@agent-receipts/crypto 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Webaes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,57 @@
+# @agent-receipts/crypto
+
+Ed25519 signing and verification for the [Action Receipt Protocol](https://github.com/webaesbyamin/agent-receipts).
+
+## Install
+
+```bash
+npm install @agent-receipts/crypto
+```
+
+## Usage
+
+```typescript
+import {
+  generateKeyPair,
+  signReceipt,
+  verifyReceipt,
+  getSignablePayload,
+  getPublicKeyFromPrivate,
+} from '@agent-receipts/crypto'
+
+// Generate a new Ed25519 key pair
+const { privateKey, publicKey } = generateKeyPair()
+
+// Sign a receipt
+const signable = getSignablePayload(receipt)
+const signature = signReceipt(signable, privateKey)
+
+// Verify a receipt
+const valid = verifyReceipt(signable, signature, publicKey)
+
+// Derive public key from private
+const pub = getPublicKeyFromPrivate(privateKey)
+```
+
+## API
+
+| Function | Description |
+|----------|-------------|
+| `generateKeyPair()` | Generate an Ed25519 key pair (returns `{ privateKey, publicKey }` as hex strings) |
+| `signReceipt(payload, privateKey)` | Sign a canonical payload, returns hex signature |
+| `verifyReceipt(payload, signature, publicKey)` | Verify a signature against a payload and public key |
+| `getSignablePayload(receipt)` | Extract the deterministic signable fields from a receipt |
+| `getPublicKeyFromPrivate(privateKey)` | Derive the public key from a private key |
+| `canonicalize(obj)` | Deterministic JSON serialization for signing |
+
+## Key Generation CLI
+
+```bash
+npx @agent-receipts/crypto generate-keys
+```
+
+Outputs `RECEIPT_SIGNING_PRIVATE_KEY` and `RECEIPT_SIGNING_PUBLIC_KEY` for your `.env` file.
+
+## License
+
+MIT

package/bin/generate-keys.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env npx tsx
+import { generateKeyPair } from '../src/keys'
+
+function main() {
+  const { privateKey, publicKey } = generateKeyPair()
+
+  console.log('\nAgent Receipts — Ed25519 Key Pair Generated\n')
+  console.log('Add these to your .env file:\n')
+  console.log(`RECEIPT_SIGNING_PRIVATE_KEY=${privateKey}`)
+  console.log(`RECEIPT_SIGNING_PUBLIC_KEY=${publicKey}`)
+  console.log('\nKeep the private key SECRET. Never commit it to git.')
+  console.log("The public key is safe to share — it's published at /.well-known/receipt-public-key.json\n")
+}
+
+main()

package/dist/index.d.mts

@@ -0,0 +1,72 @@
+import { SignablePayload } from '@agent-receipts/schema';
+
+/**
+ * Produce a canonical JSON string from a SignablePayload.
+ * Keys are sorted alphabetically. Output is deterministic.
+ *
+ * IMPORTANT: SignablePayload contains only flat primitives (strings, nulls).
+ * No nested objects or arrays. Simple key sorting is sufficient here.
+ *
+ * For hashing arbitrary user input/output (in the SDK), use deep canonical
+ * sorting — that's a different function in the SDK package.
+ */
+declare function canonicalize(payload: SignablePayload): string;
+
+/**
+ * Extract the signable fields from a full receipt object.
+ * Maps receipt fields to the SignablePayload structure.
+ *
+ * NOTE: The API uses `timestamp` while the DB uses `created_at`.
+ * This function expects the API format (timestamp).
+ */
+declare function getSignablePayload(receipt: {
+    receipt_id: string;
+    chain_id: string;
+    receipt_type: string;
+    agent_id: string;
+    org_id: string;
+    action: string;
+    input_hash: string;
+    output_hash: string | null;
+    status: string;
+    timestamp: string;
+    completed_at: string | null;
+    environment: string;
+    [key: string]: unknown;
+}): SignablePayload;
+/**
+ * Sign a receipt payload with Ed25519.
