@affectively/dash 5.2.1 → 5.3.1

package/dist/src/auth/manager.js

@@ -1,598 +0,0 @@
-import * as ucans from 'ucans';
-const DB_NAME = 'dash-auth';
-const DB_VERSION = 1;
-const STORE_NAME = 'identity';
-const IDENTITY_KEY = 'primary';
-/**
- * Check if IndexedDB is available
- */
-function isIndexedDBAvailable() {
-    try {
-        return typeof indexedDB !== 'undefined' && indexedDB !== null;
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Opens the IndexedDB database for auth storage
- * Returns null if IndexedDB is not available
- */
-async function openAuthDB() {
-    if (!isIndexedDBAvailable()) {
-        return null;
-    }
-    return new Promise((resolve, reject) => {
-        const request = indexedDB.open(DB_NAME, DB_VERSION);
-        request.onerror = () => reject(request.error);
-        request.onsuccess = () => resolve(request.result);
-        request.onupgradeneeded = (event) => {
-            const db = event.target.result;
-            if (!db.objectStoreNames.contains(STORE_NAME)) {
-                db.createObjectStore(STORE_NAME);
-            }
-        };
-    });
-}
-/**
- * Derives an encryption key from a password using PBKDF2
- */
-async function deriveKeyFromPassword(password, salt) {
-    const encoder = new TextEncoder();
-    const keyMaterial = await crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, ['deriveKey']);
-    // Create a copy of salt to ensure it's a proper ArrayBuffer
-    const saltBuffer = new Uint8Array(salt).buffer;
-    return crypto.subtle.deriveKey({
-        name: 'PBKDF2',
-        salt: saltBuffer,
-        iterations: 100000,
-        hash: 'SHA-256'
-    }, keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
-}
-/**
- * Encrypts string data with AES-GCM
- */
-async function encryptString(data, key) {
-    const encoder = new TextEncoder();
-    const dataBytes = encoder.encode(data);
-    const iv = crypto.getRandomValues(new Uint8Array(12));
-    // Create copies to ensure proper ArrayBuffer (not SharedArrayBuffer)
-    const ivBuffer = new Uint8Array(iv).buffer;
-    const dataBuffer = new Uint8Array(dataBytes).buffer;
-    const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: ivBuffer }, key, dataBuffer);
-    return { encrypted: new Uint8Array(encrypted), iv };
-}
-/**
- * Decrypts data with AES-GCM and returns as string
- */
-async function decryptString(encrypted, iv, key) {
-    // Create copies to ensure proper ArrayBuffer (not SharedArrayBuffer)
-    const ivBuffer = new Uint8Array(iv).buffer;
-    const encryptedBuffer = new Uint8Array(encrypted).buffer;
-    const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: ivBuffer }, key, encryptedBuffer);
-    const decoder = new TextDecoder();
-    return decoder.decode(decrypted);
-}
-/**
- * Converts Uint8Array to base64 string
- */
-function uint8ArrayToBase64(arr) {
-    return btoa(String.fromCharCode(...arr));
-}
-/**
- * Converts base64 string to Uint8Array
- */
-function base64ToUint8Array(base64) {
-    const binary = atob(base64);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-}
-export class AuthManager {
-    keypair = null;
-    did = null;
-    oauthIdentities = [];
-    relayUrl;
-    initialized = false;
-    constructor(relayUrl = 'https://relay.buley.dev') {
-        this.relayUrl = relayUrl;
-    }
-    /**
-     * Initialize the auth manager, loading existing keypair or creating new one
-     */
-    async init() {
-        if (this.initialized && this.did) {
-            return this.did;
-        }
-        // Try to load existing keypair from IndexedDB
-        const loaded = await this.loadKeypair();
-        if (!loaded) {
-            // Create new keypair if none exists (exportable so we can save it)
-            this.keypair = await ucans.EdKeypair.create({ exportable: true });
-            this.did = this.keypair.did();
-        }
-        this.initialized = true;
-        return this.did;
-    }
-    /**
-     * Get the DID (Decentralized Identifier)
-     */
-    getDID() {
-        if (!this.did)
-            throw new Error("AuthManager not initialized");
-        return this.did;
-    }
-    /**
-     * Get linked OAuth identities
-     */
-    getLinkedIdentities() {
-        return [...this.oauthIdentities];
-    }
-    /**
