1id 0.1.0

package/dist/client.js

@@ -0,0 +1,224 @@
+/**
+ * HTTP client for the 1id.com Enrollment API.
+ *
+ * Uses Node.js built-in `https`/`http` modules -- zero external dependencies.
+ *
+ * Handles all HTTP communication with the 1id.com server, including:
+ * - Enrollment requests (declared and sovereign tiers)
+ * - Identity lookups
+ * - Handle management
+ * - Error response mapping to SDK exceptions
+ *
+ * All responses follow the 1id.com API envelope:
+ *   {"ok": true, "data": {...}, "error": null}
+ *   {"ok": false, "data": null, "error": {"code": "...", "message": "..."}}
+ */
+import * as https from "node:https";
+import * as http from "node:http";
+import { DEFAULT_API_BASE_URL } from "./credentials.js";
+import { EnrollmentError, NetworkError, raise_from_server_error_response, } from "./exceptions.js";
+// -- HTTP client configuration --
+const DEFAULT_HTTP_TIMEOUT_MILLISECONDS = 30_000;
+const USER_AGENT = "oneid-sdk-node/0.1.0";
+/**
+ * Make a raw HTTP(S) request and return the parsed JSON body.
+ * Uses only Node.js built-in modules.
+ */
+function make_http_request(base_url, options, timeout_milliseconds) {
+    return new Promise((resolve, reject) => {
+        const url = new URL(options.path, base_url);
+        const is_https = url.protocol === "https:";
+        const transport = is_https ? https : http;
+        const request_headers = {
+            "User-Agent": USER_AGENT,
+            "Accept": "application/json",
+            ...options.headers,
+        };
+        let request_body_string;
+        if (options.json_body != null) {
+            request_body_string = JSON.stringify(options.json_body);
+            request_headers["Content-Type"] = "application/json";
+            request_headers["Content-Length"] = Buffer.byteLength(request_body_string).toString();
+        }
+        const req = transport.request({
+            hostname: url.hostname,
+            port: url.port || (is_https ? 443 : 80),
+            path: url.pathname + url.search,
+            method: options.method,
+            headers: request_headers,
+            timeout: timeout_milliseconds,
+        }, (res) => {
+            const chunks = [];
+            res.on("data", (chunk) => { chunks.push(chunk); });
+            res.on("end", () => {
+                const raw_body = Buffer.concat(chunks).toString("utf-8");
+                try {
+                    const parsed_body = JSON.parse(raw_body);
+                    resolve({ status_code: res.statusCode ?? 0, body: parsed_body });
+                }
+                catch {
+                    reject(new NetworkError(`Invalid JSON response from ${url.href} (HTTP ${res.statusCode}): ${raw_body.slice(0, 200)}`));
+                }
+            });
+        });
+        req.on("error", (error) => {
+            reject(new NetworkError(`Could not connect to ${base_url}: ${error.message}`));
+        });
+        req.on("timeout", () => {
+            req.destroy();
+            reject(new NetworkError(`Request to ${url.href} timed out after ${timeout_milliseconds}ms`));
+        });
+        if (request_body_string != null) {
+            req.write(request_body_string);
+        }
+        req.end();
+    });
+}
+/**
+ * HTTP client for the 1id.com enrollment and identity API.
+ *
+ * Wraps Node.js http/https with 1id-specific error handling. All methods
+ * throw SDK exceptions on failure, never raw HTTP errors.
+ */
+export class OneIDAPIClient {
+    api_base_url;
+    timeout_milliseconds;
+    constructor(api_base_url = DEFAULT_API_BASE_URL, timeout_milliseconds = DEFAULT_HTTP_TIMEOUT_MILLISECONDS) {
+        this.api_base_url = api_base_url.replace(/\/+$/, "");
+        this.timeout_milliseconds = timeout_milliseconds;
+    }
+    /**
+     * Make an HTTP request to the 1id.com API and parse the envelope response.