+ *
+ * @param payload - The signable fields (12 deterministic fields)
+ * @param privateKey - Ed25519 private key as hex string (64 chars = 32 bytes)
+ * @returns Signature string in format "ed25519:<base64>"
+ */
+declare function signReceipt(payload: SignablePayload, privateKey: string): string;
+/**
+ * Verify a receipt signature.
+ *
+ * @param payload - The signable fields (must match what was signed)
+ * @param signature - Signature string in format "ed25519:<base64>"
+ * @param publicKey - Ed25519 public key as hex string (64 chars = 32 bytes)
+ * @returns true if signature is valid
+ */
+declare function verifyReceipt(payload: SignablePayload, signature: string, publicKey: string): boolean;
+
+/**
+ * Generate a new Ed25519 key pair.
+ *
+ * @returns { privateKey: string, publicKey: string } — both hex-encoded (64 chars each)
+ */
+declare function generateKeyPair(): {
+    privateKey: string;
+    publicKey: string;
+};
+/**
+ * Derive public key from private key.
+ *
+ * @param privateKeyHex - Ed25519 private key as hex string (64 chars)
+ * @returns Public key as hex string (64 chars)
+ */
+declare function getPublicKeyFromPrivate(privateKeyHex: string): string;
+
+export { canonicalize, generateKeyPair, getPublicKeyFromPrivate, getSignablePayload, signReceipt, verifyReceipt };

package/dist/index.d.ts

@@ -0,0 +1,72 @@
+import { SignablePayload } from '@agent-receipts/schema';
+
+/**
+ * Produce a canonical JSON string from a SignablePayload.
+ * Keys are sorted alphabetically. Output is deterministic.
+ *
+ * IMPORTANT: SignablePayload contains only flat primitives (strings, nulls).
+ * No nested objects or arrays. Simple key sorting is sufficient here.
+ *
+ * For hashing arbitrary user input/output (in the SDK), use deep canonical
+ * sorting — that's a different function in the SDK package.
+ */
+declare function canonicalize(payload: SignablePayload): string;
+
+/**
+ * Extract the signable fields from a full receipt object.
+ * Maps receipt fields to the SignablePayload structure.
+ *
+ * NOTE: The API uses `timestamp` while the DB uses `created_at`.
+ * This function expects the API format (timestamp).
+ */
+declare function getSignablePayload(receipt: {
+    receipt_id: string;
+    chain_id: string;
+    receipt_type: string;
+    agent_id: string;
+    org_id: string;
+    action: string;
+    input_hash: string;
+    output_hash: string | null;
+    status: string;
+    timestamp: string;
+    completed_at: string | null;
+    environment: string;
+    [key: string]: unknown;
+}): SignablePayload;
+/**
+ * Sign a receipt payload with Ed25519.
+ *
+ * @param payload - The signable fields (12 deterministic fields)
+ * @param privateKey - Ed25519 private key as hex string (64 chars = 32 bytes)
+ * @returns Signature string in format "ed25519:<base64>"
+ */
+declare function signReceipt(payload: SignablePayload, privateKey: string): string;
+/**
+ * Verify a receipt signature.
+ *
+ * @param payload - The signable fields (must match what was signed)
+ * @param signature - Signature string in format "ed25519:<base64>"
+ * @param publicKey - Ed25519 public key as hex string (64 chars = 32 bytes)
+ * @returns true if signature is valid
+ */
+declare function verifyReceipt(payload: SignablePayload, signature: string, publicKey: string): boolean;
+
+/**
+ * Generate a new Ed25519 key pair.
+ *
+ * @returns { privateKey: string, publicKey: string } — both hex-encoded (64 chars each)
+ */
+declare function generateKeyPair(): {
+    privateKey: string;
+    publicKey: string;
+};
+/**
+ * Derive public key from private key.