-     * Check if initialized
-     */
-    isInitialized() {
-        return this.initialized && this.keypair !== null;
-    }
-    /**
-     * Save the keypair to IndexedDB (encrypted with password)
-     * This enables persistent identity across sessions
-     */
-    async saveKeypair(password) {
-        if (!this.keypair || !this.did) {
-            throw new Error("No keypair to save - call init() first");
-        }
-        // Generate salt for PBKDF2
-        const salt = crypto.getRandomValues(new Uint8Array(16));
-        // Derive encryption key from password
-        const encryptionKey = await deriveKeyFromPassword(password, salt);
-        // Export the keypair's private key (returns base64-encoded string)
-        const privateKeyString = await this.keypair.export();
-        // Encrypt the private key string
-        const { encrypted, iv } = await encryptString(privateKeyString, encryptionKey);
-        // Combine IV and encrypted data
-        const combined = new Uint8Array(iv.length + encrypted.length);
-        combined.set(iv);
-        combined.set(encrypted, iv.length);
-        // Prepare stored identity
-        const storedIdentity = {
-            did: this.did,
-            publicKey: this.did, // DID contains the public key
-            encryptedPrivateKey: uint8ArrayToBase64(combined),
-            salt: uint8ArrayToBase64(salt),
-            oauthIdentities: this.oauthIdentities,
-            createdAt: new Date().toISOString(),
-            updatedAt: new Date().toISOString()
-        };
-        // Store in IndexedDB (skip if not available)
-        const db = await openAuthDB();
-        if (!db) {
-            console.warn('[AuthManager] IndexedDB not available, keypair not persisted');
-            return;
-        }
-        return new Promise((resolve, reject) => {
-            const tx = db.transaction(STORE_NAME, 'readwrite');
-            const store = tx.objectStore(STORE_NAME);
-            const request = store.put(storedIdentity, IDENTITY_KEY);
-            request.onerror = () => reject(request.error);
-            request.onsuccess = () => resolve();
-            tx.oncomplete = () => db.close();
-        });
-    }
-    /**
-     * Load keypair from IndexedDB (requires password to decrypt)
-     * Returns true if successfully loaded, false if no stored identity
-     */
-    async loadKeypair(password) {
-        try {
-            const db = await openAuthDB();
-            if (!db) {
-                // IndexedDB not available
-                return false;
-            }
-            const storedIdentity = await new Promise((resolve, reject) => {
-                const tx = db.transaction(STORE_NAME, 'readonly');
-                const store = tx.objectStore(STORE_NAME);
-                const request = store.get(IDENTITY_KEY);
-                request.onerror = () => reject(request.error);
-                request.onsuccess = () => resolve(request.result);
-                tx.oncomplete = () => db.close();
-            });
-            if (!storedIdentity) {
-                return false;
-            }
-            // If no password provided, we can only restore the DID (not the full keypair)
-            if (!password) {
-                this.did = storedIdentity.did;
-                this.oauthIdentities = storedIdentity.oauthIdentities || [];
-                // Keypair remains null - user needs to provide password for signing operations
-                return true;
-            }
-            // Decrypt the private key
-            const salt = base64ToUint8Array(storedIdentity.salt);
-            const encryptionKey = await deriveKeyFromPassword(password, salt);
-            const combined = base64ToUint8Array(storedIdentity.encryptedPrivateKey);
-            const iv = combined.slice(0, 12);
-            const encrypted = combined.slice(12);
-            const privateKeyString = await decryptString(encrypted, iv, encryptionKey);
-            // Reconstruct the keypair from the private key (base64 string)
-            this.keypair = ucans.EdKeypair.fromSecretKey(privateKeyString, { exportable: true });
-            this.did = this.keypair.did();
-            this.oauthIdentities = storedIdentity.oauthIdentities || [];
-            return true;
