@affix-io/sdk 2.0.0 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +123 -13
- package/package.json +3 -5
- package/scripts/postinstall.mjs +0 -19
package/README.md
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
# AffixIO SDK
|
|
2
2
|
|
|
3
|
+
[](https://www.npmjs.com/package/@affix-io/sdk)
|
|
3
4
|
[](LICENSE)
|
|
4
5
|
[](package.json)
|
|
5
6
|
[](https://csrc.nist.gov/pubs/fips/204/final)
|
|
@@ -20,21 +21,60 @@ Classical signatures (ECDSA, EdDSA, RSA) are vulnerable to future quantum attack
|
|
|
20
21
|
|
|
21
22
|
You get prove, verify, storage, and a CLI without running a proving cluster locally.
|
|
22
23
|
|
|
23
|
-
##
|
|
24
|
+
## Get the SDK
|
|
25
|
+
|
|
26
|
+
| Source | Best for |
|
|
27
|
+
|---|---|
|
|
28
|
+
| **[npm](https://www.npmjs.com/package/@affix-io/sdk)** `@affix-io/sdk` | Production apps, CI, Docker images, `package.json` dependencies |
|
|
29
|
+
| **[GitHub](https://github.com/AffixIO/SDK)** `AffixIO/SDK` | Source review, Apache 2.0 audit, pinning a commit, air-gapped installs from tarball |
|
|
30
|
+
|
|
31
|
+
**npm** is what most teams use day to day. Install once, import in code, ship with your service:
|
|
24
32
|
|
|
25
33
|
```bash
|
|
26
34
|
npm install @affix-io/sdk
|
|
27
35
|
```
|
|
28
36
|
|
|
29
|
-
|
|
37
|
+
**GitHub** is the same compiled package (pre-built `dist/`, no TypeScript source in the public tree). Clone when you need to inspect exactly what ships, vendor the repo, or run the CLI without adding a registry dependency:
|
|
30
38
|
|
|
31
39
|
```bash
|
|
32
40
|
git clone https://github.com/AffixIO/SDK.git
|
|
33
41
|
cd SDK
|
|
34
|
-
npm install
|
|
35
42
|
cp .env.example .env
|
|
43
|
+
npx affix-sdk health
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
Neither path runs `npm install` per proof. Both give you a library you call at runtime.
|
|
47
|
+
|
|
48
|
+
## Where it fits in your stack
|
|
49
|
+
|
|
50
|
+
The SDK is a Node.js client. Proving and verification run on the AffixIO API; your app sends credentials or witnesses and receives proof strings back.
|
|
51
|
+
|
|
52
|
+
```
|
|
53
|
+
Your service AffixIO API
|
|
54
|
+
┌─────────────────┐ ┌──────────────────────┐
|
|
55
|
+
│ Express / Fastify│ HTTPS │ witness/prepare │
|
|
56
|
+
│ Next.js API route│ ────────► │ circuits/:id/prove │
|
|
57
|
+
│ BullMQ worker │ │ circuits/:id/verify │
|
|
58
|
+
│ LangChain tool │ │ merkle/audit │
|
|
59
|
+
│ MCP server │ └──────────────────────┘
|
|
60
|
+
│ Cron / batch job │
|
|
61
|
+
└────────┬─────────┘
|
|
62
|
+
│ optional local
|
|
63
|
+
▼
|
|
64
|
+
.affix/proofs.json
|
|
65
|
+
.affix/offline-queue.json
|
|
36
66
|
```
|
|
37
67
|
|
|
68
|
+
Typical integration points:
|
|
69
|
+
|
|
70
|
+
- **API middleware**: prove a predicate before a sensitive route runs (payout, account change, data export).
|
|
71
|
+
- **Background workers**: batch eligibility checks; `flushOfflineQueue()` when connectivity returns.
|
|
72
|
+
- **LLM orchestration**: gate tool calls, model tiers, or retrieval scopes with a proof instead of passing raw KYC or HR data into the prompt.
|
|
73
|
+
- **Agent and MCP servers**: return a `proof_id` alongside tool results so downstream systems can verify without seeing credentials.
|
|
74
|
+
- **Webhooks and event pipelines**: attach a proof digest to an audit log entry via Merkle anchoring.
|
|
75
|
+
|
|
76
|
+
Install the package in the service that holds secrets and talks to AffixIO. Do not embed API keys in browser bundles or client-side LLM prompts.
|
|
77
|
+
|
|
38
78
|
Requires Node.js 18+.
|
|
39
79
|
|
|
40
80
|
## Quick start
|
|
@@ -184,19 +224,89 @@ Local paths: `.affix/offline-queue.json`, `.affix/proofs.json`.
