1id 0.1.0

package/dist/helper.js

@@ -0,0 +1,387 @@
+/**
+ * Go binary helper for the 1id.com Node.js SDK.
+ *
+ * Manages the oneid-enroll Go binary:
+ * - Locates the binary (cached or PATH)
+ * - Downloads it from GitHub releases if not present
+ * - Spawns it for HSM operations (detect, extract, activate, sign)
+ * - Parses JSON output
+ *
+ * The binary handles all platform-specific HSM operations:
+ * - TPM access (Windows TBS.dll, Linux /dev/tpm*)
+ * - YubiKey/PIV access (PCSC)
+ * - Privilege elevation (UAC, sudo, pkexec)
+ */
+import * as child_process from "node:child_process";
+import * as crypto from "node:crypto";
+import * as fs from "node:fs";
+import * as https from "node:https";
+import * as http from "node:http";
+import * as os from "node:os";
+import * as path from "node:path";
+import { BinaryNotFoundError, HSMAccessError, NoHSMError, UACDeniedError, } from "./exceptions.js";
+// -- GitHub release URL for auto-download --
+const GITHUB_RELEASE_DOWNLOAD_URL_TEMPLATE = "https://github.com/AuraFriday/oneid-enroll/releases/latest/download/{binary_name}";
+// -- Binary naming convention --
+const BINARY_NAME_PREFIX = "oneid-enroll";
+/**
+ * Return the platform-specific binary filename.
+ */
+function get_platform_binary_name() {
+    const system = os.platform();
+    let machine = os.arch();
+    // Normalize architecture names
+    if (machine === "x64") {
+        machine = "amd64";
+    }
+    else if (machine === "arm64") { /* already correct */ }
+    if (system === "win32") {
+        return `${BINARY_NAME_PREFIX}-windows-${machine}.exe`;
+    }
+    else if (system === "darwin") {
+        return `${BINARY_NAME_PREFIX}-darwin-${machine}`;
+    }
+    else {
+        return `${BINARY_NAME_PREFIX}-linux-${machine}`;
+    }
+}
+/**
+ * Return the directory where downloaded binaries are cached.
+ */
+function get_binary_cache_directory() {
+    if (os.platform() === "win32") {
+        const base = process.env["APPDATA"] ?? path.join(os.homedir(), "AppData", "Roaming");
+        return path.join(base, "oneid", "bin");
+    }
+    else {
+        return path.join(os.homedir(), ".local", "share", "oneid", "bin");
+    }
+}
+/**
+ * Check if a file exists and is executable.
+ */
+function file_exists_and_is_executable(file_path) {
+    try {
+        fs.accessSync(file_path, fs.constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Locate the oneid-enroll binary.
+ *
+ * Search order:
+ * 1. Binary cache directory (~/.local/share/oneid/bin/ or %APPDATA%/oneid/bin/)
+ * 2. Current working directory
+ * 3. System PATH
+ *
+ * @returns Path to the binary if found, null otherwise.
+ */
+export function find_binary() {
+    const binary_name = get_platform_binary_name();
+    // 1. Check cache directory
+    const cache_dir = get_binary_cache_directory();
+    const cached_binary_path = path.join(cache_dir, binary_name);
+    if (file_exists_and_is_executable(cached_binary_path)) {
+        return cached_binary_path;
+    }
+    // 2. Check current working directory
+    const local_binary_path = path.join(process.cwd(), binary_name);
+    if (file_exists_and_is_executable(local_binary_path)) {
+        return local_binary_path;
+    }
+    // Also check generic name
+    const generic_name = os.platform() === "win32" ? `${BINARY_NAME_PREFIX}.exe` : BINARY_NAME_PREFIX;
+    const local_generic_path = path.join(process.cwd(), generic_name);
+    if (file_exists_and_is_executable(local_generic_path)) {
+        return local_generic_path;
+    }
+    // 3. Check PATH
+    const which_command = os.platform() === "win32" ? "where" : "which";
+    for (const name_to_search of [binary_name, generic_name]) {
+        try {
+            const result = child_process.execSync(`${which_command} ${name_to_search}`, {
+                encoding: "utf-8",
+                stdio: ["pipe", "pipe", "pipe"],
+            });
+            const found_path = result.trim().split("\n")[0]?.trim();
+            if (found_path && fs.existsSync(found_path)) {
+                return found_path;
+            }
+        }
+        catch {
+            // Not found in PATH
+        }
+    }
+    return null;
+}
+/**
+ * Download a file from a URL to a local path. Follows redirects (up to 5).