+ *
+ * @param privateKeyHex - Ed25519 private key as hex string (64 chars)
+ * @returns Public key as hex string (64 chars)
+ */
+declare function getPublicKeyFromPrivate(privateKeyHex: string): string;
+
+export { canonicalize, generateKeyPair, getPublicKeyFromPrivate, getSignablePayload, signReceipt, verifyReceipt };

package/dist/index.js

@@ -0,0 +1,110 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  canonicalize: () => canonicalize,
+  generateKeyPair: () => generateKeyPair,
+  getPublicKeyFromPrivate: () => getPublicKeyFromPrivate,
+  getSignablePayload: () => getSignablePayload,
+  signReceipt: () => signReceipt,
+  verifyReceipt: () => verifyReceipt
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/canonical.ts
+function canonicalize(payload) {
+  const sorted = Object.keys(payload).sort();
+  return JSON.stringify(payload, sorted);
+}
+
+// src/sign.ts
+var import_ed25519 = require("@noble/ed25519");
+var import_sha512 = require("@noble/hashes/sha512");
+import_ed25519.etc.sha512Sync = (...messages) => (0, import_sha512.sha512)(import_ed25519.etc.concatBytes(...messages));
+function getSignablePayload(receipt) {
+  return {
+    receipt_id: receipt.receipt_id,
+    chain_id: receipt.chain_id,
+    receipt_type: receipt.receipt_type,
+    agent_id: receipt.agent_id,
+    org_id: receipt.org_id,
+    action: receipt.action,
+    input_hash: receipt.input_hash,
+    output_hash: receipt.output_hash,
+    status: receipt.status,
+    timestamp: receipt.timestamp,
+    completed_at: receipt.completed_at,
+    environment: receipt.environment
+  };
+}
+function signReceipt(payload, privateKey) {
+  const canonical = canonicalize(payload);
+  const message = new TextEncoder().encode(canonical);
+  const privKeyBytes = import_ed25519.etc.hexToBytes(privateKey);
+  const signature = (0, import_ed25519.sign)(message, privKeyBytes);
+  return `ed25519:${bytesToBase64(signature)}`;
+}
+function verifyReceipt(payload, signature, publicKey) {
+  try {
+    if (!signature.startsWith("ed25519:")) {
+      return false;
+    }
+    const canonical = canonicalize(payload);
+    const message = new TextEncoder().encode(canonical);
+    const sigBytes = base64ToBytes(signature.slice("ed25519:".length));
+    const pubKeyBytes = import_ed25519.etc.hexToBytes(publicKey);
+    return (0, import_ed25519.verify)(sigBytes, message, pubKeyBytes);
+  } catch {
+    return false;
+  }
+}
+function bytesToBase64(bytes) {
+  return Buffer.from(bytes).toString("base64");
+}
+function base64ToBytes(b64) {
+  return new Uint8Array(Buffer.from(b64, "base64"));
+}
+
+// src/keys.ts
+var import_ed255192 = require("@noble/ed25519");
+function generateKeyPair() {
+  const privateKeyBytes = import_ed255192.utils.randomPrivateKey();
+  const publicKeyBytes = (0, import_ed255192.getPublicKey)(privateKeyBytes);
+  return {
+    privateKey: import_ed255192.etc.bytesToHex(privateKeyBytes),
+    publicKey: import_ed255192.etc.bytesToHex(publicKeyBytes)
+  };
+}
+function getPublicKeyFromPrivate(privateKeyHex) {
+  const privKeyBytes = import_ed255192.etc.hexToBytes(privateKeyHex);
+  const pubKeyBytes = (0, import_ed255192.getPublicKey)(privKeyBytes);
+  return import_ed255192.etc.bytesToHex(pubKeyBytes);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  canonicalize,
+  generateKeyPair,
+  getPublicKeyFromPrivate,
+  getSignablePayload,
