@agenticprimitives/key-custody 0.1.0-alpha.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Agentic Trust Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,31 @@
+# @agenticprimitives/key-custody
+
+Pluggable envelope encryption + signers + HMAC providers. Local-AES (dev only), AWS KMS, GCP KMS in v0.
+
+**Narrower than you might expect:** session lifecycle is owned by `@agenticprimitives/delegation`. This package provides the crypto primitives; delegation's `SessionManager` wires them into the lifecycle.
+
+See [`spec.md`](./spec.md) → [`specs/203-key-custody.md`](../../specs/203-key-custody.md).
+
+## Quick start
+
+```ts
+import { buildKeyProvider, createKmsAccount, canonicalContextBytes } from '@agenticprimitives/key-custody';
+
+const provider = buildKeyProvider({ backend: process.env.A2A_KMS_BACKEND });
+
+// Generate a wrapped data key for envelope encryption
+const { plaintextDataKey, encryptedDataKey, keyId, keyVersion } =
+  await provider.generateSessionDataKey({ aadContext: { /* caller-supplied */ } });
+
+// Sign as a viem-compatible signer
+const signer = buildSignerBackend({ backend: 'aws-kms' });
+const kmsAccount = await createKmsAccount(signer);
+```
+
+## Production guard
+
+`local-aes` refuses to boot when `NODE_ENV=production`. AWS and GCP backends have **no local fallback** — they fail-closed on outage. This is intentional.
+
+## Status
+
+Pre-alpha. Spec stable.

package/dist/aad.d.ts

@@ -0,0 +1,2 @@
+export declare function canonicalContextBytes(ctx: Record<string, string>): Uint8Array;
+//# sourceMappingURL=aad.d.ts.map

package/dist/aad.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aad.d.ts","sourceRoot":"","sources":["../src/aad.ts"],"names":[],"mappings":"AAMA,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,UAAU,CAY7E"}

package/dist/aad.js

@@ -0,0 +1,19 @@
+// AAD canonicalization. The caller supplies a Record<string, string>; we sort
+// keys, JSON-encode each value, and produce a deterministic byte string used
+// both as AES-GCM AAD and as KMS EncryptionContext. AAD-bound trip-wire:
+// changing any field invalidates BOTH the AES-GCM tag (when the caller wraps
+// it at the payload layer) AND the HKDF derivation here.
+export function canonicalContextBytes(ctx) {
+    const keys = Object.keys(ctx).sort();
+    // Format: key1=value1;key2=value2 (values URI-encoded to disambiguate '=' and ';')
+    const parts = [];
+    for (const k of keys) {
+        const v = ctx[k];
+        if (typeof v !== 'string') {
+            throw new Error(`canonicalContextBytes: value for "${k}" must be a string`);
+        }
+        parts.push(`${k}=${encodeURIComponent(v)}`);
+    }
+    return new TextEncoder().encode(parts.join(';'));
+}
+//# sourceMappingURL=aad.js.map

package/dist/aad.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aad.js","sourceRoot":"","sources":["../src/aad.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,yEAAyE;AACzE,6EAA6E;AAC7E,yDAAyD;AAEzD,MAAM,UAAU,qBAAqB,CAAC,GAA2B;IAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,mFAAmF;IACnF,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QACjB,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,oBAAoB,CAAC,CAAC;QAC9E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC"}

package/dist/account.d.ts

@@ -0,0 +1,23 @@
+import { type Hex, type Address } from 'viem';
+import type { KmsAccountBackend } from './types';
+interface KMSSignerShape {
+    readonly address: Address;
+    readonly keyId: string;
+    readonly provider: 'local-aes' | 'aws-kms' | 'gcp-kms';
+    signMessage(msg: string | {
+        raw: Hex;
+    }): Promise<Hex>;
+    signTypedData(args: {
+        domain: unknown;
+        types: unknown;
+        primaryType: string;
+        message: Record<string, unknown>;
+    }): Promise<Hex>;
+}
+export declare function createKmsAccount(backend: KmsAccountBackend, opts?: {
+    sessionId?: string;
+    chainId?: number;
+    provider?: 'local-aes' | 'aws-kms' | 'gcp-kms';
+}): Promise<KMSSignerShape>;
+export {};
+//# sourceMappingURL=account.d.ts.map