+ */
+function download_file_to_path(url, destination, max_redirects = 5) {
+    return new Promise((resolve, reject) => {
+        if (max_redirects <= 0) {
+            reject(new BinaryNotFoundError("Too many redirects while downloading binary"));
+            return;
+        }
+        const transport = url.startsWith("https:") ? https : http;
+        transport.get(url, { headers: { "User-Agent": "oneid-sdk-node/0.1.0" } }, (res) => {
+            // Handle redirects (GitHub releases redirect to S3)
+            if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                download_file_to_path(res.headers.location, destination, max_redirects - 1)
+                    .then(resolve)
+                    .catch(reject);
+                return;
+            }
+            if (res.statusCode !== 200) {
+                reject(new BinaryNotFoundError(`Failed to download from ${url}: HTTP ${res.statusCode}`));
+                return;
+            }
+            const file_stream = fs.createWriteStream(destination);
+            res.pipe(file_stream);
+            file_stream.on("finish", () => {
+                file_stream.close();
+                resolve();
+            });
+            file_stream.on("error", (err) => {
+                reject(new BinaryNotFoundError(`Failed to write binary to ${destination}: ${err.message}`));
+            });
+        }).on("error", (err) => {
+            reject(new BinaryNotFoundError(`Failed to download from ${url}: ${err.message}`));
+        });
+    });
+}
+/**
+ * Download the content of a URL as a string. Follows redirects.
+ */
+function download_text_from_url(url, max_redirects = 5) {
+    return new Promise((resolve, reject) => {
+        if (max_redirects <= 0) {
+            reject(new Error("Too many redirects"));
+            return;
+        }
+        const transport = url.startsWith("https:") ? https : http;
+        transport.get(url, { headers: { "User-Agent": "oneid-sdk-node/0.1.0" } }, (res) => {
+            if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                download_text_from_url(res.headers.location, max_redirects - 1)
+                    .then(resolve)
+                    .catch(reject);
+                return;
+            }
+            if (res.statusCode !== 200) {
+                reject(new Error(`HTTP ${res.statusCode}`));
+                return;
+            }
+            const chunks = [];
+            res.on("data", (chunk) => { chunks.push(chunk); });
+            res.on("end", () => { resolve(Buffer.concat(chunks).toString("utf-8")); });
+        }).on("error", reject);
+    });
+}
+/**
+ * Download the oneid-enroll binary from the GitHub 'latest' release.
+ *
+ * Downloads to a temporary file first, verifies the SHA-256 checksum,
+ * then moves to the final location.
+ */
+async function download_binary_from_github_release(binary_name, destination_path) {
+    const binary_download_url = GITHUB_RELEASE_DOWNLOAD_URL_TEMPLATE.replace("{binary_name}", binary_name);
+    const checksum_download_url = GITHUB_RELEASE_DOWNLOAD_URL_TEMPLATE.replace("{binary_name}", binary_name + ".sha256");
+    const destination_dir = path.dirname(destination_path);
+    fs.mkdirSync(destination_dir, { recursive: true });
+    // Use a temp file for atomic download
+    const temp_file_path = path.join(destination_dir, `oneid-enroll-download-${Date.now()}.tmp`);
+    try {
+        // Step 1: Download binary
+        await download_file_to_path(binary_download_url, temp_file_path);
+        const downloaded_size = fs.statSync(temp_file_path).size;
+        if (downloaded_size < 100_000) {
+            throw new BinaryNotFoundError(`Downloaded binary is suspiciously small (${downloaded_size} bytes). ` +
+                "The download URL may be incorrect or the release may be empty.");
+        }
+        // Step 2: Verify SHA-256 checksum
+        try {
+            const checksum_text = await download_text_from_url(checksum_download_url);
+            const expected_sha256_hash = checksum_text.trim().split(/\s+/)[0]?.toLowerCase();
+            const file_buffer = fs.readFileSync(temp_file_path);
+            const actual_sha256_hash = crypto.createHash("sha256").update(file_buffer).digest("hex").toLowerCase();
+            if (actual_sha256_hash !== expected_sha256_hash) {
+                throw new BinaryNotFoundError(`SHA-256 checksum mismatch for ${binary_name}. ` +
+                    `Expected: ${expected_sha256_hash}, got: ${actual_sha256_hash}. ` +
+                    "The binary may have been tampered with or the download was corrupted.");
+            }
+        }
+        catch (checksum_error) {
+            if (checksum_error instanceof BinaryNotFoundError) {
+                throw checksum_error;
+            }
+            // Checksum download failed -- proceed without verification (warn)
+            console.warn(`[oneid] Could not download checksum file (${checksum_error}). ` +
+                "Proceeding without verification.");
+        }
+        // Step 3: Move temp file to final destination
+        if (fs.existsSync(destination_path)) {
+            fs.unlinkSync(destination_path);
+        }
+        fs.renameSync(temp_file_path, destination_path);
+        // Step 4: Set executable permission on non-Windows
+        if (os.platform() !== "win32") {
+            fs.chmodSync(destination_path, 0o755);
+        }
+        return destination_path;
+    }
+    finally {
+        // Clean up temp file on failure
+        try {
+            if (fs.existsSync(temp_file_path)) {
+                fs.unlinkSync(temp_file_path);
+            }
+        }
+        catch { /* best effort */ }
+    }
+}
+/**
+ * Ensure the oneid-enroll binary is available, downloading if needed.
+ *
+ * @returns Path to the available binary.
+ * @throws BinaryNotFoundError if the binary cannot be found or downloaded.