+  signReceipt,
+  verifyReceipt
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/canonical.ts","../src/sign.ts","../src/keys.ts"],"sourcesContent":["export { canonicalize } from './canonical'\nexport { signReceipt, verifyReceipt, getSignablePayload } from './sign'\nexport { generateKeyPair, getPublicKeyFromPrivate } from './keys'\n","import type { SignablePayload } from '@agent-receipts/schema'\n\n/**\n * Produce a canonical JSON string from a SignablePayload.\n * Keys are sorted alphabetically. Output is deterministic.\n *\n * IMPORTANT: SignablePayload contains only flat primitives (strings, nulls).\n * No nested objects or arrays. Simple key sorting is sufficient here.\n *\n * For hashing arbitrary user input/output (in the SDK), use deep canonical\n * sorting — that's a different function in the SDK package.\n */\nexport function canonicalize(payload: SignablePayload): string {\n  const sorted = Object.keys(payload).sort()\n  return JSON.stringify(payload, sorted)\n}\n","import { sign, verify, etc, getPublicKey } from '@noble/ed25519'\nimport { sha512 } from '@noble/hashes/sha512'\nimport type { SignablePayload } from '@agent-receipts/schema'\nimport { canonicalize } from './canonical'\n\n// Configure noble/ed25519 to use sha512 for sync operations.\n// This is required by @noble/ed25519 v2 — without it, sync sign/verify throw.\netc.sha512Sync = (...messages: Uint8Array[]): Uint8Array =>\n  sha512(etc.concatBytes(...messages))\n\n/**\n * Extract the signable fields from a full receipt object.\n * Maps receipt fields to the SignablePayload structure.\n *\n * NOTE: The API uses `timestamp` while the DB uses `created_at`.\n * This function expects the API format (timestamp).\n */\nexport function getSignablePayload(receipt: {\n  receipt_id: string\n  chain_id: string\n  receipt_type: string\n  agent_id: string\n  org_id: string\n  action: string\n  input_hash: string\n  output_hash: string | null\n  status: string\n  timestamp: string\n  completed_at: string | null\n  environment: string\n  [key: string]: unknown\n}): SignablePayload {\n  return {\n    receipt_id: receipt.receipt_id,\n    chain_id: receipt.chain_id,\n    receipt_type: receipt.receipt_type as SignablePayload['receipt_type'],\n    agent_id: receipt.agent_id,\n    org_id: receipt.org_id,\n    action: receipt.action,\n    input_hash: receipt.input_hash,\n    output_hash: receipt.output_hash,\n    status: receipt.status as SignablePayload['status'],\n    timestamp: receipt.timestamp,\n    completed_at: receipt.completed_at,\n    environment: receipt.environment as SignablePayload['environment'],\n  }\n}\n\n/**\n * Sign a receipt payload with Ed25519.\n *\n * @param payload - The signable fields (12 deterministic fields)\n * @param privateKey - Ed25519 private key as hex string (64 chars = 32 bytes)\n * @returns Signature string in format \"ed25519:<base64>\"\n */\nexport function signReceipt(\n  payload: SignablePayload,\n  privateKey: string\n): string {\n  const canonical = canonicalize(payload)\n  const message = new TextEncoder().encode(canonical)\n  const privKeyBytes = etc.hexToBytes(privateKey)\n  const signature = sign(message, privKeyBytes)\n  return `ed25519:${bytesToBase64(signature)}`\n}\n\n/**\n * Verify a receipt signature.