+     */
+    async _make_request(method, api_path, json_body, headers) {
+        const response = await make_http_request(this.api_base_url, { method, path: api_path, json_body, headers }, this.timeout_milliseconds);
+        const response_body = response.body;
+        // Check for the standard 1id error envelope
+        if (!response_body?.ok) {
+            const error_info = (response_body?.error ?? {});
+            const error_code = error_info.code ?? "UNKNOWN_ERROR";
+            const error_message = error_info.message ?? `Server returned HTTP ${response.status_code}`;
+            raise_from_server_error_response(error_code, error_message);
+        }
+        return (response_body.data ?? {});
+    }
+    /**
+     * Enroll a new identity at the declared trust tier (no HSM required).
+     */
+    async enroll_declared(software_key_pem, key_algorithm, operator_email, requested_handle) {
+        const request_body = {
+            software_key_pem,
+            key_algorithm,
+        };
+        if (operator_email != null) {
+            request_body["operator_email"] = operator_email;
+        }
+        if (requested_handle != null) {
+            request_body["requested_handle"] = requested_handle;
+        }
+        return this._make_request("POST", "/api/v1/enroll/declared", request_body);
+    }
+    /**
+     * Begin TPM/HSM-based enrollment (sovereign/sovereign-portable tiers).
+     */
+    async enroll_begin(ek_certificate_pem, ak_public_key_pem, ak_tpmt_public_b64 = "", ek_public_key_pem = "", ek_certificate_chain_pem, hsm_type = "tpm", operator_email, requested_handle) {
+        const request_body = {
+            ek_certificate_pem,
+            ek_public_key_pem,
+            ak_public_key_pem,
+            ak_tpmt_public_b64,
+            hsm_type,
+        };
+        if (ek_certificate_chain_pem) {
+            request_body["ek_certificate_chain_pem"] = ek_certificate_chain_pem;
+        }
+        if (operator_email != null) {
+            request_body["operator_email"] = operator_email;
+        }
+        if (requested_handle != null) {
+            request_body["requested_handle"] = requested_handle;
+        }
+        return this._make_request("POST", "/api/v1/enroll/begin", request_body);
+    }
+    /**
+     * Complete TPM/HSM-based enrollment by proving HSM possession.
+     */
+    async enroll_activate(enrollment_session_id, decrypted_credential) {
+        return this._make_request("POST", "/api/v1/enroll/activate", {
+            enrollment_session_id,
+            decrypted_credential,
+        });
+    }
+    /**
+     * Look up public identity information for an agent.
+     */
+    async get_identity(agent_id) {
+        return this._make_request("GET", `/api/v1/identity/${agent_id}`);
+    }
+    /**
+     * Get an OAuth2 access token using the client_credentials grant.
+     *
+     * NOTE: Keycloak token endpoint expects form-urlencoded, not JSON.
+     */
+    async get_token_with_client_credentials(client_id, client_secret) {
+        const token_path = "/realms/agents/protocol/openid-connect/token";
+        const form_body = new URLSearchParams({
+            grant_type: "client_credentials",
+            client_id,
+            client_secret,
+        }).toString();
+        return new Promise((resolve, reject) => {
+            const url = new URL(token_path, this.api_base_url);
+            const is_https = url.protocol === "https:";
+            const transport = is_https ? https : http;
+            const req = transport.request({
+                hostname: url.hostname,
+                port: url.port || (is_https ? 443 : 80),
+                path: url.pathname,
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    "Content-Length": Buffer.byteLength(form_body).toString(),
+                    "User-Agent": USER_AGENT,
+                },
+                timeout: this.timeout_milliseconds,
+            }, (res) => {
+                const chunks = [];
+                res.on("data", (chunk) => { chunks.push(chunk); });
+                res.on("end", () => {
+                    const raw_body = Buffer.concat(chunks).toString("utf-8");
+                    try {
+                        const parsed = JSON.parse(raw_body);
+                        if (res.statusCode !== 200) {
+                            const error_description = parsed.error_description ??
+                                parsed.error ??