+ */
+export async function ensure_binary_available() {
+    const found_binary_path = find_binary();
+    if (found_binary_path != null) {
+        return found_binary_path;
+    }
+    // Binary not found locally -- attempt auto-download
+    const binary_name = get_platform_binary_name();
+    const cache_dir = get_binary_cache_directory();
+    const destination = path.join(cache_dir, binary_name);
+    try {
+        return await download_binary_from_github_release(binary_name, destination);
+    }
+    catch (download_error) {
+        throw new BinaryNotFoundError(`oneid-enroll binary not found in cache, current directory, or PATH, ` +
+            `and auto-download failed: ${download_error}. ` +
+            `Expected filename: ${binary_name}. ` +
+            `Manual download: https://github.com/AuraFriday/oneid-enroll/releases/latest`);
+    }
+}
+/**
+ * Run an oneid-enroll subcommand and parse its JSON output.
+ */
+export async function run_binary_command(command, args, json_mode = true, timeout_milliseconds = 30_000) {
+    const binary_path = await ensure_binary_available();
+    const cmd_args = [command];
+    if (json_mode) {
+        cmd_args.push("--json");
+    }
+    if (args) {
+        cmd_args.push(...args);
+    }
+    return new Promise((resolve, reject) => {
+        let stdout_data = "";
+        let stderr_data = "";
+        const spawned_process = child_process.spawn(binary_path, cmd_args, {
+            stdio: ["pipe", "pipe", "pipe"],
+            timeout: timeout_milliseconds,
+        });
+        spawned_process.stdout?.on("data", (chunk) => { stdout_data += chunk.toString(); });
+        spawned_process.stderr?.on("data", (chunk) => { stderr_data += chunk.toString(); });
+        spawned_process.on("error", (err) => {
+            if (err.code === "ENOENT") {
+                reject(new BinaryNotFoundError(`Could not execute ${binary_path}: file not found`));
+            }
+            else if (err.code === "EACCES") {
+                reject(new BinaryNotFoundError(`Could not execute ${binary_path}: permission denied`));
+            }
+            else {
+                reject(new HSMAccessError(`Error spawning ${binary_path}: ${err.message}`));
+            }
+        });
+        spawned_process.on("close", (exit_code) => {
+            let output;
+            if (json_mode && stdout_data.trim()) {
+                try {
+                    output = JSON.parse(stdout_data.trim());
+                }
+                catch {
+                    reject(new HSMAccessError(`oneid-enroll returned invalid JSON: ${stdout_data.slice(0, 500)}`));
+                    return;
+                }
+            }
+            else {
+                output = { stdout: stdout_data, stderr: stderr_data, returncode: exit_code };
+            }
+            if (exit_code !== 0) {
+                const error_code = output.error_code ?? "UNKNOWN";
+                const error_message = output.error ?? (stderr_data.trim() || `Exit code ${exit_code}`);
+                if (error_code === "NO_HSM_FOUND" || /no.*hsm/i.test(error_message) || /no.*tpm/i.test(error_message)) {
+                    reject(new NoHSMError(error_message));
+                }
+                else if (error_code === "UAC_DENIED" || /denied/i.test(error_message)) {
+                    reject(new UACDeniedError(error_message));
+                }
+                else if (error_code === "HSM_ACCESS_ERROR") {
+                    reject(new HSMAccessError(error_message));
+                }
+                else {
+                    reject(new HSMAccessError(`oneid-enroll '${command}' failed: ${error_message}`));
+                }
+                return;
+            }
+            resolve(output);
+        });
+    });
+}
+/**
+ * Detect available hardware security modules via the Go binary.
+ *
+ * Runs 'oneid-enroll detect --json' which does NOT require elevation.
+ */
+export async function detect_available_hsms() {
+    try {
+        const output = await run_binary_command("detect");
+        return output.hsms ?? [];
+    }
+    catch (error) {
+        if (error instanceof NoHSMError) {
+            return [];
+        }
+        if (error instanceof BinaryNotFoundError) {
+            throw error;
+        }
+        return [];
+    }
+}
+/**
+ * Extract attestation data from an HSM (requires elevation).
+ */
+export async function extract_attestation_data(hsm) {
+    const hsm_type = hsm.type ?? "tpm";
+    return run_binary_command("extract", ["--type", hsm_type, "--elevated"]);
+}
+/**
+ * Decrypt a credential activation challenge via the HSM (requires elevation).
+ */
+export async function activate_credential(_hsm, credential_blob_b64, encrypted_secret_b64, ak_handle) {
+    const output = await run_binary_command("activate", [
+        "--credential-blob", credential_blob_b64,
+        "--encrypted-secret", encrypted_secret_b64,
+        "--ak-handle", ak_handle,
+        "--elevated",
+    ]);
+    return output.decrypted_credential ?? "";
+}
+/**
+ * Sign a challenge nonce using the TPM AK -- NO ELEVATION NEEDED.
+ *
+ * This is the core of ongoing TPM-backed authentication.
