1id 0.5.0 → 0.7.0

package/dist/trustRoots.js

@@ -0,0 +1,145 @@
+/**
+ * 1id Trust Root Certificate Cache
+ *
+ * Manages the local cache of 1ID CA root certificates used for offline
+ * peer identity verification. The verifier never needs to contact 1ID
+ * during verification -- only to refresh the root cache.
+ *
+ * Cache lifecycle:
+ *   1. First call to get_trust_roots() auto-fetches from /api/v1/trust/roots
+ *   2. Roots are cached on disk (alongside credentials.json)
+ *   3. Subsequent calls use the cache (no network)
+ *   4. refresh_trust_roots() explicitly refetches and updates the cache
+ *   5. Cache has no expiry -- roots are long-lived (30+ years)
+ */
+import * as crypto from "node:crypto";
+import * as fs from "node:fs";
+import * as https from "node:https";
+import * as http from "node:http";
+import * as path from "node:path";
+import { get_credentials_directory } from "./credentials.js";
+const TRUST_ROOTS_CACHE_FILENAME = "trust-roots.pem";
+const TRUST_ROOTS_API_PATH = "/api/v1/trust/roots";
+const DEFAULT_API_BASE_URL = "https://1id.com";
+const FETCH_TIMEOUT_MILLISECONDS = 15_000;
+let cached_root_certificates = null;
+let cached_root_pem = null;
+function get_trust_roots_cache_path() {
+    return path.join(get_credentials_directory(), TRUST_ROOTS_CACHE_FILENAME);
+}
+/**
+ * Split a PEM bundle into individual X509Certificate objects.
+ */
+export function parse_pem_bundle_into_certificates(pem_bundle) {
+    const certificates = [];
+    const pem_regex = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
+    let match;
+    while ((match = pem_regex.exec(pem_bundle)) !== null) {
+        try {
+            certificates.push(new crypto.X509Certificate(match[0]));
+        }
+        catch {
+            // skip unparseable blocks
+        }
+    }
+    return certificates;
+}
+function load_from_cache() {
+    const cache_path = get_trust_roots_cache_path();
+    try {
+        if (fs.existsSync(cache_path)) {
+            const content = fs.readFileSync(cache_path, "utf-8");
+            if (content.trim()) {
+                return content;
+            }
+        }
+    }
+    catch {
+        // cache miss
+    }
+    return null;
+}
+function save_to_cache(pem_bundle) {
+    const cache_path = get_trust_roots_cache_path();
+    try {
+        fs.mkdirSync(path.dirname(cache_path), { recursive: true });
+        fs.writeFileSync(cache_path, pem_bundle, "utf-8");
+    }
+    catch {
+        // best-effort
+    }
+}
+function fetch_from_server(api_base_url) {
+    const base_url = api_base_url ?? DEFAULT_API_BASE_URL;
+    const url = new URL(TRUST_ROOTS_API_PATH, base_url);
+    return new Promise((resolve, reject) => {
+        const transport_module = url.protocol === "https:" ? https : http;
+        const request = transport_module.get(url, { timeout: FETCH_TIMEOUT_MILLISECONDS }, (response) => {
+            if (response.statusCode !== 200) {
+                reject(new Error(`Trust roots fetch failed: HTTP ${response.statusCode}`));
+                response.resume();
+                return;
+            }
+            const chunks = [];
+            response.on("data", (chunk) => chunks.push(chunk));
+            response.on("end", () => {
+                const pem_bundle = Buffer.concat(chunks).toString("utf-8");
+                if (!pem_bundle.includes("-----BEGIN CERTIFICATE-----")) {
+                    reject(new Error("Server returned invalid trust roots (no PEM certificates found)"));
+                    return;
+                }
+                resolve(pem_bundle);
+            });
+        });
+        request.on("error", reject);
+        request.on("timeout", () => {
+            request.destroy();
+            reject(new Error("Trust roots fetch timed out"));
+        });
+    });
+}
+/**
+ * Fetch current 1ID root certificates from the server and update the local cache.
+ *
+ * Called automatically on first use of verify_peer_identity(). Can also be
+ * called manually to force a refresh.
+ */
+export async function refresh_trust_roots(api_base_url) {
+    const pem_bundle = await fetch_from_server(api_base_url);
+    const certificates = parse_pem_bundle_into_certificates(pem_bundle);
+    if (certificates.length === 0) {
+        throw new Error("Trust roots PEM bundle contains no parseable certificates");
+    }
+    save_to_cache(pem_bundle);
+    cached_root_pem = pem_bundle;
+    cached_root_certificates = certificates;
+    return certificates;
+}
+/**
+ * Get the locally cached 1ID root certificates.
+ *
+ * If no cache exists, auto-fetches from the server (one-time).
+ * Subsequent calls return from the local cache (no network).
+ */
+export async function get_trust_roots(api_base_url) {
+    if (cached_root_certificates !== null) {
+        return cached_root_certificates;
+    }
+    const cached_pem = load_from_cache();
+    if (cached_pem) {
+        const certificates = parse_pem_bundle_into_certificates(cached_pem);
+        if (certificates.length > 0) {
+            cached_root_pem = cached_pem;
+            cached_root_certificates = certificates;
+            return certificates;
+        }
+    }
+    return refresh_trust_roots(api_base_url);
+}
+/**
+ * Return the raw PEM bundle of cached trust roots, or null if not loaded.