+                                `HTTP ${res.statusCode}`;
+                            reject(new EnrollmentError(`Token request failed (HTTP ${res.statusCode}): ${error_description}`));
+                            return;
+                        }
+                        resolve(parsed);
+                    }
+                    catch {
+                        reject(new NetworkError(`Invalid JSON from token endpoint (HTTP ${res.statusCode}): ${raw_body.slice(0, 200)}`));
+                    }
+                });
+            });
+            req.on("error", (error) => {
+                reject(new NetworkError(`Could not connect to token endpoint ${url.href}: ${error.message}`));
+            });
+            req.on("timeout", () => {
+                req.destroy();
+                reject(new NetworkError(`Token request to ${url.href} timed out after ${this.timeout_milliseconds}ms`));
+            });
+            req.write(form_body);
+            req.end();
+        });
+    }
+    /**
+     * Check whether a vanity handle is available.
+     */
+    async check_handle_availability(handle_name) {
+        return this._make_request("GET", `/api/v1/handle/${handle_name}`);
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AACpC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EACL,eAAe,EACf,YAAY,EACZ,gCAAgC,GACjC,MAAM,iBAAiB,CAAC;AAEzB,kCAAkC;AAClC,MAAM,iCAAiC,GAAG,MAAM,CAAC;AACjD,MAAM,UAAU,GAAG,sBAAsB,CAAC;AAS1C;;;GAGG;AACH,SAAS,iBAAiB,CACxB,QAAgB,EAChB,OAAuB,EACvB,oBAA4B;IAE5B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAE1C,MAAM,eAAe,GAA2B;YAC9C,YAAY,EAAE,UAAU;YACxB,QAAQ,EAAE,kBAAkB;YAC5B,GAAG,OAAO,CAAC,OAAO;SACnB,CAAC;QAEF,IAAI,mBAAuC,CAAC;QAC5C,IAAI,OAAO,CAAC,SAAS,IAAI,IAAI,EAAE,CAAC;YAC9B,mBAAmB,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACxD,eAAe,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;YACrD,eAAe,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxF,CAAC;QAED,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAC3B;YACE,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACvC,IAAI,EAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM;YAC/B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,eAAe;YACxB,OAAO,EAAE,oBAAoB;SAC9B,EACD,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3D,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACzD,IAAI,CAAC;oBACH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;oBACzC,OAAO,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;gBACnE,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,YAAY,CACrB,8BAA8B,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC,UAAU,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC7F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;QAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAY,EAAE,EAAE;YAC/B,MAAM,CAAC,IAAI,YAAY,CAAC,wBAAwB,QAAQ,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACjF,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACrB,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,YAAY,CACrB,cAAc,GAAG,CAAC,IAAI,oBAAoB,oBAAoB,IAAI,CACnE,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,IAAI,mBAAmB,IAAI,IAAI,EAAE,CAAC;YAChC,GAAG,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACjC,CAAC;QACD,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,cAAc;IACT,YAAY,CAAS;IACrB,oBAAoB,CAAS;IAE7C,YACE,eAAuB,oBAAoB,EAC3C,uBAA+B,iCAAiC;QAEhE,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACrD,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa,CACzB,MAAc,EACd,QAAgB,EAChB,SAA0C,EAC1C,OAAgC;QAEhC,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CACtC,IAAI,CAAC,YAAY,EACjB,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,EAC9C,IAAI,CAAC,oBAAoB,CAC1B,