+ */
+export async function sign_challenge_with_tpm(nonce_b64, ak_handle) {
+    return run_binary_command("sign", [
+        "--nonce", nonce_b64,
+        "--ak-handle", ak_handle,
+    ]);
+}
+//# sourceMappingURL=helper.js.map

package/dist/helper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helper.js","sourceRoot":"","sources":["../src/helper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,aAAa,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AACpC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,UAAU,EACV,cAAc,GACf,MAAM,iBAAiB,CAAC;AAEzB,6CAA6C;AAC7C,MAAM,oCAAoC,GACxC,mFAAmF,CAAC;AAEtF,iCAAiC;AACjC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAE1C;;GAEG;AACH,SAAS,wBAAwB;IAC/B,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;IAExB,+BAA+B;IAC/B,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QAAC,OAAO,GAAG,OAAO,CAAC;IAAC,CAAC;SACxC,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC,CAAC,qBAAqB,CAAC,CAAC;IAEvD,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,GAAG,kBAAkB,YAAY,OAAO,MAAM,CAAC;IACxD,CAAC;SAAM,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO,GAAG,kBAAkB,WAAW,OAAO,EAAE,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,kBAAkB,UAAU,OAAO,EAAE,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B;IACjC,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACrF,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,6BAA6B,CAAC,SAAiB;IACtD,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,WAAW,GAAG,wBAAwB,EAAE,CAAC;IAE/C,2BAA2B;IAC3B,MAAM,SAAS,GAAG,0BAA0B,EAAE,CAAC;IAC/C,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAC7D,IAAI,6BAA6B,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACtD,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAED,qCAAqC;IACrC,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,WAAW,CAAC,CAAC;IAChE,IAAI,6BAA6B,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrD,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,0BAA0B;IAC1B,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,kBAAkB,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAClG,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAClE,IAAI,6BAA6B,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACtD,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAED,gBAAgB;IAChB,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IACpE,KAAK,MAAM,cAAc,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,EAAE,CAAC;QACzD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,EAAE;gBAC1E,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;YACxD,IAAI,UAAU,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC5C,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,GAAW,EAAE,WAAmB,EAAE,gBAAwB,CAAC;IACxF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,mBAAmB,CAAC,6CAA6C,CAAC,CAAC,CAAC;YAC/E,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1D,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,sBAAsB,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE;YAChF,oDAAoD;YACpD,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAC5F,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,aAAa,GAAG,CAAC,CAAC;qBACxE,IAAI,CAAC,OAAO,CAAC;qBACb,KAAK,CAAC,MAAM,CAAC,CAAC;gBACjB,OAAO;YACT,CAAC;YAED,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,CAAC,IAAI,mBAAmB,CAC5B,2BAA2B,GAAG,UAAU,GAAG,CAAC,UAAU,EAAE,CACzD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,WAAW,GAAG,EAAE,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACtB,WAAW,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBAC5B,WAAW,CAAC,KAAK,EAAE,CAAC;gBACpB,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC9B,MAAM,CAAC,IAAI,mBAAmB,CAAC,6BAA6B,WAAW,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC9F,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACrB,MAAM,CAAC,IAAI,mBAAmB,CAAC,2BAA2B,GAAG,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACpF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,GAAW,EAAE,gBAAwB,CAAC;IACpE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;YACxC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1D,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,sBAAsB,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE;YAChF,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAC5F,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,aAAa,GAAG,CAAC,CAAC;qBAC5D,IAAI,CAAC,OAAO,CAAC;qBACb,KAAK,CAAC,MAAM,CAAC,CAAC;gBACjB,OAAO;YACT,CAAC;YAED,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;gBAC5C,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3D,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7E,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,mCAAmC,CAChD,WAAmB,EACnB,gBAAwB;IAExB,MAAM,mBAAmB,GAAG,oCAAoC,CAAC,OAAO,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACvG,MAAM,qBAAqB,GAAG,oCAAoC,CAAC,OAAO,CAAC,eAAe,EAAE,WAAW,GAAG,SAAS,CAAC,CAAC;IAErH,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACvD,EAAE,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEnD,sCAAsC;IACtC,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,yBAAyB,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAE7F,IAAI,CAAC;QACH,0BAA0B;QAC1B,MAAM,qBAAqB,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;QACjE,MAAM,eAAe,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC;QAEzD,IAAI,eAAe,GAAG,OAAO,EAAE,CAAC;YAC9B,MAAM,IAAI,mBAAmB,CAC