package/dist/account.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account.d.ts","sourceRoot":"","sources":["../src/account.ts"],"names":[],"mappings":"AAIA,OAAO,EAAyC,KAAK,GAAG,EAAE,KAAK,OAAO,EAAE,MAAM,MAAM,CAAC;AACrF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAEjD,UAAU,cAAc;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;IACvD,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACtD,aAAa,CAAC,IAAI,EAAE;QAClB,MAAM,EAAE,OAAO,CAAC;QAChB,KAAK,EAAE,OAAO,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;CAClB;AAWD,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,iBAAiB,EAC1B,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,WAAW,GAAG,SAAS,GAAG,SAAS,CAAA;CAAE,GAC9F,OAAO,CAAC,cAAc,CAAC,CA0CzB"}

package/dist/account.js

@@ -0,0 +1,54 @@
+// createKmsAccount — viem adapter that turns a KmsAccountBackend into a
+// KMSSigner conforming to connect-auth's Signer interface contract.
+import { keccak_256 } from '@noble/hashes/sha3';
+import { bytesToHex, hexToBytes, hashTypedData } from 'viem';
+function eip191Digest(message) {
+    const bytes = typeof message === 'string' ? new TextEncoder().encode(message) : message;
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${bytes.length}`);
+    const combined = new Uint8Array(prefix.length + bytes.length);
+    combined.set(prefix, 0);
+    combined.set(bytes, prefix.length);
+    return keccak_256(combined);
+}
+export async function createKmsAccount(backend, opts) {
+    const address = await backend.getSignerAddress();
+    // Derive from the real backend (audit F-6) — an explicit opts.provider
+    // still wins, but the default is the backend's actual kind, never a
+    // misleading 'local-aes' for a production GCP/AWS signer.
+    const provider = opts?.provider ?? backend.provider;
+    return {
+        address,
+        keyId: `${provider}:${address.toLowerCase()}`,
+        provider,
+        async signMessage(msg) {
+            let digest;
+            if (typeof msg === 'string') {
+                digest = eip191Digest(msg);
+            }
+            else {
+                // raw hex — treat as already-hashed payload signed verbatim
+                digest = hexToBytes(msg.raw);
+                if (digest.length !== 32) {
+                    // EIP-191 of raw bytes
+                    digest = eip191Digest(digest);
+                }
+            }
+            const { signature } = await backend.signA2AAction({
+                digest,
+                auditContext: opts?.sessionId ? { sessionId: opts.sessionId } : undefined,
+            });
+            return bytesToHex(signature);
+        },
+        async signTypedData(args) {
+            // viem.hashTypedData computes the EIP-712 digest exactly the way wallets do.
+            const digestHex = hashTypedData(args);
+            const digest = hexToBytes(digestHex);
+            const { signature } = await backend.signA2AAction({
+                digest,
+                auditContext: opts?.sessionId ? { sessionId: opts.sessionId } : undefined,
+            });
+            return bytesToHex(signature);
+        },
+    };
+}
+//# sourceMappingURL=account.js.map

package/dist/account.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"account.js","sourceRoot":"","sources":["../src/account.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,oEAAoE;AAEpE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAA0B,MAAM,MAAM,CAAC;AAgBrF,SAAS,YAAY,CAAC,OAA4B;IAChD,MAAM,KAAK,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACxF,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,iCAAiC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9D,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACxB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAA0B,EAC1B,IAA+F;IAE/F,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,gBAAgB,EAAE,CAAC;IACjD,uEAAuE;IACvE,oEAAoE;IACpE,0DAA0D;IAC1D,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IAEpD,OAAO;QACL,OAAO;QACP,KAAK,EAAE,GAAG,QAAQ,IAAI,OAAO,CAAC,WAAW,EAAE,EAAE;QAC7C,QAAQ;QAER,KAAK,CAAC,WAAW,CAAC,GAA0B;YAC1C,IAAI,MAAkB,CAAC;YACvB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACN,4DAA4D;gBAC5D,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC7B,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;oBACzB,uBAAuB;oBACvB,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;YACD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;gBAChD,MAAM;gBACN,YAAY,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS;aAC1E,CAAC,CAAC;YACH,OAAO,UAAU,CAAC,SAAS,CAAQ,CAAC;QACtC,CAAC;QAED,KAAK,CAAC,aAAa,CAAC,IAAI;YACtB,6EAA6E;YAC7E,MAAM,SAAS,GAAG,aAAa,CAAC,IAA2C,CAAC,CAAC;YAC7E,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;gBAChD,MAAM;gBACN,YAAY,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS;aAC1E,CAAC,CAAC;YACH,OAAO,UAAU,CAAC,SAAS,CAAQ,CAAC;QACtC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/derive-subject.d.ts