CAAC;QAEF,MAAM,aAAa,GAAG,QAAQ,CAAC,IAA+B,CAAC;QAE/D,4CAA4C;QAC5C,IAAI,CAAC,aAAa,EAAE,EAAE,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,CAAC,aAAa,EAAE,KAAK,IAAI,EAAE,CAA2B,CAAC;YAC1E,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,IAAI,eAAe,CAAC;YACtD,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,IAAI,wBAAwB,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC3F,gCAAgC,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,CAAC,aAAa,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,gBAAwB,EACxB,aAAqB,EACrB,cAA8B,EAC9B,gBAAgC;QAEhC,MAAM,YAAY,GAA4B;YAC5C,gBAAgB;YAChB,aAAa;SACd,CAAC;QACF,IAAI,cAAc,IAAI,IAAI,EAAE,CAAC;YAAC,YAAY,CAAC,gBAAgB,CAAC,GAAG,cAAc,CAAC;QAAC,CAAC;QAChF,IAAI,gBAAgB,IAAI,IAAI,EAAE,CAAC;YAAC,YAAY,CAAC,kBAAkB,CAAC,GAAG,gBAAgB,CAAC;QAAC,CAAC;QAEtF,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,yBAAyB,EAAE,YAAY,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,kBAA0B,EAC1B,iBAAyB,EACzB,qBAA6B,EAAE,EAC/B,oBAA4B,EAAE,EAC9B,wBAAmC,EACnC,WAAmB,KAAK,EACxB,cAA8B,EAC9B,gBAAgC;QAEhC,MAAM,YAAY,GAA4B;YAC5C,kBAAkB;YAClB,iBAAiB;YACjB,iBAAiB;YACjB,kBAAkB;YAClB,QAAQ;SACT,CAAC;QACF,IAAI,wBAAwB,EAAE,CAAC;YAAC,YAAY,CAAC,0BAA0B,CAAC,GAAG,wBAAwB,CAAC;QAAC,CAAC;QACtG,IAAI,cAAc,IAAI,IAAI,EAAE,CAAC;YAAC,YAAY,CAAC,gBAAgB,CAAC,GAAG,cAAc,CAAC;QAAC,CAAC;QAChF,IAAI,gBAAgB,IAAI,IAAI,EAAE,CAAC;YAAC,YAAY,CAAC,kBAAkB,CAAC,GAAG,gBAAgB,CAAC;QAAC,CAAC;QAEtF,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,sBAAsB,EAAE,YAAY,CAAC,CAAC;IAC1E,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,qBAA6B,EAC7B,oBAA4B;QAE5B,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,yBAAyB,EAAE;YAC3D,qBAAqB;YACrB,oBAAoB;SACrB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,OAAO,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,oBAAoB,QAAQ,EAAE,CAAC,CAAC;IACnE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iCAAiC,CACrC,SAAiB,EACjB,aAAqB;QAErB,MAAM,UAAU,GAAG,8CAA8C,CAAC;QAClE,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC;YACpC,UAAU,EAAE,oBAAoB;YAChC,SAAS;YACT,aAAa;SACd,CAAC,CAAC,QAAQ,EAAE,CAAC;QAEd,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAE1C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAC3B;gBACE,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE;oBACzD,YAAY,EAAE,UAAU;iBACzB;gBACD,OAAO,EAAE,IAAI,CAAC,oBAAoB;aACnC,EACD,CAAC,GAAG,EAAE,EAAE;gBACN,MAAM,MAAM,GAAa,EAAE,CAAC;gBAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC3D,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBACzD,IAAI,CAAC;wBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAA4B,CAAC;wBAC/D,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;4BAC3B,MAAM,iBAAiB,GACpB,MAAM,CAAC,iBAA4B;gCACnC,MAAM,CAAC,KAAgB;gCACxB,QAAQ,GAAG,CAAC,UAAU,EAAE,CAAC;4BAC3B,MAAM,CAAC,IAAI,eAAe,CACxB,8BAA8B,GAAG,CAAC,UAAU,MAAM,iBAAiB,EAAE,CACtE,CAAC,CAAC;4BACH,OAAO;wBACT,CAAC;wBACD,OAAO,CAAC,MAAM,CAAC,CAAC;oBAClB,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,CAAC,IAAI,YAAY,CACrB,0CAA0C,GAAG,CAAC,UAAU,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACvF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CACF,CAAC;YAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAY,EAAE,EAAE;gBAC/B,MAAM,CAAC,IAAI,YAAY,CACrB,uCAAuC,GAAG,CAAC,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CACpE,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACrB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,YAAY,CACrB,oBAAoB,GAAG,CAAC,IAAI,oBAAoB,IAAI,CAAC,oBAAoB,IAAI,CAC9E,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrB,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,kBAAkB,WAAW,EAAE,CAAC,CAAC;IACpE,CAAC;CACF"}

package/dist/credentials.d.ts

@@ -0,0 +1,84 @@
+/**
+ * Credential storage for the 1id.com Node.js SDK.