3B,4CAA4C,eAAe,WAAW;gBACtE,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;YAC1E,MAAM,oBAAoB,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;YAEjF,MAAM,WAAW,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;YACpD,MAAM,kBAAkB,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;YAEvG,IAAI,kBAAkB,KAAK,oBAAoB,EAAE,CAAC;gBAChD,MAAM,IAAI,mBAAmB,CAC3B,iCAAiC,WAAW,IAAI;oBAChD,aAAa,oBAAoB,UAAU,kBAAkB,IAAI;oBACjE,uEAAuE,CACxE,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,cAAc,EAAE,CAAC;YACxB,IAAI,cAAc,YAAY,mBAAmB,EAAE,CAAC;gBAAC,MAAM,cAAc,CAAC;YAAC,CAAC;YAC5E,kEAAkE;YAClE,OAAO,CAAC,IAAI,CACV,6CAA6C,cAAc,KAAK;gBAChE,kCAAkC,CACnC,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;QACD,EAAE,CAAC,UAAU,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC;QAEhD,mDAAmD;QACnD,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,EAAE,CAAC,SAAS,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,gBAAgB,CAAC;IAC1B,CAAC;YAAS,CAAC;QACT,gCAAgC;QAChC,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;YAAC,CAAC;QACvE,CAAC;QAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,iBAAiB,GAAG,WAAW,EAAE,CAAC;IACxC,IAAI,iBAAiB,IAAI,IAAI,EAAE,CAAC;QAC9B,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,oDAAoD;IACpD,MAAM,WAAW,GAAG,wBAAwB,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,0BAA0B,EAAE,CAAC;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,OAAO,MAAM,mCAAmC,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC7E,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,IAAI,mBAAmB,CAC3B,sEAAsE;YACtE,6BAA6B,cAAc,IAAI;YAC/C,sBAAsB,WAAW,IAAI;YACrC,6EAA6E,CAC9E,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAe,EACf,IAAe,EACf,YAAqB,IAAI,EACzB,uBAA+B,MAAM;IAErC,MAAM,WAAW,GAAG,MAAM,uBAAuB,EAAE,CAAC;IAEpD,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3B,IAAI,SAAS,EAAE,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAAC,CAAC;IAC3C,IAAI,IAAI,EAAE,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;IAAC,CAAC;IAErC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,GAAG,EAAE,CAAC;QAErB,MAAM,eAAe,GAAG,aAAa,CAAC,KAAK,CAAC,WAAW,EAAE,QAAQ,EAAE;YACjE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,oBAAoB;SAC9B,CAAC,CAAC;QAEH,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,WAAW,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5F,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,WAAW,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5F,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAClC,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,MAAM,CAAC,IAAI,mBAAmB,CAAC,qBAAqB,WAAW,kBAAkB,CAAC,CAAC,CAAC;YACtF,CAAC;iBAAM,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5D,MAAM,CAAC,IAAI,mBAAmB,CAAC,qBAAqB,WAAW,qBAAqB,CAAC,CAAC,CAAC;YACzF,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,cAAc,CAAC,kBAAkB,WAAW,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC9E,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,SAAS,EAAE,EAAE;YACxC,IAAI,MAA+B,CAAC;YAEpC,IAAI,SAAS,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC1C,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,cAAc,CACvB,uCAAuC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACnE,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;YAC/E,CAAC;YAED,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACpB,MAAM,UAAU,GAAI,MAAM,CAAC,UAAqB,IAAI,SAAS,CAAC;gBAC9D,MAAM,aAAa,GAAI,MAAM,CAAC,KAAgB,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,aAAa,SAAS,EAAE,CAAC,CAAC;gBAEnG,IAAI,UAAU,KAAK,cAAc,IAAI,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;oBACtG,MAAM,CAAC,IAAI,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;gBACxC,CAAC;qBAAM,IAAI,UAAU,KAAK,YAAY,IAAI,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;oBACxE,MAAM,CAAC,IAAI,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC;gBAC5C,CAAC;qBAAM,IAAI,UAAU,KAAK,kBAAkB,EAAE,CAAC;oBAC7C,MAAM,CAAC,IAAI,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC;gBAC5C,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,cAAc,CAAC,iBAAiB,OAAO,aAAa,aAAa,EAAE,CAAC,CAAC,CAAC;gBACnF,CAAC;gBACD,OAAO;YACT,CAAC;YAED,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAClD,OAAQ,MAAM,CAAC,IAAkC,IAAI,EAAE,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;YAAC,OAAO,EAAE,CAAC;QAAC,CAAC;QAC/C,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YAAC,MAAM,KAAK,CAAC;QAAC,CAAC;QAC1D,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAA4B;IAE5B,MAAM,QAAQ,GAAI,GAAG,CAAC,IAAe,IAAI,KAAK,CAAC;IAC/C,OAAO,kBAAkB,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAA6B,EAC7B,mBAA2B,EAC3B,oBAA4B,EAC5B,SAAiB;IAEjB,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,UAAU,EAAE;QAClD,mBAAmB,EAAE,mBAAmB;QACxC,oBAAoB,EAAE,oBAAoB;QAC1C,aAAa,EAAE,SAAS;QACxB,YAAY;KACb,CAAC,CAAC;IACH,OAAQ,MAAM,CAAC,oBAA+B,IAAI,EAAE,CAAC;AACvD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,SAAiB,EACjB,SAAiB;IAEjB,OAAO,kBAAkB,CAAC,MAAM,EAAE;QAChC,SAAS,EAAE,SAAS;QACpB,aAAa,EAAE,SAAS;KACzB,CAAC,CAAC;AACL,CAAC"}

package/dist/identity.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Identity and Token data models for the 1id.com Node.js SDK.
+ *
+ * These types represent the agent's enrolled identity and OAuth2 tokens.
+ * They are returned by enroll(), whoami(), and getToken() respectively.
+ */
+/**
+ * Trust tiers assigned by 1id.com based on hardware attestation.