+ */
+export function get_trust_roots_pem() {
+    return cached_root_pem;
+}
+//# sourceMappingURL=trustRoots.js.map

package/dist/trustRoots.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trustRoots.js","sourceRoot":"","sources":["../src/trustRoots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AACpC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAE7D,MAAM,0BAA0B,GAAG,iBAAiB,CAAC;AACrD,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AACnD,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AAC/C,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAE1C,IAAI,wBAAwB,GAAoC,IAAI,CAAC;AACrE,IAAI,eAAe,GAAkB,IAAI,CAAC;AAE1C,SAAS,0BAA0B;IACjC,OAAO,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,0BAA0B,CAAC,CAAC;AAC5E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kCAAkC,CAAC,UAAkB;IACnE,MAAM,YAAY,GAA6B,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,+DAA+D,CAAC;IAClF,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC;YACH,YAAY,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,eAAe;IACtB,MAAM,UAAU,GAAG,0BAA0B,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;gBAAC,OAAO,OAAO,CAAC;YAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,aAAa;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,UAAkB;IACvC,MAAM,UAAU,GAAG,0BAA0B,EAAE,CAAC;IAChD,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,YAAqB;IAC9C,MAAM,QAAQ,GAAG,YAAY,IAAI,oBAAoB,CAAC;IACtD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,oBAAoB,EAAE,QAAQ,CAAC,CAAC;IAEpD,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,gBAAgB,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAClE,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,0BAA0B,EAAE,EAAE,CAAC,QAAQ,EAAE,EAAE;YAC9F,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAChC,MAAM,CAAC,IAAI,KAAK,CAAC,kCAAkC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;gBAC3E,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAClB,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3D,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACtB,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAC3D,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,6BAA6B,CAAC,EAAE,CAAC;oBACxD,MAAM,CAAC,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC,CAAC;oBACrF,OAAO;gBACT,CAAC;gBACD,OAAO,CAAC,UAAU,CAAC,CAAC;YACtB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC5B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACzB,OAAO,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,YAAqB;IAC7D,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,kCAAkC,CAAC,UAAU,CAAC,CAAC;IAEpE,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC/E,CAAC;IAED,aAAa,CAAC,UAAU,CAAC,CAAC;IAC1B,eAAe,GAAG,UAAU,CAAC;IAC7B,wBAAwB,GAAG,YAAY,CAAC;IAExC,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,YAAqB;IACzD,IAAI,wBAAwB,KAAK,IAAI,EAAE,CAAC;QACtC,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,kCAAkC,CAAC,UAAU,CAAC,CAAC;QACpE,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,eAAe,GAAG,UAAU,CAAC;YAC7B,wBAAwB,GAAG,YAAY,CAAC;YACxC,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,mBAAmB,CAAC,YAAY,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/verify.d.ts

@@ -0,0 +1,71 @@
+/**
+ * 1id Peer Identity Verification
+ *
+ * Assembles and validates proof bundles for offline, privacy-preserving
+ * agent-to-agent identity verification.
+ *
+ * Protocol:
+ *   1. Verifier generates a random nonce (32+ bytes)
+ *   2. Agent calls signChallenge(nonce) -> IdentityProofBundle
+ *   3. Verifier calls verifyPeerIdentity(nonce, bundle)
+ *      -> VerifiedPeerIdentity
+ *
+ * No secrets are exchanged. The verifier never contacts 1ID. Once the
+ * trust root is cached locally, verification is entirely offline.
+ */
+import { OneIDError } from "./exceptions.js";
+export declare class PeerVerificationError extends OneIDError {
+    constructor(message: string, error_code?: string);
+}
+export declare class CertificateChainValidationError extends PeerVerificationError {
+    constructor(message: string);
+}
+export declare class SignatureVerificationError extends PeerVerificationError {
+    constructor(message: string);
+}
+export declare class MissingIdentityCertificateError extends PeerVerificationError {
+    constructor(message: string);
+}
+export interface IdentityProofBundle {
+    signature_b64: string;
+    certificate_chain_pem: string;
+    agent_id: string;
+    trust_tier: string;
+    algorithm: string;
+}
+export interface VerifiedPeerIdentity {
+    agent_id: string;
+    trust_tier: string;
+    enrolled_at: string;
+    hardware_locked: boolean;
+    chain_valid: boolean;
+}
+/**
+ * Sign a verifier-provided nonce and assemble a proof bundle.
+ *
+ * Dispatches to the appropriate signing mechanism based on trust tier:
+ *   - sovereign (TPM): delegates to oneid-enroll sign
+ *   - portable (YubiKey): delegates to oneid-enroll piv-sign
+ *   - declared (software): signs with local private key
+ *
+ * @param nonce_bytes Raw bytes of the verifier-generated nonce.
+ * @returns IdentityProofBundle ready to send to the verifier.