+ *
+ * Manages the local credentials file that stores OAuth2 client credentials
+ * and the agent's signing key (for declared-tier software keys or references
+ * to TPM/YubiKey keys for hardware-backed tiers).
+ *
+ * Storage locations:
+ *   Windows:  %APPDATA%\oneid\credentials.json
+ *   Linux:    ~/.config/oneid/credentials.json
+ *   macOS:    ~/.config/oneid/credentials.json
+ *
+ * Security:
+ *   - File permissions set to owner-only (0600 on Unix)
+ *   - Private keys are stored PEM-encoded in the credentials file
+ *   - Credentials are NEVER logged or printed
+ */
+export declare const DEFAULT_API_BASE_URL = "https://1id.com";
+export declare const DEFAULT_TOKEN_ENDPOINT = "https://1id.com/realms/agents/protocol/openid-connect/token";
+/**
+ * Credentials stored locally after enrollment.
+ *
+ * Contains everything needed to authenticate and sign challenges
+ * without re-enrolling.
+ */
+export interface StoredCredentials {
+    /** The 1id internal ID (e.g., '1id_a7b3c9d2'), used as OAuth2 client_id. */
+    client_id: string;
+    /** OAuth2 client secret issued by Keycloak. */
+    client_secret: string;
+    /** Full URL of the Keycloak token endpoint. */
+    token_endpoint: string;
+    /** Base URL for the 1id.com enrollment API. */
+    api_base_url: string;
+    /** The trust tier assigned at enrollment. */
+    trust_tier: string;
+    /** The key algorithm used for the signing key. */
+    key_algorithm: string;
+    /** PEM-encoded private key (declared tier). Null for TPM tiers. */
+    private_key_pem?: string | null;
+    /** Reference to the HSM-stored key (e.g., TPM AK handle). Null for declared tier. */
+    hsm_key_reference?: string | null;
+    /** ISO 8601 timestamp of enrollment. */
+    enrolled_at?: string | null;
+}
+/**
+ * Return the platform-appropriate directory for storing credentials.
+ *
+ * Windows:  %APPDATA%\oneid\
+ * Linux:    ~/.config/oneid/
+ * macOS:    ~/.config/oneid/
+ */
+export declare function get_credentials_directory(): string;
+/**
+ * Return the full path to the credentials JSON file.
+ */
+export declare function get_credentials_file_path(): string;
+/**
+ * Save enrollment credentials to the local credentials file.
+ *
+ * Creates the directory if it doesn't exist. Sets file permissions
+ * to owner-only for security.
+ *
+ * @returns Path to the saved credentials file.
+ */
+export declare function save_credentials(credentials: StoredCredentials): string;
+/**
+ * Load enrollment credentials from the local credentials file.
+ *
+ * @throws NotEnrolledError if no credentials file exists.
+ * @throws OneIDError if the credentials file is corrupted.
+ */
+export declare function load_credentials(): StoredCredentials;
+/**
+ * Check whether a credentials file exists (agent has enrolled).
+ */
+export declare function credentials_exist(): boolean;
+/**
+ * Delete the local credentials file (for re-enrollment or cleanup).
+ *
+ * @returns true if the file was deleted, false if it didn't exist.
+ */
+export declare function delete_credentials(): boolean;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAQH,eAAO,MAAM,oBAAoB,oBAAoB,CAAC;AACtD,eAAO,MAAM,sBAAsB,gEAAgE,CAAC;AAKpG;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,4EAA4E;IAC5E,SAAS,EAAE,MAAM,CAAC;IAClB,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,+CAA+C;IAC/C,cAAc,EAAE,MAAM,CAAC;IACvB,+CAA+C;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,mEAAmE;IACnE,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,qFAAqF;IACrF,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,CAelD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,CAElD;AAgBD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,iBAAiB,GAAG,MAAM,CA4BvE;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,IAAI,iBAAiB,CAkCpD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAO5C"}

package/dist/credentials.js

@@ -0,0 +1,155 @@
+/**
+ * Credential storage for the 1id.com Node.js SDK.
+ *
+ * Manages the local credentials file that stores OAuth2 client credentials
+ * and the agent's signing key (for declared-tier software keys or references
+ * to TPM/YubiKey keys for hardware-backed tiers).