\n *\n * @param payload - The signable fields (must match what was signed)\n * @param signature - Signature string in format \"ed25519:<base64>\"\n * @param publicKey - Ed25519 public key as hex string (64 chars = 32 bytes)\n * @returns true if signature is valid\n */\nexport function verifyReceipt(\n  payload: SignablePayload,\n  signature: string,\n  publicKey: string\n): boolean {\n  try {\n    if (!signature.startsWith('ed25519:')) {\n      return false\n    }\n    const canonical = canonicalize(payload)\n    const message = new TextEncoder().encode(canonical)\n    const sigBytes = base64ToBytes(signature.slice('ed25519:'.length))\n    const pubKeyBytes = etc.hexToBytes(publicKey)\n    return verify(sigBytes, message, pubKeyBytes)\n  } catch {\n    return false\n  }\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n  return Buffer.from(bytes).toString('base64')\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  return new Uint8Array(Buffer.from(b64, 'base64'))\n}\n","import { getPublicKey, etc, utils } from '@noble/ed25519'\n\n/**\n * Generate a new Ed25519 key pair.\n *\n * @returns { privateKey: string, publicKey: string } — both hex-encoded (64 chars each)\n */\nexport function generateKeyPair(): {\n  privateKey: string\n  publicKey: string\n} {\n  const privateKeyBytes = utils.randomPrivateKey()\n  const publicKeyBytes = getPublicKey(privateKeyBytes)\n  return {\n    privateKey: etc.bytesToHex(privateKeyBytes),\n    publicKey: etc.bytesToHex(publicKeyBytes),\n  }\n}\n\n/**\n * Derive public key from private key.\n *\n * @param privateKeyHex - Ed25519 private key as hex string (64 chars)\n * @returns Public key as hex string (64 chars)\n */\nexport function getPublicKeyFromPrivate(privateKeyHex: string): string {\n  const privKeyBytes = etc.hexToBytes(privateKeyHex)\n  const pubKeyBytes = getPublicKey(privKeyBytes)\n  return etc.bytesToHex(pubKeyBytes)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACYO,SAAS,aAAa,SAAkC;AAC7D,QAAM,SAAS,OAAO,KAAK,OAAO,EAAE,KAAK;AACzC,SAAO,KAAK,UAAU,SAAS,MAAM;AACvC;;;ACfA,qBAAgD;AAChD,oBAAuB;AAMvB,mBAAI,aAAa,IAAI,iBACnB,sBAAO,mBAAI,YAAY,GAAG,QAAQ,CAAC;AAS9B,SAAS,mBAAmB,SAcf;AAClB,SAAO;AAAA,IACL,YAAY,QAAQ;AAAA,IACpB,UAAU,QAAQ;AAAA,IAClB,cAAc,QAAQ;AAAA,IACtB,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,IAChB,QAAQ,QAAQ;AAAA,IAChB,YAAY,QAAQ;AAAA,IACpB,aAAa,QAAQ;AAAA,IACrB,QAAQ,QAAQ;AAAA,IAChB,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,aAAa,QAAQ;AAAA,EACvB;AACF;AASO,SAAS,YACd,SACA,YACQ;AACR,QAAM,YAAY,aAAa,OAAO;AACtC,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,QAAM,eAAe,mBAAI,WAAW,UAAU;AAC9C,QAAM,gBAAY,qBAAK,SAAS,YAAY;AAC5C,SAAO,WAAW,cAAc,SAAS,CAAC;AAC5C;AAUO,SAAS,cACd,SACA,WACA,WACS;AACT,MAAI;AACF,QAAI,CAAC,UAAU,WAAW,UAAU,GAAG;AACrC,aAAO;AAAA,IACT;AACA,UAAM,YAAY,aAAa,OAAO;AACtC,UAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,UAAM,WAAW,cAAc,UAAU,MAAM,WAAW,MAAM,CAAC;AACjE,UAAM,cAAc,mBAAI,WAAW,SAAS;AAC5C,eAAO,uBAAO,UAAU,SAAS,WAAW;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,OAA2B;AAChD,SAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;AAC7C;AAEA,SAAS,cAAc,KAAyB;AAC9C,SAAO,IAAI,WAAW,OAAO,KAAK,KAAK,QAAQ,CAAC;AAClD;;;ACnGA,IAAAA,kBAAyC;AAOlC,SAAS,kBAGd;AACA,QAAM,kBAAkB,sBAAM,iBAAiB;AAC/C,QAAM,qBAAiB,8BAAa,eAAe;AACnD,SAAO;AAAA,IACL,YAAY,oBAAI,WAAW,eAAe;AAAA,IAC1C,WAAW,oBAAI,WAAW,cAAc;AAAA,EAC1C;AACF;AAQO,SAAS,wBAAwB,eAA+B;AACrE,QAAM,eAAe,oBAAI,WAAW,aAAa;AACjD,QAAM,kBAAc,8BAAa,YAAY;AAC7C,SAAO,oBAAI,WAAW,WAAW;AACnC;","names":["import_ed25519"]}

package/dist/index.mjs