+ *
+ * Ordered from highest to lowest Sybil resistance:
+ * - sovereign: Non-portable hardware (TPM), manufacturer-attested, current cert
+ * - sovereign-portable: Portable hardware (YubiKey/Nitrokey), manufacturer-attested
+ * - legacy: Was sovereign/sovereign-portable, but manufacturer cert expired
+ * - virtual: Virtual TPM (VMware/Hyper-V), hypervisor-attested
+ * - enclave: Apple Secure Enclave, TOFU (no attestation PKI)
+ * - declared: Software-only, no hardware proof, self-asserted
+ */
+export declare enum TrustTier {
+    SOVEREIGN = "sovereign",
+    SOVEREIGN_PORTABLE = "sovereign-portable",
+    LEGACY = "legacy",
+    VIRTUAL = "virtual",
+    ENCLAVE = "enclave",
+    DECLARED = "declared"
+}
+/**
+ * Supported key algorithms for declared-tier software keys.
+ */
+export declare enum KeyAlgorithm {
+    ED25519 = "ed25519",
+    ECDSA_P256 = "ecdsa-p256",
+    ECDSA_P384 = "ecdsa-p384",
+    RSA_2048 = "rsa-2048",
+    RSA_4096 = "rsa-4096"
+}
+/** The default key algorithm for declared-tier enrollment. */
+export declare const DEFAULT_KEY_ALGORITHM = KeyAlgorithm.ED25519;
+/**
+ * Types of hardware security modules supported by 1id.com.
+ */
+export declare enum HSMType {
+    TPM = "tpm",
+    YUBIKEY = "yubikey",
+    NITROKEY = "nitrokey",
+    FEITIAN = "feitian",
+    SOLOKEYS = "solokeys",
+    SECURE_ENCLAVE = "secure_enclave",
+    SOFTWARE = "software"
+}
+/**
+ * Represents an enrolled 1id.com agent identity.
+ *
+ * Returned by enroll() and whoami(). All fields are readonly.
+ */
+export interface Identity {
+    /** Permanent unique identifier (e.g., '1id_a7b3c9d2'). Never changes. */
+    readonly internal_id: string;
+    /** Display name (e.g., '@clawdia' or '@1id_a7b3c9d2'). */
+    readonly handle: string;
+    /** The trust level assigned based on hardware attestation. */
+    readonly trust_tier: TrustTier;
+    /** Type of HSM used for enrollment, or null for declared tier. */
+    readonly hsm_type: HSMType | null;
+    /** Manufacturer code (e.g., 'INTC', 'Yubico'), or null. */
+    readonly hsm_manufacturer: string | null;
+    /** When this identity was first created. */
+    readonly enrolled_at: Date;
+    /** Number of HSMs currently linked to this identity. */
+    readonly device_count: number;
+    /** The key algorithm used for this identity's signing key. */
+    readonly key_algorithm: KeyAlgorithm;
+}
+/**
+ * Represents an OAuth2 access token from 1id.com / Keycloak.
+ *
+ * Returned by getToken(). The accessToken is a signed JWT
+ * containing the agent's identity claims (sub, handle, trust_tier, etc.).
+ */
+export interface Token {
+    /** The JWT access token string (Bearer token). */
+    readonly access_token: string;
+    /** Always 'Bearer'. */
+    readonly token_type: string;
+    /** When this token expires (UTC). */
+    readonly expires_at: Date;
+    /** Refresh token for obtaining new access tokens, or null. */
+    readonly refresh_token: string | null;
+}
+/**
+ * Check whether a token is still valid based on its expiry time.
+ *
+ * Returns true if the token's expiry time is in the future.
+ * Does NOT verify the JWT signature or check revocation.
+ */
+export declare function this_token_has_not_yet_expired(token: Token): boolean;
+/**
+ * Format a token for use in an HTTP Authorization header.
+ *
+ * Returns a string in the format 'Bearer <access_token>'.
+ */
+export declare function format_authorization_header_value(token: Token): string;
+/**
+ * Format an Identity as a human-readable string.