+ */
+export declare function signChallenge(nonce_bytes: Buffer): Promise<IdentityProofBundle>;
+/**
+ * Validate another agent's proof bundle. Entirely offline after first trust root fetch.
+ *
+ * Steps:
+ *   1. Parse the certificate chain from the proof bundle
+ *   2. Validate the chain (each cert signed by its parent)
+ *   3. Verify the chain terminates at a locally cached 1ID root
+ *   4. Verify the nonce signature against the leaf certificate's public key
+ *   5. Extract identity claims from the leaf cert extensions
+ *
+ * @param nonce_bytes The original nonce bytes that the prover was asked to sign.
+ * @param proof_bundle The IdentityProofBundle from the prover.
+ * @param api_base_url Override for trust root server URL (only on first call if no cache).
+ * @returns VerifiedPeerIdentity with verified agent_id, trust_tier, etc.
+ */
+export declare function verifyPeerIdentity(nonce_bytes: Buffer, proof_bundle: IdentityProofBundle, api_base_url?: string): Promise<VerifiedPeerIdentity>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,OAAO,EAAoB,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAQ/D,qBAAa,qBAAsB,SAAQ,UAAU;gBACvC,OAAO,EAAE,MAAM,EAAE,UAAU,GAAE,MAAkC;CAI5E;AAED,qBAAa,+BAAgC,SAAQ,qBAAqB;gBAC5D,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,0BAA2B,SAAQ,qBAAqB;gBACvD,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,+BAAgC,SAAQ,qBAAqB;gBAC5D,OAAO,EAAE,MAAM;CAI5B;AAED,MAAM,WAAW,mBAAmB;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,OAAO,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;CACtB;AA+BD;;;;;;;;;;GAUG;AACH,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA0CrF;AAwJD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,mBAAmB,EACjC,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,oBAAoB,CAAC,CAsD/B"}

package/dist/verify.js

@@ -0,0 +1,315 @@
+/**
+ * 1id Peer Identity Verification
+ *
+ * Assembles and validates proof bundles for offline, privacy-preserving
+ * agent-to-agent identity verification.
+ *
+ * Protocol:
+ *   1. Verifier generates a random nonce (32+ bytes)
+ *   2. Agent calls signChallenge(nonce) -> IdentityProofBundle
+ *   3. Verifier calls verifyPeerIdentity(nonce, bundle)
+ *      -> VerifiedPeerIdentity
+ *
+ * No secrets are exchanged. The verifier never contacts 1ID. Once the
+ * trust root is cached locally, verification is entirely offline.
+ */
+import * as crypto from "node:crypto";
+import { load_credentials } from "./credentials.js";
+import { NotEnrolledError, OneIDError } from "./exceptions.js";
+import { sign_challenge_with_private_key } from "./keys.js";
+import { get_trust_roots, parse_pem_bundle_into_certificates } from "./trustRoots.js";
+const ONEID_OID_TRUST_TIER = "1.3.6.1.4.1.59999.1.1";
+const ONEID_OID_ENROLLED_AT = "1.3.6.1.4.1.59999.1.2";
+const ONEID_OID_HARDWARE_LOCKED = "1.3.6.1.4.1.59999.1.3";
+export class PeerVerificationError extends OneIDError {
+    constructor(message, error_code = "PEER_VERIFICATION_ERROR") {
+        super(message, error_code);
+        this.name = "PeerVerificationError";
+    }
+}
+export class CertificateChainValidationError extends PeerVerificationError {
+    constructor(message) {
+        super(message, "CERTIFICATE_CHAIN_VALIDATION_ERROR");
+        this.name = "CertificateChainValidationError";
+    }
+}
+export class SignatureVerificationError extends PeerVerificationError {
+    constructor(message) {
+        super(message, "SIGNATURE_VERIFICATION_ERROR");
+        this.name = "SignatureVerificationError";
+    }
+}
+export class MissingIdentityCertificateError extends PeerVerificationError {
+    constructor(message) {
+        super(message, "MISSING_IDENTITY_CERTIFICATE");
+        this.name = "MissingIdentityCertificateError";
+    }
+}
+function determine_signing_algorithm_name(creds) {
+    const algo = (creds.key_algorithm ?? "").toLowerCase();
+    if (algo.includes("ed25519")) {
+        return "EdDSA";
+    }
+    if (algo.includes("p-384") || algo.includes("p384") || algo.includes("ecdsa-p384")) {
+        return "ES384";
+    }
+    if (algo.includes("p-256") || algo.includes("p256") || algo.includes("ecdsa") || algo.includes("piv")) {
+        return "ES256";
+    }
+    if (algo.includes("rsa") || algo.includes("tpm-ak")) {
+        return "RS256";
+    }
+    return "RS256";
+}
+async function sign_with_tpm(nonce_bytes, ak_handle) {
+    const { sign_challenge_with_tpm } = await import("./helper.js");
+    const nonce_b64 = nonce_bytes.toString("base64");
+    const result = await sign_challenge_with_tpm(nonce_b64, ak_handle);
+    const signature_b64 = result["signature_b64"] ?? "";
+    const algorithm_raw = result["algorithm"] ?? "RSASSA-SHA256";
+    const algorithm = algorithm_raw.toUpperCase().includes("RSA") ? "RS256" : algorithm_raw;
+    return { signature_bytes: Buffer.from(signature_b64, "base64"), algorithm };
+}
+async function sign_with_piv(nonce_bytes) {
+    const { sign_challenge_with_piv } = await import("./helper.js");
+    const nonce_b64 = nonce_bytes.toString("base64");
+    const result = await sign_challenge_with_piv(nonce_b64);
+    const signature_b64 = result["signature_b64"] ?? "";
+    const algorithm_raw = result["algorithm"] ?? "ECDSA-SHA256";
+    const algorithm = algorithm_raw.toUpperCase().includes("ECDSA") ? "ES256" : algorithm_raw;
+    return { signature_bytes: Buffer.from(signature_b64, "base64"), algorithm };
+}
+/**
+ * Sign a verifier-provided nonce and assemble a proof bundle.