@@ -0,0 +1,78 @@
+// src/canonical.ts
+function canonicalize(payload) {
+  const sorted = Object.keys(payload).sort();
+  return JSON.stringify(payload, sorted);
+}
+
+// src/sign.ts
+import { sign, verify, etc } from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+etc.sha512Sync = (...messages) => sha512(etc.concatBytes(...messages));
+function getSignablePayload(receipt) {
+  return {
+    receipt_id: receipt.receipt_id,
+    chain_id: receipt.chain_id,
+    receipt_type: receipt.receipt_type,
+    agent_id: receipt.agent_id,
+    org_id: receipt.org_id,
+    action: receipt.action,
+    input_hash: receipt.input_hash,
+    output_hash: receipt.output_hash,
+    status: receipt.status,
+    timestamp: receipt.timestamp,
+    completed_at: receipt.completed_at,
+    environment: receipt.environment
+  };
+}
+function signReceipt(payload, privateKey) {
+  const canonical = canonicalize(payload);
+  const message = new TextEncoder().encode(canonical);
+  const privKeyBytes = etc.hexToBytes(privateKey);
+  const signature = sign(message, privKeyBytes);
+  return `ed25519:${bytesToBase64(signature)}`;
+}
+function verifyReceipt(payload, signature, publicKey) {
+  try {
+    if (!signature.startsWith("ed25519:")) {
+      return false;
+    }
+    const canonical = canonicalize(payload);
+    const message = new TextEncoder().encode(canonical);
+    const sigBytes = base64ToBytes(signature.slice("ed25519:".length));
+    const pubKeyBytes = etc.hexToBytes(publicKey);
+    return verify(sigBytes, message, pubKeyBytes);
+  } catch {
+    return false;
+  }
+}
+function bytesToBase64(bytes) {
+  return Buffer.from(bytes).toString("base64");
+}
+function base64ToBytes(b64) {
+  return new Uint8Array(Buffer.from(b64, "base64"));
+}
+
+// src/keys.ts
+import { getPublicKey as getPublicKey2, etc as etc2, utils } from "@noble/ed25519";
+function generateKeyPair() {
+  const privateKeyBytes = utils.randomPrivateKey();
+  const publicKeyBytes = getPublicKey2(privateKeyBytes);
+  return {
+    privateKey: etc2.bytesToHex(privateKeyBytes),
+    publicKey: etc2.bytesToHex(publicKeyBytes)
+  };
+}
+function getPublicKeyFromPrivate(privateKeyHex) {
+  const privKeyBytes = etc2.hexToBytes(privateKeyHex);
+  const pubKeyBytes = getPublicKey2(privKeyBytes);
+  return etc2.bytesToHex(pubKeyBytes);
+}
+export {
+  canonicalize,
+  generateKeyPair,
+  getPublicKeyFromPrivate,
+  getSignablePayload,
+  signReceipt,
+  verifyReceipt
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/canonical.ts","../src/sign.ts","../src/keys.ts"],"sourcesContent":["import type { SignablePayload } from '@agent-receipts/schema'\n\n/**\n * Produce a canonical JSON string from a SignablePayload.\n * Keys are sorted alphabetically. Output is deterministic.\n *\n * IMPORTANT: SignablePayload contains only flat primitives (strings, nulls).\n * No nested objects or arrays. Simple key sorting is sufficient here.\n *\n * For hashing arbitrary user input/output (in the SDK), use deep canonical\n * sorting — that's a different function in the SDK package.\n */\nexport function canonicalize(payload: SignablePayload): string {\n  const sorted = Object.keys(payload).sort()\n  return JSON.stringify(payload, sorted)\n}\n","import { sign, verify, etc, getPublicKey } from '@noble/ed25519'\nimport { sha512 } from '@noble/hashes/sha512'\nimport type { SignablePayload } from '@agent-receipts/schema'\nimport { canonicalize } from './canonical'\n\n// Configure noble/ed25519 to use sha512 for sync operations.