-        }
-        catch (error) {
-            console.error('[AuthManager] Failed to load keypair:', error);
-            return false;
-        }
-    }
-    /**
-     * Bind an OAuth identity to this UCAN identity
-     * Verifies the OAuth token with the Relay and stores the binding
-     */
-    async bindOAuthIdentity(provider, oauthToken, password) {
-        if (!this.keypair || !this.did) {
-            throw new Error("AuthManager not initialized");
-        }
-        // Verify OAuth token with Relay and get identity info
-        const response = await fetch(`${this.relayUrl}/auth/oauth/${provider}`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            body: JSON.stringify({
-                oauthToken,
-                did: this.did
-            })
-        });
-        if (!response.ok) {
-            const error = await response.text();
-            throw new Error(`OAuth verification failed: ${error}`);
-        }
-        const identity = await response.json();
-        // Add to linked identities (prevent duplicates)
-        const existingIndex = this.oauthIdentities.findIndex(i => i.provider === provider && i.providerId === identity.providerId);
-        if (existingIndex >= 0) {
-            this.oauthIdentities[existingIndex] = identity;
-        }
-        else {
-            this.oauthIdentities.push(identity);
-        }
-        // Re-save with updated identities
-        await this.saveKeypair(password);
-        return identity;
-    }
-    /**
-     * Recover keypair from cloud escrow using password
-     * Fetches encrypted escrow from Relay and decrypts locally
-     */
-    async recoverFromEscrow(provider, oauthToken, password) {
-        // First, verify OAuth to prove identity
-        const verifyResponse = await fetch(`${this.relayUrl}/auth/oauth/${provider}/verify`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            body: JSON.stringify({ oauthToken })
-        });
-        if (!verifyResponse.ok) {
-            throw new Error('OAuth verification failed');
-        }
-        const { userId } = await verifyResponse.json();
-        // Fetch encrypted escrow
-        const escrowResponse = await fetch(`${this.relayUrl}/auth/escrow/${userId}`, {
-            method: 'GET',
-            headers: {
-                'Authorization': `Bearer ${oauthToken}`
-            }
-        });
-        if (!escrowResponse.ok) {
-            if (escrowResponse.status === 404) {
-                return false; // No escrow found
-            }
-            throw new Error('Failed to fetch escrow');
-        }
-        const escrow = await escrowResponse.json();
-        // Decrypt using password
-        const salt = base64ToUint8Array(escrow.salt);
-        const encryptionKey = await deriveKeyFromPassword(password, salt);
-        const combined = base64ToUint8Array(escrow.encryptedKeypair);
-        const iv = combined.slice(0, 12);
-        const encrypted = combined.slice(12);
-        try {
-            const privateKeyString = await decryptString(encrypted, iv, encryptionKey);
-            // Reconstruct keypair from base64 string
-            this.keypair = ucans.EdKeypair.fromSecretKey(privateKeyString, { exportable: true });
-            this.did = this.keypair.did();
-            this.oauthIdentities = escrow.linkedIdentities || [];
-            // Save locally
-            await this.saveKeypair(password);
-            this.initialized = true;
-            return true;
-        }
-        catch (error) {
-            throw new Error('Invalid password - decryption failed');
-        }
-    }
-    /**
-     * Upload keypair escrow to cloud for recovery
-     * The escrow is encrypted with the user's password
-     */
-    async createEscrow(password) {
-        if (!this.keypair || !this.did) {
-            throw new Error("AuthManager not initialized");
-        }
-        // Generate salt
-        const salt = crypto.getRandomValues(new Uint8Array(16));
-        const encryptionKey = await deriveKeyFromPassword(password, salt);
-        // Export and encrypt private key (export returns base64 string)
-        const privateKeyString = await this.keypair.export();
-        const { encrypted, iv } = await encryptString(privateKeyString, encryptionKey);