+ *
+ * Storage locations:
+ *   Windows:  %APPDATA%\oneid\credentials.json
+ *   Linux:    ~/.config/oneid/credentials.json
+ *   macOS:    ~/.config/oneid/credentials.json
+ *
+ * Security:
+ *   - File permissions set to owner-only (0600 on Unix)
+ *   - Private keys are stored PEM-encoded in the credentials file
+ *   - Credentials are NEVER logged or printed
+ */
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { NotEnrolledError, OneIDError } from "./exceptions.js";
+// -- Default server endpoints --
+export const DEFAULT_API_BASE_URL = "https://1id.com";
+export const DEFAULT_TOKEN_ENDPOINT = "https://1id.com/realms/agents/protocol/openid-connect/token";
+// -- Credential file name --
+const CREDENTIALS_FILENAME = "credentials.json";
+/**
+ * Return the platform-appropriate directory for storing credentials.
+ *
+ * Windows:  %APPDATA%\oneid\
+ * Linux:    ~/.config/oneid/
+ * macOS:    ~/.config/oneid/
+ */
+export function get_credentials_directory() {
+    const system_platform = os.platform();
+    if (system_platform === "win32") {
+        const appdata = process.env["APPDATA"];
+        if (appdata) {
+            return path.join(appdata, "oneid");
+        }
+        return path.join(os.homedir(), "AppData", "Roaming", "oneid");
+    }
+    else {
+        const xdg_config_home = process.env["XDG_CONFIG_HOME"];
+        if (xdg_config_home) {
+            return path.join(xdg_config_home, "oneid");
+        }
+        return path.join(os.homedir(), ".config", "oneid");
+    }
+}
+/**
+ * Return the full path to the credentials JSON file.
+ */
+export function get_credentials_file_path() {
+    return path.join(get_credentials_directory(), CREDENTIALS_FILENAME);
+}
+/**
+ * Set file permissions to owner-only (0600 on Unix).
+ * On Windows, %APPDATA% is already user-private by default.
+ */
+function set_owner_only_permissions(file_path) {
+    if (os.platform() !== "win32") {
+        try {
+            fs.chmodSync(file_path, 0o600);
+        }
+        catch {
+            // Best effort -- may fail in some environments
+        }
+    }
+}
+/**
+ * Save enrollment credentials to the local credentials file.
+ *
+ * Creates the directory if it doesn't exist. Sets file permissions
+ * to owner-only for security.
+ *
+ * @returns Path to the saved credentials file.
+ */
+export function save_credentials(credentials) {
+    const credentials_directory = get_credentials_directory();
+    fs.mkdirSync(credentials_directory, { recursive: true });
+    const credentials_file_path = path.join(credentials_directory, CREDENTIALS_FILENAME);
+    // Serialize to JSON -- only include key fields that are present
+    const credentials_dict = {
+        client_id: credentials.client_id,
+        client_secret: credentials.client_secret,
+        token_endpoint: credentials.token_endpoint,
+        api_base_url: credentials.api_base_url,
+        trust_tier: credentials.trust_tier,
+        key_algorithm: credentials.key_algorithm,
+        enrolled_at: credentials.enrolled_at ?? null,
+    };
+    if (credentials.private_key_pem != null) {
+        credentials_dict["private_key_pem"] = credentials.private_key_pem;
+    }
+    if (credentials.hsm_key_reference != null) {
+        credentials_dict["hsm_key_reference"] = credentials.hsm_key_reference;
+    }
+    fs.writeFileSync(credentials_file_path, JSON.stringify(credentials_dict, null, 2) + "\n", "utf-8");
+    set_owner_only_permissions(credentials_file_path);
+    return credentials_file_path;
+}
+/**
+ * Load enrollment credentials from the local credentials file.
+ *
+ * @throws NotEnrolledError if no credentials file exists.
+ * @throws OneIDError if the credentials file is corrupted.