\n// This is required by @noble/ed25519 v2 — without it, sync sign/verify throw.\netc.sha512Sync = (...messages: Uint8Array[]): Uint8Array =>\n  sha512(etc.concatBytes(...messages))\n\n/**\n * Extract the signable fields from a full receipt object.\n * Maps receipt fields to the SignablePayload structure.\n *\n * NOTE: The API uses `timestamp` while the DB uses `created_at`.\n * This function expects the API format (timestamp).\n */\nexport function getSignablePayload(receipt: {\n  receipt_id: string\n  chain_id: string\n  receipt_type: string\n  agent_id: string\n  org_id: string\n  action: string\n  input_hash: string\n  output_hash: string | null\n  status: string\n  timestamp: string\n  completed_at: string | null\n  environment: string\n  [key: string]: unknown\n}): SignablePayload {\n  return {\n    receipt_id: receipt.receipt_id,\n    chain_id: receipt.chain_id,\n    receipt_type: receipt.receipt_type as SignablePayload['receipt_type'],\n    agent_id: receipt.agent_id,\n    org_id: receipt.org_id,\n    action: receipt.action,\n    input_hash: receipt.input_hash,\n    output_hash: receipt.output_hash,\n    status: receipt.status as SignablePayload['status'],\n    timestamp: receipt.timestamp,\n    completed_at: receipt.completed_at,\n    environment: receipt.environment as SignablePayload['environment'],\n  }\n}\n\n/**\n * Sign a receipt payload with Ed25519.\n *\n * @param payload - The signable fields (12 deterministic fields)\n * @param privateKey - Ed25519 private key as hex string (64 chars = 32 bytes)\n * @returns Signature string in format \"ed25519:<base64>\"\n */\nexport function signReceipt(\n  payload: SignablePayload,\n  privateKey: string\n): string {\n  const canonical = canonicalize(payload)\n  const message = new TextEncoder().encode(canonical)\n  const privKeyBytes = etc.hexToBytes(privateKey)\n  const signature = sign(message, privKeyBytes)\n  return `ed25519:${bytesToBase64(signature)}`\n}\n\n/**\n * Verify a receipt signature.\n *\n * @param payload - The signable fields (must match what was signed)\n * @param signature - Signature string in format \"ed25519:<base64>\"\n * @param publicKey - Ed25519 public key as hex string (64 chars = 32 bytes)\n * @returns true if signature is valid\n */\nexport function verifyReceipt(\n  payload: SignablePayload,\n  signature: string,\n  publicKey: string\n): boolean {\n  try {\n    if (!signature.startsWith('ed25519:')) {\n      return false\n    }\n    const canonical = canonicalize(payload)\n    const message = new TextEncoder().encode(canonical)\n    const sigBytes = base64ToBytes(signature.slice('ed25519:'.length))\n    const pubKeyBytes = etc.hexToBytes(publicKey)\n    return verify(sigBytes, message, pubKeyBytes)\n  } catch {\n    return false\n  }\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n  return Buffer.from(bytes).toString('base64')\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  return new Uint8Array(Buffer.from(b64, 'base64'))\n}\n","import { getPublicKey, etc, utils } from '@noble/ed25519'\n\n/**\n * Generate a new Ed25519 key pair.