+ *
+ * Dispatches to the appropriate signing mechanism based on trust tier:
+ *   - sovereign (TPM): delegates to oneid-enroll sign
+ *   - portable (YubiKey): delegates to oneid-enroll piv-sign
+ *   - declared (software): signs with local private key
+ *
+ * @param nonce_bytes Raw bytes of the verifier-generated nonce.
+ * @returns IdentityProofBundle ready to send to the verifier.
+ */
+export async function signChallenge(nonce_bytes) {
+    const creds = load_credentials();
+    if (!creds.identity_certificate_chain_pem) {
+        throw new MissingIdentityCertificateError("No identity certificate chain found in credentials. " +
+            "This agent was enrolled before certificate issuance was available. " +
+            "Re-enroll or recover your identity to obtain a certificate.");
+    }
+    const trust_tier = creds.trust_tier ?? "declared";
+    const agent_id = creds.client_id;
+    let signature_bytes;
+    let algorithm;
+    if (trust_tier === "sovereign" || trust_tier === "virtual" || creds.key_algorithm === "tpm-ak") {
+        const ak_handle = creds.hsm_key_reference ?? "";
+        const result = await sign_with_tpm(nonce_bytes, ak_handle);
+        signature_bytes = result.signature_bytes;
+        algorithm = result.algorithm;
+    }
+    else if (trust_tier === "portable" || creds.hsm_key_reference === "piv-slot-9a") {
+        const result = await sign_with_piv(nonce_bytes);
+        signature_bytes = result.signature_bytes;
+        algorithm = result.algorithm;
+    }
+    else if (creds.private_key_pem) {
+        signature_bytes = sign_challenge_with_private_key(creds.private_key_pem, nonce_bytes);
+        algorithm = determine_signing_algorithm_name(creds);
+    }
+    else {
+        throw new NotEnrolledError("Cannot sign challenge: no signing key available. " +
+            "Credentials exist but contain neither a private key nor an HSM reference.");
+    }
+    return {
+        signature_b64: signature_bytes.toString("base64"),
+        certificate_chain_pem: creds.identity_certificate_chain_pem,
+        agent_id,
+        trust_tier,
+        algorithm,
+    };
+}
+/**
+ * Extract the value of a custom extension by OID from a certificate.
+ * Node.js X509Certificate doesn't expose arbitrary extensions directly,
+ * so we parse the raw DER to find it.
+ */
+function extract_custom_extension_value_from_raw_der(cert, target_oid) {
+    const info_access = cert.infoAccess;
+    // Node.js X509Certificate doesn't expose custom OIDs through its API.
+    // We look for the OID in the raw DER data as a fallback.