|
|
|
184
224
|
|
|
185
225
|
## Use cases
|
|
186
226
|
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
227
|
+
### AI, LLMs, and agents
|
|
228
|
+
|
|
229
|
+
Large language models should not receive passports, medical records, or full KYC payloads just to answer "is this user allowed?". The SDK lets a **trusted backend** prove a yes/no predicate and hand the model (or tool runtime) only the outcome.
|
|
230
|
+
|
|
231
|
+
| Scenario | Circuit examples | What you prove without exposing |
|
|
232
|
+
|---|---|---|
|
|
233
|
+
| Tool gating before expensive calls | `attested_boolean`, `kyc`, `govt_security_clearance` | User tier, account standing, or clearance level |
|
|
234
|
+
| RAG and document access | `attested_membership`, `govt_professional_license`, `edu_enrollment_verification` | Group membership or role without employee/student IDs |
|
|
235
|
+
| Age and consent checks for restricted advice | `health_age`, `ent_age_restriction`, `hosp_checkin_age` | Age threshold met, not date of birth |
|
|
236
|
+
| Healthcare-adjacent assistants | `health_consent_verification`, `health_prescription_auth`, `health_clinical_trial_eligibility` | Consent or trial eligibility, not PHI |
|
|
237
|
+
| Cross-border or policy-bound models | `travel_visa_eligibility`, `travel_restriction_check`, `govt_immigration_status` | Eligibility flag, not passport number |
|
|
238
|
+
| Agent audit trail | `audit_proof`, `merkle_batch` | That a decision was proved at a point in time |
|
|
239
|
+
|
|
240
|
+
Example pattern for an LLM tool router:
|
|
241
|
+
|
|
242
|
+
```typescript
|
|
243
|
+
import { AffixSDK, defaultContext } from "@affix-io/sdk";
|
|
244
|
+
|
|
245
|
+
const sdk = new AffixSDK();
|
|
246
|
+
|
|
247
|
+
export async function beforeToolRun(userCredential: Record<string, unknown>) {
|
|
248
|
+
const { valid, proof_id } = await sdk.prove({
|
|
249
|
+
circuitId: "govt_security_clearance",
|
|
250
|
+
credential: userCredential,
|
|
251
|
+
context: defaultContext({ required_claim_hash: "cleared" }),
|
|
252
|
+
});
|
|
253
|
+
if (!valid) throw new Error("tool_access_denied");
|
|
254
|
+
return proof_id; // pass to logs or Merkle audit, not to the model context
|
|
255
|
+
}
|
|
256
|
+
```
|
|
257
|
+
|
|
258
|
+
The model sees tool output. It does not need the credential or the witness.
|
|
259
|
+
|
|
260
|
+
### Identity, KYC, and compliance
|
|
261
|
+
|
|
262
|
+
- **Onboarding**: `kyc`, `attested_boolean`, `consent_verification`
|
|
263
|
+
- **PEP and sanctions-style gates**: `govt_criminal_record`, `cross_data_consent`
|
|
264
|
+
- **Professional and licence checks**: `govt_professional_license`, `hosp_agent_credentials`
|
|
265
|
+
|
|
266
|
+
### Fintech and lending
|
|
267
|
+
|
|
268
|
+
- **Credit and income bands**: `cross_credit_score_range`, `cross_income_bracket`, `govt_tax_bracket`
|
|
269
|
+
- **Mortgage and motor finance**: `mortgage_engine`, `motor_finance_eligibility`, `motor_ownership_verification`
|
|
270
|
+
- **Insurance validity**: `motor_insurance_proof`, `travel_insurance_coverage`
|
|
271
|
+
|
|
272
|
+
### Health and life sciences
|
|
273
|
+
|
|
274
|
+
- **Age-gated services**: `health_age`, `health_age_verification`
|
|
275
|
+
- **Vaccination and trial eligibility**: `health_vaccination_status`, `health_clinical_trial_eligibility`
|
|
276
|
+
- **Prescription and insurance predicates**: `health_prescription_auth`, `health_insurance_eligibility`
|
|
277
|
+
|
|
278
|
+
### Travel, hospitality, and ticketing
|
|
279
|
+
|
|
280
|
+
- **Residency and local rates**: `ticket_local_resident`, `travel_residency_proof`, `hosp_longstay_resident`
|
|
281
|
+
- **Passport and visa windows**: `travel_passport_validity`, `travel_visa_eligibility`
|
|
282
|
+
- **Venue access**: `ticket_student_discount`, `ticket_vip_access`, `ticket_disability_access`
|
|
283
|
+
|
|
284
|
+
### Education and workforce
|
|
285
|
+
|
|
286
|
+
- **Admissions and attendance**: `edu_age_admission`, `edu_attendance_threshold`, `edu_prerequisites_met`
|
|
287
|
+
- **Alumni and library access**: `edu_alumni_status`, `edu_library_access`
|
|
288
|
+
- **Employment proofs**: `cross_employment_status`, `edu_degree_completion`
|
|
289
|
+
|
|
290
|
+
### Government and civic
|
|
291
|
+
|
|
292
|
+
- **Voting and benefits**: `govt_voting_eligibility`, `govt_benefit_entitlement`, `zk_voting`
|
|
293
|
+
- **Residency duration and property**: `govt_residency_duration`, `govt_property_ownership`
|
|
294
|
+
- **Military and immigration**: `govt_military_service`, `govt_immigration_status`
|
|
295
|
+
|
|
296
|
+
### Security, tokens, and audit
|
|
297
|
+
|
|
298
|
+
- **Post-quantum token checks**: `quantum_safe_token`, `token_validation`
|
|
299
|
+
- **Tamper-evident history**: `audit_proof`, `merkle_batch`
|
|
300
|
+
- **Offline and edge**: queue failed `prove()` calls, replay with `flushOfflineQueue()` when the API is reachable again
|
|
301
|
+
|
|
302
|
+
Run `npx affix-sdk circuits` for the live catalogue (115+ templates). Circuit IDs map to Noir attestation templates on the API.