+ */
+export function load_credentials() {
+    const credentials_file_path = get_credentials_file_path();
+    if (!fs.existsSync(credentials_file_path)) {
+        throw new NotEnrolledError(`No credentials file found at ${credentials_file_path}. ` +
+            "Call oneid.enroll() to create an identity first.");
+    }
+    let raw_json_text;
+    let credentials_dict;
+    try {
+        raw_json_text = fs.readFileSync(credentials_file_path, "utf-8");
+        credentials_dict = JSON.parse(raw_json_text);
+    }
+    catch (read_error) {
+        throw new OneIDError(`Credentials file at ${credentials_file_path} is corrupted or unreadable: ${read_error}`, "CREDENTIALS_CORRUPTED");
+    }
+    return {
+        client_id: credentials_dict["client_id"],
+        client_secret: credentials_dict["client_secret"],
+        token_endpoint: credentials_dict["token_endpoint"],
+        api_base_url: credentials_dict["api_base_url"],
+        trust_tier: credentials_dict["trust_tier"] ?? "declared",
+        key_algorithm: credentials_dict["key_algorithm"] ?? "ed25519",
+        private_key_pem: credentials_dict["private_key_pem"] ?? null,
+        hsm_key_reference: credentials_dict["hsm_key_reference"] ?? null,
+        enrolled_at: credentials_dict["enrolled_at"] ?? null,
+    };
+}
+/**
+ * Check whether a credentials file exists (agent has enrolled).
+ */
+export function credentials_exist() {
+    return fs.existsSync(get_credentials_file_path());
+}
+/**
+ * Delete the local credentials file (for re-enrollment or cleanup).
+ *
+ * @returns true if the file was deleted, false if it didn't exist.
+ */
+export function delete_credentials() {
+    const credentials_file_path = get_credentials_file_path();
+    if (fs.existsSync(credentials_file_path)) {
+        fs.unlinkSync(credentials_file_path);
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=credentials.js.map

package/dist/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAE/D,iCAAiC;AACjC,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,CAAC,MAAM,sBAAsB,GAAG,6DAA6D,CAAC;AAEpG,6BAA6B;AAC7B,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AA6BhD;;;;;;GAMG;AACH,MAAM,UAAU,yBAAyB;IACvC,MAAM,eAAe,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACtC,IAAI,eAAe,KAAK,OAAO,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACvD,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,oBAAoB,CAAC,CAAC;AACtE,CAAC;AAED;;;GAGG;AACH,SAAS,0BAA0B,CAAC,SAAiB;IACnD,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,+CAA+C;QACjD,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAA8B;IAC7D,MAAM,qBAAqB,GAAG,yBAAyB,EAAE,CAAC;IAC1D,EAAE,CAAC,SAAS,CAAC,qBAAqB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEzD,MAAM,qBAAqB,GAAG,IAAI,CAAC,IAAI,CAAC,qBAAqB,EAAE,oBAAoB,CAAC,CAAC;IAErF,gEAAgE;IAChE,MAAM,gBAAgB,GAA4B;QAChD,SAAS,EAAE,WAAW,CAAC,SAAS;QAChC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,cAAc,EAAE,WAAW,CAAC,cAAc;QAC1C,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,WAAW,EAAE,WAAW,CAAC,WAAW,IAAI,IAAI;KAC7C,CAAC;IAEF,IAAI,WAAW,CAAC,eAAe,IAAI,IAAI,EAAE,CAAC;QACxC,gBAAgB,CAAC,iBAAiB,CAAC,GAAG,WAAW,CAAC,eAAe,CAAC;IACpE,CAAC;IACD,IAAI,WAAW,CAAC,iBAAiB,IAAI,IAAI,EAAE,CAAC;QAC1C,gBAAgB,CAAC,mBAAmB,CAAC,GAAG,WAAW,CAAC,iBAAiB,CAAC;IACxE,CAAC;IAED,EAAE,CAAC,aAAa,CAAC,qBAAqB,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACnG,0BAA0B,CAAC,qBAAqB,CAAC,CAAC;IAElD,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,qBAAqB,GAAG,yBAAyB,EAAE,CAAC;IAE1D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,