+    const raw = cert.raw;
+    const oid_parts = target_oid.split(".").map(Number);
+    // Encode the OID in DER format for searching
+    const encoded_oid_bytes = [];
+    encoded_oid_bytes.push(40 * oid_parts[0] + oid_parts[1]);
+    for (let i = 2; i < oid_parts.length; i++) {
+        let value = oid_parts[i];
+        if (value < 128) {
+            encoded_oid_bytes.push(value);
+        }
+        else {
+            const temp = [];
+            temp.push(value & 0x7f);
+            value >>= 7;
+            while (value > 0) {
+                temp.push((value & 0x7f) | 0x80);
+                value >>= 7;
+            }
+            temp.reverse();
+            encoded_oid_bytes.push(...temp);
+        }
+    }
+    const oid_buffer = Buffer.from(encoded_oid_bytes);
+    // Search for the OID in the raw DER
+    let search_offset = 0;
+    while (search_offset < raw.length - oid_buffer.length) {
+        const found_at = raw.indexOf(oid_buffer, search_offset);
+        if (found_at === -1) {
+            break;
+        }
+        // The extension value follows: OID -> critical flag -> OCTET STRING wrapping the value
+        // Walk past the OID to find the OCTET STRING (tag 0x04) containing the value
+        let pos = found_at + oid_buffer.length;
+        // Skip past remaining TLV structures until we find the OCTET STRING
+        let depth = 0;
+        while (pos < raw.length && depth < 20) {
+            const tag = raw[pos];
+            if (tag === 0x04) { // OCTET STRING
+                pos++;
+                let octet_length = raw[pos];
+                pos++;
+                if (octet_length > 127) {
+                    const num_length_bytes = octet_length & 0x7f;
+                    octet_length = 0;
+                    for (let j = 0; j < num_length_bytes; j++) {
+                        octet_length = (octet_length << 8) | raw[pos];
+                        pos++;
+                    }
+                }
+                return raw.subarray(pos, pos + octet_length);
+            }
+            // Skip this TLV
+            pos++;
+            if (pos >= raw.length) {
+                break;
+            }
+            let skip_length = raw[pos];
+            pos++;
+            if (skip_length > 127) {
+                const num_bytes = skip_length & 0x7f;
+                skip_length = 0;
+                for (let j = 0; j < num_bytes; j++) {
+                    skip_length = (skip_length << 8) | raw[pos];
+                    pos++;
+                }
+            }
+            pos += skip_length;
+            depth++;
+        }
+        search_offset = found_at + 1;
+    }
+    return null;
+}
+function verify_certificate_chain_signatures(chain) {
+    for (let i = 0; i < chain.length - 1; i++) {
+        const child = chain[i];
+        const parent = chain[i + 1];
+        if (!child.checkIssued(parent)) {
+            throw new CertificateChainValidationError(`Certificate at position ${i} is not issued by certificate at position ${i + 1}`);
+        }
+    }
+}
+function verify_chain_terminates_at_trusted_root(chain, trusted_roots) {
+    if (chain.length === 0) {
+        throw new CertificateChainValidationError("Certificate chain is empty");
+    }
+    const chain_root = chain[chain.length - 1];
+    const chain_root_fingerprint = chain_root.fingerprint256;
+    const root_is_trusted = trusted_roots.some((root) => root.fingerprint256 === chain_root_fingerprint);
+    if (!root_is_trusted) {
+        throw new CertificateChainValidationError(`Chain root '${chain_root.subject}' is not in the set of trusted 1ID roots`);
+    }
+}
+function verify_nonce_signature(nonce_bytes, signature_bytes, leaf_cert) {
+    const public_key = leaf_cert.publicKey;
+    const key_type = public_key.asymmetricKeyType;
+    let signature_is_valid = false;
+    if (key_type === "ed25519") {
+        signature_is_valid = crypto.verify(null, nonce_bytes, public_key, signature_bytes);
+    }
+    else if (key_type === "ec") {
+        const curve_name = public_key.asymmetricKeyDetails?.namedCurve;
+        const hash_algorithm = curve_name === "P-384" ? "sha384" : "sha256";
+        signature_is_valid = crypto.verify(hash_algorithm, nonce_bytes, public_key, signature_bytes);
+    }
+    else if (key_type === "rsa") {
+        signature_is_valid = crypto.verify("sha256", nonce_bytes, {
+            key: public_key,
+            padding: crypto.constants.RSA_PKCS1_PADDING,
+        }, signature_bytes);
+    }
+    else {
+        throw new SignatureVerificationError(`Unsupported public key type: ${key_type}`);
+    }
+    if (!signature_is_valid) {
+        throw new SignatureVerificationError("Nonce signature does not match the leaf certificate's public key");
+    }
+}
+/**
+ * Validate another agent's proof bundle. Entirely offline after first trust root fetch.
+ *
+ * Steps:
+ *   1. Parse the certificate chain from the proof bundle
+ *   2. Validate the chain (each cert signed by its parent)
+ *   3. Verify the chain terminates at a locally cached 1ID root
+ *   4. Verify the nonce signature against the leaf certificate's public key
+ *   5. Extract identity claims from the leaf cert extensions
+ *
+ * @param nonce_bytes The original nonce bytes that the prover was asked to sign.
+ * @param proof_bundle The IdentityProofBundle from the prover.
+ * @param api_base_url Override for trust root server URL (only on first call if no cache).
+ * @returns VerifiedPeerIdentity with verified agent_id, trust_tier, etc.