+ */
+export declare function format_identity_as_display_string(identity: Identity): string;
+//# sourceMappingURL=identity.d.ts.map

package/dist/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;GAUG;AACH,oBAAY,SAAS;IACnB,SAAS,cAAc;IACvB,kBAAkB,uBAAuB;IACzC,MAAM,WAAW;IACjB,OAAO,YAAY;IACnB,OAAO,YAAY;IACnB,QAAQ,aAAa;CACtB;AAED;;GAEG;AACH,oBAAY,YAAY;IACtB,OAAO,YAAY;IACnB,UAAU,eAAe;IACzB,UAAU,eAAe;IACzB,QAAQ,aAAa;IACrB,QAAQ,aAAa;CACtB;AAED,8DAA8D;AAC9D,eAAO,MAAM,qBAAqB,uBAAuB,CAAC;AAE1D;;GAEG;AACH,oBAAY,OAAO;IACjB,GAAG,QAAQ;IACX,OAAO,YAAY;IACnB,QAAQ,aAAa;IACrB,OAAO,YAAY;IACnB,QAAQ,aAAa;IACrB,cAAc,mBAAmB;IACjC,QAAQ,aAAa;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,QAAQ;IACvB,yEAAyE;IACzE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,0DAA0D;IAC1D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,kEAAkE;IAClE,QAAQ,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IAClC,2DAA2D;IAC3D,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,4CAA4C;IAC5C,QAAQ,CAAC,WAAW,EAAE,IAAI,CAAC;IAC3B,wDAAwD;IACxD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,8DAA8D;IAC9D,QAAQ,CAAC,aAAa,EAAE,YAAY,CAAC;CACtC;AAED;;;;;GAKG;AACH,MAAM,WAAW,KAAK;IACpB,kDAAkD;IAClD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,uBAAuB;IACvB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,qCAAqC;IACrC,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC;IAC1B,8DAA8D;IAC9D,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CACvC;AAED;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAAC,KAAK,EAAE,KAAK,GAAG,OAAO,CAEpE;AAED;;;;GAIG;AACH,wBAAgB,iCAAiC,CAAC,KAAK,EAAE,KAAK,GAAG,MAAM,CAEtE;AAED;;GAEG;AACH,wBAAgB,iCAAiC,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAE5E"}

package/dist/identity.js

@@ -0,0 +1,76 @@
+/**
+ * Identity and Token data models for the 1id.com Node.js SDK.
+ *
+ * These types represent the agent's enrolled identity and OAuth2 tokens.
+ * They are returned by enroll(), whoami(), and getToken() respectively.
+ */
+/**
+ * Trust tiers assigned by 1id.com based on hardware attestation.
+ *
+ * Ordered from highest to lowest Sybil resistance:
+ * - sovereign: Non-portable hardware (TPM), manufacturer-attested, current cert
+ * - sovereign-portable: Portable hardware (YubiKey/Nitrokey), manufacturer-attested
+ * - legacy: Was sovereign/sovereign-portable, but manufacturer cert expired
+ * - virtual: Virtual TPM (VMware/Hyper-V), hypervisor-attested
+ * - enclave: Apple Secure Enclave, TOFU (no attestation PKI)
+ * - declared: Software-only, no hardware proof, self-asserted
+ */
+export var TrustTier;
+(function (TrustTier) {
+    TrustTier["SOVEREIGN"] = "sovereign";
+    TrustTier["SOVEREIGN_PORTABLE"] = "sovereign-portable";
+    TrustTier["LEGACY"] = "legacy";
+    TrustTier["VIRTUAL"] = "virtual";
+    TrustTier["ENCLAVE"] = "enclave";
+    TrustTier["DECLARED"] = "declared";
+})(TrustTier || (TrustTier = {}));
+/**
+ * Supported key algorithms for declared-tier software keys.
+ */
+export var KeyAlgorithm;
+(function (KeyAlgorithm) {
+    KeyAlgorithm["ED25519"] = "ed25519";
+    KeyAlgorithm["ECDSA_P256"] = "ecdsa-p256";
+    KeyAlgorithm["ECDSA_P384"] = "ecdsa-p384";
+    KeyAlgorithm["RSA_2048"] = "rsa-2048";
+    KeyAlgorithm["RSA_4096"] = "rsa-4096";
+})(KeyAlgorithm || (KeyAlgorithm = {}));
+/** The default key algorithm for declared-tier enrollment. */
+export const DEFAULT_KEY_ALGORITHM = KeyAlgorithm.ED25519;
+/**
+ * Types of hardware security modules supported by 1id.com.
+ */
+export var HSMType;
+(function (HSMType) {
+    HSMType["TPM"] = "tpm";
+    HSMType["YUBIKEY"] = "yubikey";
+    HSMType["NITROKEY"] = "nitrokey";
+    HSMType["FEITIAN"] = "feitian";
+    HSMType["SOLOKEYS"] = "solokeys";
+    HSMType["SECURE_ENCLAVE"] = "secure_enclave";
+    HSMType["SOFTWARE"] = "software";
+})(HSMType || (HSMType = {}));
+/**
+ * Check whether a token is still valid based on its expiry time.
+ *
+ * Returns true if the token's expiry time is in the future.
+ * Does NOT verify the JWT signature or check revocation.
+ */
+export function this_token_has_not_yet_expired(token) {
+    return new Date() < token.expires_at;
+}
+/**
+ * Format a token for use in an HTTP Authorization header.
+ *
+ * Returns a string in the format 'Bearer <access_token>'.
+ */
+export function format_authorization_header_value(token) {
+    return `${token.token_type} ${token.access_token}`;
+}
+/**
+ * Format an Identity as a human-readable string.