gBAAgB,CACxB,gCAAgC,qBAAqB,IAAI;YACzD,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,IAAI,aAAqB,CAAC;IAC1B,IAAI,gBAAyC,CAAC;IAE9C,IAAI,CAAC;QACH,aAAa,GAAG,EAAE,CAAC,YAAY,CAAC,qBAAqB,EAAE,OAAO,CAAC,CAAC;QAChE,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,UAAU,EAAE,CAAC;QACpB,MAAM,IAAI,UAAU,CAClB,uBAAuB,qBAAqB,gCAAgC,UAAU,EAAE,EACxF,uBAAuB,CACxB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS,EAAE,gBAAgB,CAAC,WAAW,CAAW;QAClD,aAAa,EAAE,gBAAgB,CAAC,eAAe,CAAW;QAC1D,cAAc,EAAE,gBAAgB,CAAC,gBAAgB,CAAW;QAC5D,YAAY,EAAE,gBAAgB,CAAC,cAAc,CAAW;QACxD,UAAU,EAAG,gBAAgB,CAAC,YAAY,CAAY,IAAI,UAAU;QACpE,aAAa,EAAG,gBAAgB,CAAC,eAAe,CAAY,IAAI,SAAS;QACzE,eAAe,EAAG,gBAAgB,CAAC,iBAAiB,CAAY,IAAI,IAAI;QACxE,iBAAiB,EAAG,gBAAgB,CAAC,mBAAmB,CAAY,IAAI,IAAI;QAC5E,WAAW,EAAG,gBAAgB,CAAC,aAAa,CAAY,IAAI,IAAI;KACjE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,EAAE,CAAC,UAAU,CAAC,yBAAyB,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,qBAAqB,GAAG,yBAAyB,EAAE,CAAC;IAC1D,IAAI,EAAE,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACzC,EAAE,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/enroll.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Enrollment logic for the 1id.com Node.js SDK.
+ *
+ * Orchestrates the enrollment flow for all trust tiers:
+ * - Declared: Pure software, generates a keypair, sends public key to server.
+ * - Sovereign: Spawns Go binary for TPM operations, two-phase enrollment.
+ * - Sovereign-portable: Spawns Go binary for YubiKey/PIV operations.
+ *
+ * CRITICAL DESIGN RULE: requestTier is a REQUIREMENT, not a preference.
+ * The agent gets exactly the tier it requests, or an exception.
+ * There are NO automatic fallbacks. The caller's logic decides what to do.
+ */
+import { type Identity, KeyAlgorithm } from "./identity.js";
+/**
+ * Options for the enroll() function.
+ */
+export interface EnrollOptions {
+    /** REQUIRED. The trust tier to request. */
+    request_tier: string;
+    /** Optional. Human contact email for this agent. */
+    operator_email?: string | null;
+    /** Optional. Vanity handle to claim (without '@' prefix). */
+    requested_handle?: string | null;
+    /** Optional. Key algorithm for declared-tier enrollment. Default: 'ed25519'. */
+    key_algorithm?: string | KeyAlgorithm | null;
+    /** Optional. Override the API base URL (for testing/staging). */
+    api_base_url?: string;
+}
+/**
+ * Enroll this agent with 1id.com to receive a unique, verifiable identity.
+ *
+ * This is the primary entry point for enrollment. The agent specifies
+ * which trust tier it requires, and gets exactly that tier or an exception.
+ *
+ * THERE ARE NO AUTOMATIC FALLBACKS.
+ *
+ * @param options Enrollment options including the required request_tier.
+ * @returns The enrolled Identity.
+ * @throws NoHSMError if requested tier requires an HSM but none was found.
+ * @throws EnrollmentError for any enrollment failure.
+ * @throws NetworkError if the server cannot be reached.
+ */
+export declare function enroll(options: EnrollOptions): Promise<Identity>;
+//# sourceMappingURL=enroll.d.ts.map

package/dist/enroll.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enroll.d.ts","sourceRoot":"","sources":["../src/enroll.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AASH,OAAO,EAGL,KAAK,QAAQ,EACb,YAAY,EAEb,MAAM,eAAe,CAAC;AAqBvB;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,gFAAgF;IAChF,aAAa,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAAC;IAC7C,iEAAiE;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,CA8CtE"}