+ */
+export async function verifyPeerIdentity(nonce_bytes, proof_bundle, api_base_url) {
+    const chain = parse_pem_bundle_into_certificates(proof_bundle.certificate_chain_pem);
+    if (chain.length === 0) {
+        throw new CertificateChainValidationError("Proof bundle contains no parseable certificates");
+    }
+    const trusted_roots = await get_trust_roots(api_base_url);
+    verify_certificate_chain_signatures(chain);
+    verify_chain_terminates_at_trusted_root(chain, trusted_roots);
+    const leaf_cert = chain[0];
+    const now = new Date();
+    const not_before = new Date(leaf_cert.validFrom);
+    const not_after = new Date(leaf_cert.validTo);
+    if (not_before > now) {
+        throw new CertificateChainValidationError(`Leaf certificate is not yet valid (not_before: ${leaf_cert.validFrom})`);
+    }
+    if (not_after < now) {
+        throw new CertificateChainValidationError(`Leaf certificate has expired (not_after: ${leaf_cert.validTo})`);
+    }
+    const signature_bytes = Buffer.from(proof_bundle.signature_b64, "base64");
+    verify_nonce_signature(nonce_bytes, signature_bytes, leaf_cert);
+    // Extract custom extensions from the leaf certificate
+    const trust_tier_raw = extract_custom_extension_value_from_raw_der(leaf_cert, ONEID_OID_TRUST_TIER);
+    const enrolled_at_raw = extract_custom_extension_value_from_raw_der(leaf_cert, ONEID_OID_ENROLLED_AT);
+    const hardware_locked_raw = extract_custom_extension_value_from_raw_der(leaf_cert, ONEID_OID_HARDWARE_LOCKED);
+    const verified_trust_tier = trust_tier_raw ? trust_tier_raw.toString("utf-8") : proof_bundle.trust_tier;
+    const verified_enrolled_at = enrolled_at_raw ? enrolled_at_raw.toString("utf-8") : "";
+    const verified_hardware_locked = hardware_locked_raw ? hardware_locked_raw[0] === 0x01 : false;
+    // Try to extract agent_id from SAN URI
+    let verified_agent_id = proof_bundle.agent_id;
+    const san_string = leaf_cert.subjectAltName ?? "";
+    const uri_match = san_string.match(/URI:urn:oneid:agent:([^\s,]+)/);
+    if (uri_match) {
+        verified_agent_id = uri_match[1];
+    }
+    return {
+        agent_id: verified_agent_id,
+        trust_tier: verified_trust_tier,
+        enrolled_at: verified_enrolled_at,
+        hardware_locked: verified_hardware_locked,
+        chain_valid: true,
+    };
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,gBAAgB,EAA0B,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,+BAA+B,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,kCAAkC,EAAE,MAAM,iBAAiB,CAAC;AAEtF,MAAM,oBAAoB,GAAG,uBAAuB,CAAC;AACrD,MAAM,qBAAqB,GAAG,uBAAuB,CAAC;AACtD,MAAM,yBAAyB,GAAG,uBAAuB,CAAC;AAE1D,MAAM,OAAO,qBAAsB,SAAQ,UAAU;IACnD,YAAY,OAAe,EAAE,aAAqB,yBAAyB;QACzE,KAAK,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC3B,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,MAAM,OAAO,+BAAgC,SAAQ,qBAAqB;IACxE,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,oCAAoC,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI,GAAG,iCAAiC,CAAC;IAChD,CAAC;CACF;AAED,MAAM,OAAO,0BAA2B,SAAQ,qBAAqB;IACnE,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,8BAA8B,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAED,MAAM,OAAO,+BAAgC,SAAQ,qBAAqB;IACxE,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,8BAA8B,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,GAAG,iCAAiC,CAAC;IAChD,CAAC;CACF;AAkBD,SAAS,gCAAgC,CAAC,KAAwB;IAChE,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACvD,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAAC,OAAO,OAAO,CAAC;IAAC,CAAC;IACjD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAAC,OAAO,OAAO,CAAC;IAAC,CAAC;IACvG,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAAC,OAAO,OAAO,CAAC;IAAC,CAAC;IAC1H,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAC,OAAO,OAAO,CAAC;IAAC,CAAC;IACxE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,WAAmB,EAAE,SAAiB;IACjE,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACnE,MAAM,aAAa,GAAI,MAAM,CAAC,eAAe,CAAY,IAAI,EAAE,CAAC;IAChE,MAAM,aAAa,GAAI,MAAM,CAAC,WAAW,CAAY,IAAI,eAAe,CAAC;IACzE,MAAM,SAAS,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC;IACxF,OAAO,EAAE,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,EAAE,SAAS,EAAE,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,WAAmB;IAC9C,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACxD,MAAM,aAAa,GAAI,MAAM,CAAC,eAAe,CAAY,IAAI,EAAE,CAAC;IAChE,MAAM,aAAa,GAAI,MAAM,CAAC,WAAW,CAAY,IAAI,cAAc,CAAC;IACxE,MAAM,SAAS,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC;IAC1F,OAAO,EAAE,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,EAAE,SAAS,EAAE,CAAC;AAC9E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,WAAmB;IACrD,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IAEjC,IAAI,CAAC,KAAK,CAAC,8BAA8B,EAAE,CAAC;QAC1C,MAAM,IAAI,+BAA+B,CACvC,sDAAsD;YACtD,qEAAqE;YACrE,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,UAAU,CAAC;IAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC;IACjC,IAAI,eAAuB,CAAC;IAC5B,IAAI,SAAiB,CAAC;IAEtB,IAAI,UAAU,KAAK,WAAW,IAAI,UAAU,KAAK,SAAS,IAAI,KAAK,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;QAC/F,MAAM,SAAS,GAAG,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAC3D,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