@@ -0,0 +1,38 @@
+import { type Hex } from 'viem';
+import type { BuildOpts, KmsAccountBackend } from './types';
+/** The Google (OIDC) subject a custodian key is bound to. */
+export interface SubjectId {
+    /** OIDC issuer, e.g. `https://accounts.google.com`. */
+    iss: string;
+    /** OIDC subject (stable per Google account). */
+    sub: string;
+    /** Bump to rotate a subject's custodian key (defaults to 0). */
+    rotation?: number;
+}
+export interface DeriveSubjectOpts extends BuildOpts {
+    subject: SubjectId;
+}
+/**
+ * The exact message the per-subject key is derived over. Each component is
+ * percent-encoded so the `:` separators are unforgeable (so `(iss,sub:x)` and
+ * `(iss:sub,x)` can never derive the same key).
+ */
+export declare function subjectCanonicalMessage(subject: SubjectId): string;
+/**
+ * Pure derivation: expand a 32-byte master into the per-subject secp256k1
+ * private key. Deterministic (same master + subject → same key); distinct
+ * subject/rotation → distinct key. Exported for unit tests.
+ */
+export declare function deriveSubjectPrivateKeyHex(master: Uint8Array, subject: SubjectId): Hex;
+/**
+ * Build the per-subject custodian signer. The returned backend's
+ * `getSignerAddress()` is `C_sub`; `signA2AAction` signs 32-byte userOp /
+ * EIP-712 digests with the derived key.
+ *
+ * local-aes: HKDF-derive the key, wrap it in `LocalSecp256k1Signer` (which
+ *   enforces the production guard — refuses NODE_ENV=production unless
+ *   `A2A_ALLOW_LOCAL_MASTER_KEY=true`).
+ * gcp-kms / aws-kms: not yet built — fail closed (spec 235 §10).
+ */
+export declare function deriveSubjectSigner(opts: DeriveSubjectOpts): KmsAccountBackend;
+//# sourceMappingURL=derive-subject.d.ts.map

package/dist/derive-subject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-subject.d.ts","sourceRoot":"","sources":["../src/derive-subject.ts"],"names":[],"mappings":"AA8BA,OAAO,EAA0B,KAAK,GAAG,EAAE,MAAM,MAAM,CAAC;AACxD,OAAO,KAAK,EAAE,SAAS,EAAE,iBAAiB,EAAc,MAAM,SAAS,CAAC;AAMxE,6DAA6D;AAC7D,MAAM,WAAW,SAAS;IACxB,uDAAuD;IACvD,GAAG,EAAE,MAAM,CAAC;IACZ,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,OAAO,EAAE,SAAS,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,SAAS,GAAG,MAAM,CAUlE;AAkBD;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,GAAG,GAAG,CAetF;AAoCD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,iBAAiB,GAAG,iBAAiB,CAa9E"}