\n *\n * @returns { privateKey: string, publicKey: string } — both hex-encoded (64 chars each)\n */\nexport function generateKeyPair(): {\n  privateKey: string\n  publicKey: string\n} {\n  const privateKeyBytes = utils.randomPrivateKey()\n  const publicKeyBytes = getPublicKey(privateKeyBytes)\n  return {\n    privateKey: etc.bytesToHex(privateKeyBytes),\n    publicKey: etc.bytesToHex(publicKeyBytes),\n  }\n}\n\n/**\n * Derive public key from private key.\n *\n * @param privateKeyHex - Ed25519 private key as hex string (64 chars)\n * @returns Public key as hex string (64 chars)\n */\nexport function getPublicKeyFromPrivate(privateKeyHex: string): string {\n  const privKeyBytes = etc.hexToBytes(privateKeyHex)\n  const pubKeyBytes = getPublicKey(privKeyBytes)\n  return etc.bytesToHex(pubKeyBytes)\n}\n"],"mappings":";AAYO,SAAS,aAAa,SAAkC;AAC7D,QAAM,SAAS,OAAO,KAAK,OAAO,EAAE,KAAK;AACzC,SAAO,KAAK,UAAU,SAAS,MAAM;AACvC;;;ACfA,SAAS,MAAM,QAAQ,WAAyB;AAChD,SAAS,cAAc;AAMvB,IAAI,aAAa,IAAI,aACnB,OAAO,IAAI,YAAY,GAAG,QAAQ,CAAC;AAS9B,SAAS,mBAAmB,SAcf;AAClB,SAAO;AAAA,IACL,YAAY,QAAQ;AAAA,IACpB,UAAU,QAAQ;AAAA,IAClB,cAAc,QAAQ;AAAA,IACtB,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,IAChB,QAAQ,QAAQ;AAAA,IAChB,YAAY,QAAQ;AAAA,IACpB,aAAa,QAAQ;AAAA,IACrB,QAAQ,QAAQ;AAAA,IAChB,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,aAAa,QAAQ;AAAA,EACvB;AACF;AASO,SAAS,YACd,SACA,YACQ;AACR,QAAM,YAAY,aAAa,OAAO;AACtC,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,QAAM,eAAe,IAAI,WAAW,UAAU;AAC9C,QAAM,YAAY,KAAK,SAAS,YAAY;AAC5C,SAAO,WAAW,cAAc,SAAS,CAAC;AAC5C;AAUO,SAAS,cACd,SACA,WACA,WACS;AACT,MAAI;AACF,QAAI,CAAC,UAAU,WAAW,UAAU,GAAG;AACrC,aAAO;AAAA,IACT;AACA,UAAM,YAAY,aAAa,OAAO;AACtC,UAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,UAAM,WAAW,cAAc,UAAU,MAAM,WAAW,MAAM,CAAC;AACjE,UAAM,cAAc,IAAI,WAAW,SAAS;AAC5C,WAAO,OAAO,UAAU,SAAS,WAAW;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,OAA2B;AAChD,SAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;AAC7C;AAEA,SAAS,cAAc,KAAyB;AAC9C,SAAO,IAAI,WAAW,OAAO,KAAK,KAAK,QAAQ,CAAC;AAClD;;;ACnGA,SAAS,gBAAAA,eAAc,OAAAC,MAAK,aAAa;AAOlC,SAAS,kBAGd;AACA,QAAM,kBAAkB,MAAM,iBAAiB;AAC/C,QAAM,iBAAiBD,cAAa,eAAe;AACnD,SAAO;AAAA,IACL,YAAYC,KAAI,WAAW,eAAe;AAAA,IAC1C,WAAWA,KAAI,WAAW,cAAc;AAAA,EAC1C;AACF;AAQO,SAAS,wBAAwB,eAA+B;AACrE,QAAM,eAAeA,KAAI,WAAW,aAAa;AACjD,QAAM,cAAcD,cAAa,YAAY;AAC7C,SAAOC,KAAI,WAAW,WAAW;AACnC;","names":["getPublicKey","etc"]}

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "@agent-receipts/crypto",
+  "version": "0.1.0",
+  "description": "Ed25519 signing and verification for the Action Receipt Protocol",
+  "license": "MIT",
+  "author": "Amin <amin@webaes.co> (https://webaes.co)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/webaesbyamin/agent-receipts",
+    "directory": "packages/crypto"
+  },
+  "homepage": "https://github.com/webaesbyamin/agent-receipts#readme",
+  "bugs": {
+    "url": "https://github.com/webaesbyamin/agent-receipts/issues"
+  },
+  "keywords": [
+    "agent-receipts",
+    "ed25519",
+    "signing",
+    "verification",
+    "cryptography",
+    "ai-agents",
+    "mcp"
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "bin": {
+    "generate-keys": "./bin/generate-keys.ts"
+  },
+  "files": [
+    "dist",
+    "bin"
+  ],
+  "dependencies": {
+    "@noble/ed25519": "^2.1.0",
+    "@noble/hashes": "^1.7.0",
+    "@agent-receipts/schema": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "tsup": "^8.2.0",
+    "typescript": "^5.4.0",
+    "vitest": "^2.1.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  }
+}