+ */
+export function format_identity_as_display_string(identity) {
+    return `${identity.handle} (tier: ${identity.trust_tier}, id: ${identity.internal_id})`;
+}
+//# sourceMappingURL=identity.js.map

package/dist/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,CAAN,IAAY,SAOX;AAPD,WAAY,SAAS;IACnB,oCAAuB,CAAA;IACvB,sDAAyC,CAAA;IACzC,8BAAiB,CAAA;IACjB,gCAAmB,CAAA;IACnB,gCAAmB,CAAA;IACnB,kCAAqB,CAAA;AACvB,CAAC,EAPW,SAAS,KAAT,SAAS,QAOpB;AAED;;GAEG;AACH,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,yCAAyB,CAAA;IACzB,yCAAyB,CAAA;IACzB,qCAAqB,CAAA;IACrB,qCAAqB,CAAA;AACvB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB;AAED,8DAA8D;AAC9D,MAAM,CAAC,MAAM,qBAAqB,GAAG,YAAY,CAAC,OAAO,CAAC;AAE1D;;GAEG;AACH,MAAM,CAAN,IAAY,OAQX;AARD,WAAY,OAAO;IACjB,sBAAW,CAAA;IACX,8BAAmB,CAAA;IACnB,gCAAqB,CAAA;IACrB,8BAAmB,CAAA;IACnB,gCAAqB,CAAA;IACrB,4CAAiC,CAAA;IACjC,gCAAqB,CAAA;AACvB,CAAC,EARW,OAAO,KAAP,OAAO,QAQlB;AA2CD;;;;;GAKG;AACH,MAAM,UAAU,8BAA8B,CAAC,KAAY;IACzD,OAAO,IAAI,IAAI,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iCAAiC,CAAC,KAAY;IAC5D,OAAO,GAAG,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iCAAiC,CAAC,QAAkB;IAClE,OAAO,GAAG,QAAQ,CAAC,MAAM,WAAW,QAAQ,CAAC,UAAU,SAAS,QAAQ,CAAC,WAAW,GAAG,CAAC;AAC1F,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,70 @@
+/**
+ * 1id.com SDK -- Hardware-anchored identity for AI agents.
+ *
+ * Quick start:
+ *
+ *     import oneid from "1id";
+ *
+ *     // Enroll at declared tier (no HSM, always works)
+ *     const identity = await oneid.enroll({ request_tier: "declared" });
+ *     console.log(`Enrolled as ${identity.handle}`);
+ *
+ *     // Get an OAuth2 token for authentication
+ *     const token = await oneid.getToken();
+ *     console.log(`Bearer ${token.access_token}`);
+ *
+ *     // Check current identity
+ *     const me = oneid.whoami();
+ *
+ * Trust tiers (request_tier parameter):
+ *     'sovereign'          -- TPM hardware, manufacturer-attested
+ *     'sovereign-portable' -- YubiKey/Nitrokey, manufacturer-attested
+ *     'declared'           -- Software keys, no hardware proof
+ *
+ * CRITICAL: request_tier is a REQUIREMENT, not a preference.
+ * You get exactly what you ask for, or an exception. No fallbacks.
+ */
+import { clear_cached_token, get_token, authenticate_with_tpm } from "./auth.js";
+import { credentials_exist } from "./credentials.js";
+import { enroll, type EnrollOptions } from "./enroll.js";
+import { sign_challenge_with_private_key } from "./keys.js";
+import { DEFAULT_KEY_ALGORITHM, HSMType, type Identity, KeyAlgorithm, type Token, TrustTier, this_token_has_not_yet_expired, format_authorization_header_value, format_identity_as_display_string } from "./identity.js";
+export { OneIDError, EnrollmentError, NoHSMError, UACDeniedError, HSMAccessError, AlreadyEnrolledError, HandleTakenError, HandleInvalidError, HandleRetiredError, AuthenticationError, NetworkError, NotEnrolledError, BinaryNotFoundError, RateLimitExceededError, } from "./exceptions.js";
+export { TrustTier, KeyAlgorithm, HSMType, DEFAULT_KEY_ALGORITHM, type Identity, type Token, type EnrollOptions, this_token_has_not_yet_expired, format_authorization_header_value, format_identity_as_display_string, };
+export { enroll, get_token as getToken, get_token, clear_cached_token, authenticate_with_tpm, credentials_exist, sign_challenge_with_private_key, };
+/** SDK version string. */
+export declare const VERSION = "0.1.0";
+/**
+ * Check the current enrolled identity.
+ *
+ * Reads the local credentials file and returns the identity information
+ * stored during enrollment. Does NOT make a network request.
+ *
+ * @throws NotEnrolledError if no credentials exist.
+ */
+export declare function whoami(): Identity;
+/**
+ * Force-refresh the cached OAuth2 token.
+ *
+ * Discards the in-memory cached token and fetches a new one
+ * on the next getToken() call.
+ */
+export declare function refresh(): void;
+declare const oneid: {
+    enroll: typeof enroll;
+    getToken: typeof get_token;
+    get_token: typeof get_token;
+    whoami: typeof whoami;
+    refresh: typeof refresh;
+    credentials_exist: typeof credentials_exist;
+    authenticate_with_tpm: typeof authenticate_with_tpm;
+    sign_challenge_with_private_key: typeof sign_challenge_with_private_key;
+    clear_cached_token: typeof clear_cached_token;
+    VERSION: string;
+    TrustTier: typeof TrustTier;
+    KeyAlgorithm: typeof KeyAlgorithm;
+    HSMType: typeof HSMType;
+    DEFAULT_KEY_ALGORITHM: KeyAlgorithm;
+};
+export default oneid;
+//# sourceMappingURL=index.d.ts.map