package/dist/derive-subject.js

@@ -0,0 +1,137 @@
+// deriveSubjectSigner — a per-(iss,sub) custodian signer (spec 235).
+//
+// Given a Google subject `(iss, sub)`, derive a secp256k1 signing key bound to
+// that subject from the server master, and return a `KmsAccountBackend` whose
+// address is the per-subject custodian `C_sub`. demo-a2a uses `C_sub` as the
+// SOLE custodian of the member's Smart Agent, so signing in with Google alone
+// = full custody (the server signs on the member's behalf — see spec 235 §3
+// for the trust model: master compromise = all Google members; per-subject
+// keys bound only the single-leak blast radius).
+//
+// Divergence from smart-agent (spec 235 §2): smart-agent uses ONE shared
+// bootstrap signer + a per-subject CREATE2 *salt*. We derive a per-subject
+// signing KEY so the custodian address itself differs per member — a single
+// leaked derived key cannot custody another member's agent.
+//
+// Derivation (local-aes, the demo backend):
+//   canonical = "kms-custodian:v1:<enc(iss)>:<enc(sub)>:<rotation>"
+//   okm       = HKDF-SHA256(ikm = master, salt = "kms-custodian:v1", info = canonical, 32)
+//   priv      = (be(okm) mod (n-1)) + 1     // uniform-ish in [1, n-1], never 0, always < n
+// `enc()` is encodeURIComponent so a `:` inside iss/sub can't forge the field
+// separators (key-isolation invariant — spec 235 §9.3).
+//
+// KMS backends (gcp-kms / aws-kms): NOT YET BUILT. The prod providers expose
+// no `generateMac`, so there is no KMS-side per-subject seed today. We FAIL
+// CLOSED (no silent fallback to local-aes — ADR-0013) and point at the
+// follow-up (spec 235 §10: a per-subject KMS HMAC or asymmetric key).
+import { hkdf } from '@noble/hashes/hkdf';
+import { sha256 } from '@noble/hashes/sha256';
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { hexToBytes, bytesToHex } from 'viem';
+import { LocalSecp256k1Signer } from './providers/local';
+const DERIVE_INFO_PREFIX = 'kms-custodian:v1';
+const SECP256K1_N = secp256k1.CURVE.n;
+/**
+ * The exact message the per-subject key is derived over. Each component is
+ * percent-encoded so the `:` separators are unforgeable (so `(iss,sub:x)` and
+ * `(iss:sub,x)` can never derive the same key).
+ */
+export function subjectCanonicalMessage(subject) {
+    const iss = subject.iss?.trim();
+    const sub = subject.sub?.trim();
+    if (!iss)
+        throw new Error('deriveSubjectSigner: subject.iss is required');
+    if (!sub)
+        throw new Error('deriveSubjectSigner: subject.sub is required');
+    const rotation = subject.rotation ?? 0;
+    if (!Number.isInteger(rotation) || rotation < 0) {
+        throw new Error('deriveSubjectSigner: subject.rotation must be a non-negative integer');
+    }
+    return `${DERIVE_INFO_PREFIX}:${encodeURIComponent(iss)}:${encodeURIComponent(sub)}:${rotation}`;
+}
+function beBytesToBigInt(bytes) {
+    let n = 0n;
+    for (const b of bytes)
+        n = (n << 8n) | BigInt(b);
+    return n;
+}
+function bigIntTo32Bytes(n) {
+    const out = new Uint8Array(32);
+    let v = n;
+    for (let i = 31; i >= 0; i--) {
+        out[i] = Number(v & 0xffn);
+        v >>= 8n;
+    }
+    return out;
+}
+/**
+ * Pure derivation: expand a 32-byte master into the per-subject secp256k1
+ * private key. Deterministic (same master + subject → same key); distinct
+ * subject/rotation → distinct key. Exported for unit tests.
+ */
+export function deriveSubjectPrivateKeyHex(master, subject) {
+    if (master.length < 32) {
+        throw new Error(`deriveSubjectSigner: master must be ≥ 32 bytes; got ${master.length}`);
+    }
+    const canonical = subjectCanonicalMessage(subject);
+    const okm = hkdf(sha256, master, new TextEncoder().encode(DERIVE_INFO_PREFIX), new TextEncoder().encode(canonical), 32);
+    // Map uniformly into [1, n-1]: (x mod (n-1)) + 1. Never 0, always < n.
+    const priv = (beBytesToBigInt(okm) % (SECP256K1_N - 1n)) + 1n;
+    return bytesToHex(bigIntTo32Bytes(priv));
+}
+function loadDerivationMaster(opts) {
+    // The master the subject keys are derived from. In the demo this is the
+    // server's master signing key (the server IS the trusted custodian for all
+    // Google members — spec 235 §3). `config.derivationSecretHex` lets a deploy
+    // point at a SEPARATE secret (master-key-separation invariant) without code
+    // changes; default is A2A_MASTER_PRIVATE_KEY.
+    const hex = opts.config?.derivationSecretHex ?? process.env.A2A_MASTER_PRIVATE_KEY;
+    if (!hex) {
+        throw new Error('deriveSubjectSigner (local-aes): A2A_MASTER_PRIVATE_KEY (or config.derivationSecretHex) ' +
+            'is required to derive per-subject custodian keys.');
+    }
+    const cleaned = hex.startsWith('0x') ? hex : `0x${hex}`;
+    const bytes = hexToBytes(cleaned);
+    if (bytes.length < 32) {
+        throw new Error(`deriveSubjectSigner: derivation master must be ≥ 32 bytes; got ${bytes.length}`);
+    }
+    return bytes;
+}
+function backendOf(opts) {
+    if (opts.backend)
+        return opts.backend;
+    try {
+        const env = process.env?.A2A_KMS_BACKEND;
+        if (env)
+            return env;
+    }
+    catch {
+        /* Workers may throw on process access */
+    }
+    // No silent local default here — deriving custody keys is security-sensitive.
+    // The caller (demo-a2a) sets A2A_KMS_BACKEND explicitly.
+    return 'local-aes';
+}
+/**
+ * Build the per-subject custodian signer. The returned backend's
+ * `getSignerAddress()` is `C_sub`; `signA2AAction` signs 32-byte userOp /
+ * EIP-712 digests with the derived key.
+ *
+ * local-aes: HKDF-derive the key, wrap it in `LocalSecp256k1Signer` (which
+ *   enforces the production guard — refuses NODE_ENV=production unless
+ *   `A2A_ALLOW_LOCAL_MASTER_KEY=true`).
+ * gcp-kms / aws-kms: not yet built — fail closed (spec 235 §10).
+ */
+export function deriveSubjectSigner(opts) {
+    const backend = backendOf(opts);
+    if (backend === 'local-aes') {
+        const master = loadDerivationMaster(opts);
+        const privateKeyHex = deriveSubjectPrivateKeyHex(master, opts.subject);
+        return new LocalSecp256k1Signer({ privateKeyHex, auditSink: opts.auditSink });
+    }
+    throw new Error(`deriveSubjectSigner: per-subject derivation is not yet implemented for backend "${backend}". ` +
+        `The KMS providers expose no per-subject MAC/key today. Use local-aes for the demo, or build ` +
+        `the production path per spec 235 §10 (a per-subject KMS HMAC or asymmetric key). ` +
+        `There is no silent fallback to local-aes (ADR-0013).`);
+}
+//# sourceMappingURL=derive-subject.js.map

