAW,CAAC,iBAAiB,IAAI,IAAI,CAAC;QAClD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,mBAAmB,CAC3B,iEAAiE;gBACjE,oDAAoD,CACrD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,YAAY,IAAI,IAAI,EAAE,CAAC;QACzB,YAAY,GAAG,WAAW,CAAC,YAAY,CAAC;IAC1C,CAAC;IAED,oDAAoD;IACpD,MAAM,UAAU,GAAG,IAAI,cAAc,CAAC,YAAY,EAAE,kCAAkC,CAAC,CAAC;IAExF,IAAI,cAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,cAAc,GAAG,MAAM,UAAU,CAAC,eAAe,CAAC,CAAC,MAAM,EAAE,wBAAwB,EAAE;YACnF,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,YAAY,EAAE,CAAC;YAAC,MAAM,KAAK,CAAC;QAAC,CAAC;QACnD,MAAM,IAAI,mBAAmB,CAC3B,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,cAAc,CAAC,YAAsB,CAAC;IAC3D,MAAM,SAAS,GAAG,cAAc,CAAC,SAAmB,CAAC;IAErD,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,mBAAmB,CAAC,+CAA+C,CAAC,CAAC;IACjF,CAAC;IAED,+DAA+D;IAC/D,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAChE,MAAM,WAAW,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACxE,MAAM,aAAa,GAAG,WAAW,CAAC,aAAa,IAAI,EAAE,CAAC;IAEtD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,mBAAmB,CAAC,sCAAsC,CAAC,CAAC;IACxE,CAAC;IAED,4DAA4D;IAC5D,IAAI,WAAoC,CAAC;IACzC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,UAAU,CAAC,eAAe,CAAC,CAAC,MAAM,EAAE,qBAAqB,EAAE;YAC7E,YAAY;YACZ,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,YAAY,EAAE,CAAC;YAAC,MAAM,KAAK,CAAC;QAAC,CAAC;QACnD,MAAM,IAAI,mBAAmB,CAC3B,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACvF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QAC/B,MAAM,IAAI,mBAAmB,CAAC,uCAAuC,CAAC,CAAC;IACzE,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,WAAW,CAAC,MAA6C,CAAC;IACzE,IAAI,MAAM,EAAE,YAAY,EAAE,CAAC;QACzB,MAAM,kBAAkB,GAAI,MAAM,CAAC,UAAqB,IAAI,IAAI,CAAC;QACjE,MAAM,KAAK,GAAU;YACnB,YAAY,EAAE,MAAM,CAAC,YAAsB;YAC3C,UAAU,EAAG,MAAM,CAAC,UAAqB,IAAI,QAAQ;YACrD,UAAU,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,kBAAkB,GAAG,IAAI,CAAC;YAC5D,aAAa,EAAG,MAAM,CAAC,aAAwB,IAAI,IAAI;SACxD,CAAC;QACF,YAAY,GAAG,KAAK,CAAC;QACrB,OAAO,KAAK,CAAC;IACf,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,mBAAmB,CAC3B,oDAAoD;YACpD,iDAAiD,CAClD,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,57 @@
+/**
+ * HTTP client for the 1id.com Enrollment API.
+ *
+ * Uses Node.js built-in `https`/`http` modules -- zero external dependencies.
+ *
+ * Handles all HTTP communication with the 1id.com server, including:
+ * - Enrollment requests (declared and sovereign tiers)
+ * - Identity lookups
+ * - Handle management
+ * - Error response mapping to SDK exceptions
+ *
+ * All responses follow the 1id.com API envelope:
+ *   {"ok": true, "data": {...}, "error": null}
+ *   {"ok": false, "data": null, "error": {"code": "...", "message": "..."}}
+ */
+/**
+ * HTTP client for the 1id.com enrollment and identity API.
+ *
+ * Wraps Node.js http/https with 1id-specific error handling. All methods
+ * throw SDK exceptions on failure, never raw HTTP errors.
+ */
+export declare class OneIDAPIClient {
+    readonly api_base_url: string;
+    readonly timeout_milliseconds: number;
+    constructor(api_base_url?: string, timeout_milliseconds?: number);
+    /**
+     * Make an HTTP request to the 1id.com API and parse the envelope response.
+     */
+    private _make_request;
+    /**
+     * Enroll a new identity at the declared trust tier (no HSM required).
+     */
+    enroll_declared(software_key_pem: string, key_algorithm: string, operator_email?: string | null, requested_handle?: string | null): Promise<Record<string, unknown>>;
+    /**
+     * Begin TPM/HSM-based enrollment (sovereign/sovereign-portable tiers).
+     */
+    enroll_begin(ek_certificate_pem: string, ak_public_key_pem: string, ak_tpmt_public_b64?: string, ek_public_key_pem?: string, ek_certificate_chain_pem?: string[], hsm_type?: string, operator_email?: string | null, requested_handle?: string | null): Promise<Record<string, unknown>>;
+    /**
+     * Complete TPM/HSM-based enrollment by proving HSM possession.
+     */
+    enroll_activate(enrollment_session_id: string, decrypted_credential: string): Promise<Record<string, unknown>>;
+    /**
+     * Look up public identity information for an agent.
+     */
+    get_identity(agent_id: string): Promise<Record<string, unknown>>;
+    /**
+     * Get an OAuth2 access token using the client_credentials grant.
+     *
+     * NOTE: Keycloak token endpoint expects form-urlencoded, not JSON.
+     */
+    get_token_with_client_credentials(client_id: string, client_secret: string): Promise<Record<string, unknown>>;
+    /**
+     * Check whether a vanity handle is available.
+     */
+    check_handle_availability(handle_name: string): Promise<Record<string, unknown>>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA6FH;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,SAAgB,YAAY,EAAE,MAAM,CAAC;IACrC,SAAgB,oBAAoB,EAAE,MAAM,CAAC;gBAG3C,YAAY,GAAE,MAA6B,EAC3C,oBAAoB,GAAE,MAA0C;IAMlE;;OAEG;YACW,aAAa;IAyB3B;;OAEG;IACG,eAAe,CACnB,gBAAgB,EAAE,MAAM,EACxB,aAAa,EAAE,MAAM,EACrB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAWnC;;OAEG;IACG,YAAY,CAChB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,EACzB,kBAAkB,GAAE,MAAW,EAC/B,iBAAiB,GAAE,MAAW,EAC9B,wBAAwB,CAAC,EAAE,MAAM,EAAE,EACnC,QAAQ,GAAE,MAAc,EACxB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAenC;;OAEG;IACG,eAAe,CACnB,qBAAqB,EAAE,MAAM,EAC7B,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAOnC;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAItE;;;;OAIG;IACG,iCAAiC,CACrC,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAuEnC;;OAEG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAGvF"}