-        const combined = new Uint8Array(iv.length + encrypted.length);
-        combined.set(iv);
-        combined.set(encrypted, iv.length);
-        // Upload to relay
-        const response = await fetch(`${this.relayUrl}/auth/escrow`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            body: JSON.stringify({
-                did: this.did,
-                encryptedKeypair: uint8ArrayToBase64(combined),
-                salt: uint8ArrayToBase64(salt),
-                linkedIdentities: this.oauthIdentities
-            })
-        });
-        if (!response.ok) {
-            throw new Error('Failed to create escrow');
-        }
-    }
-    /**
-     * Issue a UCAN token for room access
-     */
-    async issueRoomToken(roomAudience, roomName) {
-        // Auto-initialize if not already done
-        if (!this.keypair) {
-            await this.init();
-        }
-        if (!this.keypair) {
-            throw new Error("Keypair not loaded - provide password to unlock");
-        }
-        const capability = {
-            with: { scheme: "room", hierPart: `//${roomName}` },
-            can: { namespace: "room", segments: ["write"] }
-        };
-        const ucan = await ucans.build({
-            audience: roomAudience,
-            issuer: this.keypair,
-            capabilities: [capability],
-            lifetimeInSeconds: 3600
-        });
-        return ucans.encode(ucan);
-    }
-    /**
-     * Issue a UCAN token with custom capabilities
-     */
-    async issueToken(audience, capabilities, lifetimeInSeconds = 3600) {
-        if (!this.keypair) {
-            throw new Error("Keypair not loaded - provide password to unlock");
-        }
-        const ucan = await ucans.build({
-            audience,
-            issuer: this.keypair,
-            capabilities,
-            lifetimeInSeconds
-        });
-        return ucans.encode(ucan);
-    }
-    /**
-     * Clear local identity (logout)
-     */
-    /**
-     * Clear local identity (logout)
-     * @param injectedDb (for testing only) - pass a mock IndexedDB instance
-     */
-    async clearIdentity(injectedDb) {
-        this.keypair = null;
-        this.did = null;
-        this.oauthIdentities = [];
-        this.initialized = false;
-        try {
-            const db = injectedDb || await openAuthDB();
-            if (!db) {
-                return; // IndexedDB not available
-            }
-            await new Promise((resolve, reject) => {
-                let tx, store, request;
-                try {
-                    tx = db.transaction(STORE_NAME, 'readwrite');
-                    store = tx.objectStore(STORE_NAME);
-                    request = store.delete(IDENTITY_KEY);
-                }
-                catch (err) {
-                    reject(err);
-                    return;
-                }
-                request.onerror = () => reject(request.error);
-                request.onsuccess = () => resolve();
-                if (tx && typeof tx.oncomplete === 'function') {
-                    tx.oncomplete = () => db.close();
-                }
-            });
-        }
-        catch (error) {
-            console.error('[AuthManager] Failed to clear identity:', error);
-        }
-    }
-    // ============================================
-    // INTROSPECTION METHODS FOR DASH-STUDIO
-    // ============================================
-    /**
-     * Parse a UCAN token and extract its structure without verification
-     * This is for inspection/debugging purposes
-     */
-    parseUCAN(token) {
-        try {
-            const parts = token.split('.');
-            if (parts.length !== 3) {
-                return {
-                    valid: false,
-                    error: 'Invalid token format: expected 3 parts (header.payload.signature)'
-                };
-            }
-            // Decode header
-            let header;
-            try {
-                header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
-            }
-            catch {
-                return { valid: false, error: 'Failed to decode header' };
-            }
-            // Decode payload
-            let payload;
-            try {
-                payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