QACzC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IAC/B,CAAC;SAAM,IAAI,UAAU,KAAK,UAAU,IAAI,KAAK,CAAC,iBAAiB,KAAK,aAAa,EAAE,CAAC;QAClF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAChD,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QACzC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IAC/B,CAAC;SAAM,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QACjC,eAAe,GAAG,+BAA+B,CAAC,KAAK,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;QACtF,SAAS,GAAG,gCAAgC,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,gBAAgB,CACxB,mDAAmD;YACnD,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,OAAO;QACL,aAAa,EAAE,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACjD,qBAAqB,EAAE,KAAK,CAAC,8BAA8B;QAC3D,QAAQ;QACR,UAAU;QACV,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,2CAA2C,CAAC,IAA4B,EAAE,UAAkB;IACnG,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC;IACpC,sEAAsE;IACtE,yDAAyD;IACzD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrB,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEpD,6CAA6C;IAC7C,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,iBAAiB,CAAC,IAAI,CAAC,EAAE,GAAG,SAAS,CAAC,CAAC,CAAE,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC,CAAC;IAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,KAAK,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QAC1B,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAChB,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;YACxB,KAAK,KAAK,CAAC,CAAC;YACZ,OAAO,KAAK,GAAG,CAAC,EAAE,CAAC;gBACjB,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;gBACjC,KAAK,KAAK,CAAC,CAAC;YACd,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,iBAAiB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAElD,oCAAoC;IACpC,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,OAAO,aAAa,GAAG,GAAG,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC;QACtD,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACxD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;YAAC,MAAM;QAAC,CAAC;QAE/B,uFAAuF;QACvF,6EAA6E;QAC7E,IAAI,GAAG,GAAG,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC;QACvC,oEAAoE;QACpE,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,OAAO,GAAG,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAE,CAAC;YACtB,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC,CAAC,eAAe;gBACjC,GAAG,EAAE,CAAC;gBACN,IAAI,YAAY,GAAG,GAAG,CAAC,GAAG,CAAE,CAAC;gBAC7B,GAAG,EAAE,CAAC;gBACN,IAAI,YAAY,GAAG,GAAG,EAAE,CAAC;oBACvB,MAAM,gBAAgB,GAAG,YAAY,GAAG,IAAI,CAAC;oBAC7C,YAAY,GAAG,CAAC,CAAC;oBACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,gBAAgB,EAAE,CAAC,EAAE,EAAE,CAAC;wBAC1C,YAAY,GAAG,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAE,CAAC;wBAC/C,GAAG,EAAE,CAAC;oBACR,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,GAAG,YAAY,CAAC,CAAC;YAC/C,CAAC;YACD,gBAAgB;YAChB,GAAG,EAAE,CAAC;YACN,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;gBAAC,MAAM;YAAC,CAAC;YACjC,IAAI,WAAW,GAAG,GAAG,CAAC,GAAG,CAAE,CAAC;YAC5B,GAAG,EAAE,CAAC;YACN,IAAI,WAAW,GAAG,GAAG,EAAE,CAAC;gBACtB,MAAM,SAAS,GAAG,WAAW,GAAG,IAAI,CAAC;gBACrC,WAAW,GAAG,CAAC,CAAC;gBAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;oBACnC,WAAW,GAAG,CAAC,WAAW,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAE,CAAC;oBAC7C,GAAG,EAAE,CAAC;gBACR,CAAC;YACH,CAAC;YACD,GAAG,IAAI,WAAW,CAAC;YACnB,KAAK,EAAE,CAAC;QACV,CAAC;QAED,aAAa,GAAG,QAAQ,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mCAAmC,CAAC,KAA+B;IAC1E,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACxB,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,+BAA+B,CACvC,2BAA2B,CAAC,6CAA6C,CAAC,GAAG,CAAC,EAAE,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,uCAAuC,CAC9C,KAA+B,EAC/B,aAAuC;IAEvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,+BAA+B,CAAC,4BAA4B,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC;IAC5C,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;IAEzD,MAAM,eAAe,GAAG,aAAa,CAAC,IAAI,CACxC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,KAAK,sBAAsB,CACzD,CAAC;IAEF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,+BAA+B,CACvC,eAAe,UAAU,CAAC,OAAO,0CAA0C,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAC7B,WAAmB,EACnB,eAAuB,EACvB,SAAiC;IAEjC,MAAM,UAAU,GAAG,SAAS,CAAC,SAAS,CAAC;IACvC,MAAM,QAAQ,GAAG,UAAU,CAAC,iBAAiB,CAAC;IAE9C,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IACrF,CAAC;SAAM,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,UAAU,CAAC,oBAAoB,EAAE,UAAU,CAAC;QAC/D,MAAM,cAAc,GAAG,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;QACpE,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAC/F,CAAC;SAAM,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;QAC9B,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,WAAW,EAAE;YACxD,GAAG,EAAE,UAAU;YACf,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,iBAAiB;SAC5C,EAAE,eAAe,CAAC,CAAC;IACtB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,0BAA0B,CAAC,gCAAgC,QAAQ,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,IAAI,0BAA0B,CAClC,kEAAkE,CACnE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,YAAiC,EACjC,YAAqB;IAErB,MAAM,KAAK,GAAG,kCAAkC,CAAC,YAAY,CAAC,qBAAqB,CAAC,CAAC;IACrF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,+BAA+B,CAAC,iDAAiD,