|
|
193
303
|
|
|
194
304
|
## Related projects
|
|
195
305
|
|
|
196
|
-
- [noir-lang/noir](https://github.com/noir-lang/noir)
|
|
197
|
-
- [@aztec/bb.js](https://www.npmjs.com/package/@aztec/bb.js)
|
|
198
|
-
- [@noble/post-quantum](https://www.npmjs.com/package/@noble/post-quantum)
|
|
199
|
-
- [NIST PQC standards](https://csrc.nist.gov/projects/post-quantum-cryptography)
|
|
306
|
+
- [noir-lang/noir](https://github.com/noir-lang/noir): ZK domain-specific language
|
|
307
|
+
- [@aztec/bb.js](https://www.npmjs.com/package/@aztec/bb.js): Barretenberg proving backend
|
|
308
|
+
- [@noble/post-quantum](https://www.npmjs.com/package/@noble/post-quantum): ML-DSA / SLH-DSA primitives
|
|
309
|
+
- [NIST PQC standards](https://csrc.nist.gov/projects/post-quantum-cryptography): FIPS 203, 204, 205
|
|
200
310
|
|
|
201
311
|
## License
|
|
202
312
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@affix-io/sdk",
|
|
3
|
-
"version": "2.0.
|
|
3
|
+
"version": "2.0.2",
|
|
4
4
|
"description": "Post-quantum zero-knowledge proof SDK for Node.js. Noir circuits, ML-DSA-65 attestation, Barretenberg UltraHonk proving, verifiable credentials, and privacy-preserving KYC.",
|
|
5
5
|
"license": "Apache-2.0",
|
|
6
6
|
"type": "module",
|
|
@@ -55,8 +55,7 @@
|
|
|
55
55
|
"NOTICE",
|
|
56
56
|
"SECURITY.md",
|
|
57
57
|
"CONTRIBUTING.md",
|
|
58
|
-
"AUTHORS"
|
|
59
|
-
"scripts/postinstall.mjs"
|
|
58
|
+
"AUTHORS"
|
|
60
59
|
],
|
|
61
60
|
"exports": {
|
|
62
61
|
".": {
|
|
@@ -69,8 +68,7 @@
|
|
|
69
68
|
"affix-sdk-web": "./dist/cli.js"
|
|
70
69
|
},
|
|
71
70
|
"scripts": {
|
|
72
|
-
"start": "node dist/cli.js"
|
|
73
|
-
"postinstall": "node scripts/postinstall.mjs"
|
|
71
|
+
"start": "node dist/cli.js"
|
|
74
72
|
},
|
|
75
73
|
"engines": {
|
|
76
74
|
"node": ">=18"
|
package/scripts/postinstall.mjs
DELETED
|
@@ -1,19 +0,0 @@
|
|
|
1
|
-
import { chmodSync, existsSync, readdirSync, statSync } from "node:fs";
|
|
2
|
-
import { join } from "node:path";
|
|
3
|
-
|
|
4
|
-
const binDir = join(process.cwd(), "node_modules", ".bin");
|
|
5
|
-
if (!existsSync(binDir)) {
|
|
6
|
-
process.exit(0);
|
|
7
|
-
}
|
|
8
|
-
|
|
9
|
-
for (const name of readdirSync(binDir)) {
|
|
10
|
-
const path = join(binDir, name);
|
|
11
|
-
try {
|
|
12
|
-
const mode = statSync(path).mode;
|
|
13
|
-
if ((mode & 0o111) === 0) {
|
|
14
|
-
chmodSync(path, mode | 0o755);
|
|
15
|
-
}
|
|
16
|
-
} catch {
|
|
17
|
-
// ignore broken symlinks
|
|
18
|
-
}
|
|
19
|
-
}
|