-            }
-            catch {
-                return { valid: false, error: 'Failed to decode payload' };
-            }
-            const now = Math.floor(Date.now() / 1000);
-            // Check expiration status
-            const isExpired = payload.exp ? payload.exp < now : false;
-            const isNotYetValid = payload.nbf ? payload.nbf > now : false;
-            // Calculate time until expiration
-            const expiresIn = payload.exp ? payload.exp - now : null;
-            // Parse capabilities
-            const capabilities = (payload.att || []).map((att) => ({
-                can: att.can || '',
-                with: att.with || '',
-                delegationDepth: att.delegationDepth,
-                constraints: att.constraints
-            }));
-            // Extract facts
-            const facts = payload.fct || {};
-            return {
-                valid: true,
-                header: {
-                    alg: header.alg,
-                    typ: header.typ,
-                    ucv: header.ucv
-                },
-                payload: {
-                    iss: payload.iss,
-                    aud: payload.aud,
-                    exp: payload.exp,
-                    nbf: payload.nbf,
-                    nnc: payload.nnc,
-                    att: capabilities,
-                    prf: payload.prf || [],
-                    fct: facts
-                },
-                signature: parts[2],
-                meta: {
-                    isExpired,
-                    isNotYetValid,
-                    expiresIn,
-                    proofCount: (payload.prf || []).length,
-                    capabilityCount: capabilities.length,
-                    hasKarma: 'karma' in facts,
-                    karma: typeof facts.karma === 'number' ? facts.karma : undefined
-                }
-            };
-        }
-        catch (error) {
-            return {
-                valid: false,
-                error: error instanceof Error ? error.message : 'Failed to parse token'
-            };
-        }
-    }
-    /**
-     * Check if keypair is loaded and ready for signing
-     */
-    isKeypairLoaded() {
-        return this.keypair !== null;
-    }
-    /**
-     * Get current DID or null if not initialized
-     */
-    getCurrentDID() {
-        return this.did;
-    }
-    /**
-     * Get full auth status for introspection
-     */
-    getAuthStatus() {
-        return {
-            initialized: this.initialized,
-            keypairLoaded: this.keypair !== null,
-            did: this.did,
-            linkedIdentityCount: this.oauthIdentities.length,
-            linkedProviders: this.oauthIdentities.map(i => i.provider),
-            relayUrl: this.relayUrl
-        };
-    }
-    /**
-     * Get linked devices (from OAuth identities)
-     */
-    getLinkedDevices() {
-        return this.oauthIdentities.map(identity => ({
-            provider: identity.provider,
-            providerId: identity.providerId,
-            email: identity.email,
-            displayName: identity.displayName,
-            photoURL: identity.photoURL,
-            linkedAt: identity.linkedAt
-        }));
-    }
-    /**
-     * Generate a device linking token for QR code display
-     * This token allows another device to link to this identity
-     */
-    async generateLinkToken(expirationMinutes = 5) {
-        if (!this.keypair || !this.did) {
-            return null;
-        }
-        const expiresAt = new Date(Date.now() + expirationMinutes * 60 * 1000);
-        // Create a capability that allows device linking
-        const linkCapability = {
-            with: { scheme: 'device', hierPart: `//link/${this.did}` },
-            can: { namespace: 'device', segments: ['link'] }
-        };
-        const ucan = await ucans.build({
-            audience: 'did:web:relay.buley.dev',
-            issuer: this.keypair,
-            capabilities: [linkCapability],
-            lifetimeInSeconds: expirationMinutes * 60
-        });
-        const token = ucans.encode(ucan);
-        return {
-            token,
-            did: this.did,
-            expiresAt: expiresAt.toISOString(),
-            qrData: JSON.stringify({