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,CAAC;IAE1D,mCAAmC,CAAC,KAAK,CAAC,CAAC;IAC3C,uCAAuC,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;IAE9D,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IAE5B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,+BAA+B,CACvC,kDAAkD,SAAS,CAAC,SAAS,GAAG,CACzE,CAAC;IACJ,CAAC;IACD,IAAI,SAAS,GAAG,GAAG,EAAE,CAAC;QACpB,MAAM,IAAI,+BAA+B,CACvC,4CAA4C,SAAS,CAAC,OAAO,GAAG,CACjE,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAC1E,sBAAsB,CAAC,WAAW,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;IAEhE,sDAAsD;IACtD,MAAM,cAAc,GAAG,2CAA2C,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAC;IACpG,MAAM,eAAe,GAAG,2CAA2C,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;IACtG,MAAM,mBAAmB,GAAG,2CAA2C,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;IAE9G,MAAM,mBAAmB,GAAG,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC;IACxG,MAAM,oBAAoB,GAAG,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,MAAM,wBAAwB,GAAG,mBAAmB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;IAE/F,uCAAuC;IACvC,IAAI,iBAAiB,GAAG,YAAY,CAAC,QAAQ,CAAC;IAC9C,MAAM,UAAU,GAAG,SAAS,CAAC,cAAc,IAAI,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACpE,IAAI,SAAS,EAAE,CAAC;QACd,iBAAiB,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IACpC,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,UAAU,EAAE,mBAAmB;QAC/B,WAAW,EAAE,oBAAoB;QACjC,eAAe,EAAE,wBAAwB;QACzC,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC"}

package/dist/world.d.ts

@@ -0,0 +1,83 @@
+/**
+ * World/status endpoint for the 1id.com Node.js SDK.
+ *
+ * Fetches the full identity state from the server's world endpoint:
+ * identity, devices, connected services, available services, and operator guidance.
+ *
+ * Results are cached for 5 minutes. Call invalidate_world_cache() to force a fresh fetch.
+ */
+import { type StoredCredentials } from "./credentials.js";
+export interface WorldIdentitySection {
+    internal_id: string;
+    handle: string;
+    trust_tier: string;
+    display_name: string | null;
+    agent_identity_urn: string | null;
+    enrolled_at: string | null;
+    hardware_locked: boolean;
+    locked_at: string | null;
+    hardware_lock_notice: string | null;
+    operator_email_registered: boolean;
+    credential_pointer_count: number;
+}
+export interface WorldDeviceEntry {
+    device_type: string;
+    device_fingerprint: string;
+    device_status: string;
+    trust_tier: string | null;
+    tpm_manufacturer: string | null;
+    piv_serial: string | null;
+    bound_at: string | null;
+    burned_at: string | null;
+    burn_reason: string | null;
+}
+export interface WorldServiceEntry {
+    service_id: string;
+    service_name: string;
+    service_type: string | null;
+    category: string | null;
+    status: string | null;
+    primary_identifier: string | null;
+    aliases: string[] | null;
+    dashboard_url: string | null;
+    description: string | null;
+    minimum_trust_tier: string | null;
+}
+export interface WorldGuidanceItem {
+    id: string;
+    priority: string;
+    title: string;
+    description: string;
+    human_action_url: string | null;
+    agent_api_endpoint: string | null;
+}
+export interface WorldOperatorGuidance {
+    message_for_human: string;
+    items: WorldGuidanceItem[];
+}
+export interface WorldStatus {
+    identity: WorldIdentitySection;
+    devices: WorldDeviceEntry[];
+    connected_services: WorldServiceEntry[];
+    available_services: WorldServiceEntry[];
+    operator_guidance: WorldOperatorGuidance | null;
+    raw_data: Record<string, unknown>;
+}
+/**
+ * Fetch the full world state from the server.
+ *
+ * Returns everything: identity, devices, connected services, available services,
+ * and operator guidance. Results are cached for 5 minutes.
+ *
+ * @param credentials Optional pre-loaded credentials.
+ * @returns WorldStatus with complete identity state.
+ * @throws NotEnrolledError if no credentials exist.
+ * @throws AuthenticationError if the token is invalid or expired.
+ * @throws NetworkError if the server cannot be reached.
+ */
+export declare function fetch_world_status_from_server(credentials?: StoredCredentials | null): Promise<WorldStatus>;
+/**
+ * Clear the cached world status, forcing a fresh fetch on next call.
+ */
+export declare function invalidate_world_cache(): void;
+//# sourceMappingURL=world.d.ts.map

package/dist/world.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"world.d.ts","sourceRoot":"","sources":["../src/world.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAoB,KAAK,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAO5E,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,yBAAyB,EAAE,OAAO,CAAC;IACnC,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACzB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC;AAED,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,KAAK,EAAE,iBAAiB,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,iBAAiB,EAAE,qBAAqB,GAAG,IAAI,CAAC;IAChD,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAKD;;;;;;;;;;;GAWG;AACH,wBAAsB,8BAA8B,CAClD,WAAW,CAAC,EAAE,iBAAiB,GAAG,IAAI,GACrC,OAAO,CAAC,WAAW,CAAC,CA2BtB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,IAAI,CAG7C"}