-                type: 'dash-device-link',
-                token,
-                did: this.did,
-                relay: this.relayUrl
-            })
-        };
-    }
-    /**
-     * Revoke a linked device (by provider and providerId)
-     */
-    async revokeDevice(provider, providerId, password) {
-        const index = this.oauthIdentities.findIndex(i => i.provider === provider && i.providerId === providerId);
-        if (index === -1) {
-            return false;
-        }
-        this.oauthIdentities.splice(index, 1);
-        // Re-save with updated identities
-        await this.saveKeypair(password);
-        return true;
-    }
-}
-export const auth = new AuthManager();

package/dist/src/engine/ai.d.ts

@@ -1,10 +0,0 @@
-export declare class VectorEngine {
-    private pipe;
-    private modelName;
-    private readyPromise;
-    constructor();
-    init(): Promise<void>;
-    embed(text: string): Promise<number[]>;
-    cosineSimilarity(vecA: number[], vecB: number[]): number;
-}
-export declare const vectorEngine: VectorEngine;

package/dist/src/engine/ai.js

@@ -1,76 +0,0 @@
-// import { pipeline } from '@huggingface/transformers'; // Moved to dynamic import
-export class VectorEngine {
-    pipe = null;
-    modelName = 'Xenova/all-MiniLM-L6-v2';
-    readyPromise = null;
-    constructor() { }
-    async init() {
-        if (this.readyPromise)
-            return this.readyPromise;
-        this.readyPromise = (async () => {
-            try {
-                console.log('Dash: Loading AI Model...', this.modelName);
-                // Import from the new official package
-                const { pipeline, env } = await import('@huggingface/transformers');
-                // Skip local checks for browser env
-                env.allowLocalModels = false;
-                try {
-                    // 1. Try WebNN (NPU)
-                    console.log('Dash: Attempting WebNN backend...');
-                    this.pipe = await pipeline('feature-extraction', this.modelName, {
-                        device: 'webnn',
-                        dtype: 'fp32'
-                    });
-                    console.log('Dash: AI Model Ready (WebNN)');
-                }
-                catch (webnnError) {
-                    console.warn('Dash: WebNN failed, falling back to WebGPU', webnnError);
-                    try {
-                        // 2. Try WebGPU (GPU)
-                        console.log('Dash: Attempting WebGPU backend...');
-                        this.pipe = await pipeline('feature-extraction', this.modelName, {
-                            device: 'webgpu',
-                            dtype: 'fp32'
-                        });
-                        console.log('Dash: AI Model Ready (WebGPU)');
-                    }
-                    catch (gpuError) {
-                        // 3. Fallback to WASM (CPU)
-                        console.warn('Dash: WebGPU failed, failing back to WASM/CPU', gpuError);
-                        this.pipe = await pipeline('feature-extraction', this.modelName, {
-                            device: 'wasm'
-                        });
-                        console.log('Dash: AI Model Ready (WASM)');
-                    }
-                }
-            }
-            catch (err) {
-                console.error('Dash: Failed to load AI model', err);
-                throw err;
-            }
-        })();
-        return this.readyPromise;
-    }
-    async embed(text) {
-        if (!this.pipe)
-            await this.init();
-        // Generate embedding
-        const output = await this.pipe(text, { pooling: 'mean', normalize: true });
-        // Convert generic Tensor to standard number array
-        return Array.from(output.data);
-    }
-    cosineSimilarity(vecA, vecB) {
-        let dotProduct = 0;
-        let normA = 0;
-        let normB = 0;
-        for (let i = 0; i < vecA.length; i++) {
-            dotProduct += vecA[i] * vecB[i];
-            normA += vecA[i] * vecA[i];
-            normB += vecB[i] * vecB[i];
-        }
-        if (normA === 0 || normB === 0)
-            return 0;
-        return dotProduct / (Math.sqrt(normA) * Math.sqrt(normB));
-    }
-}
-export const vectorEngine = new VectorEngine();