package/dist/derive-subject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-subject.js","sourceRoot":"","sources":["../src/derive-subject.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,+EAA+E;AAC/E,8EAA8E;AAC9E,6EAA6E;AAC7E,8EAA8E;AAC9E,4EAA4E;AAC5E,2EAA2E;AAC3E,iDAAiD;AACjD,EAAE;AACF,yEAAyE;AACzE,2EAA2E;AAC3E,4EAA4E;AAC5E,4DAA4D;AAC5D,EAAE;AACF,4CAA4C;AAC5C,oEAAoE;AACpE,2FAA2F;AAC3F,4FAA4F;AAC5F,8EAA8E;AAC9E,wDAAwD;AACxD,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,uEAAuE;AACvE,sEAAsE;AAEtE,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAY,MAAM,MAAM,CAAC;AAExD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEzD,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;AAC9C,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAgBtC;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAkB;IACxD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAC1E,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAC1E,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC1F,CAAC;IACD,OAAO,GAAG,kBAAkB,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,QAAQ,EAAE,CAAC;AACnG,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACjD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QAC3B,CAAC,KAAK,EAAE,CAAC;IACX,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CAAC,MAAkB,EAAE,OAAkB;IAC/E,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uDAAuD,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1F,CAAC;IACD,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,IAAI,CACd,MAAM,EACN,MAAM,EACN,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAC5C,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EACnC,EAAE,CACH,CAAC;IACF,uEAAuE;IACvE,MAAM,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC;IAC9D,OAAO,UAAU,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAuB;IACnD,wEAAwE;IACxE,2EAA2E;IAC3E,4EAA4E;IAC5E,4EAA4E;IAC5E,8CAA8C;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,mBAAmB,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IACnF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,0FAA0F;YACxF,mDAAmD,CACtD,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAE,GAAqB,CAAC,CAAC,CAAE,KAAK,GAAG,EAAoB,CAAC;IAC9F,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,kEAAkE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACpG,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,IAAuB;IACxC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,eAAyC,CAAC;QACnE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,yCAAyC;IAC3C,CAAC;IACD,8EAA8E;IAC9E,yDAAyD;IACzD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAuB;IACzD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,OAAO,KAAK,WAAW,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,aAAa,GAAG,0BAA0B,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvE,OAAO,IAAI,oBAAoB,CAAC,EAAE,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAChF,CAAC;IACD,MAAM,IAAI,KAAK,CACb,mFAAmF,OAAO,KAAK;QAC7F,8FAA8F;QAC9F,mFAAmF;QACnF,sDAAsD,CACzD,CAAC;AACJ,CAAC"}

package/dist/factories.d.ts

@@ -0,0 +1,30 @@
+import type { A2AKeyProvider, BuildOpts, KmsAccountBackend } from './types';
+export declare function buildKeyProvider(opts: BuildOpts): A2AKeyProvider;
+export declare function buildSignerBackend(opts: BuildOpts): KmsAccountBackend;
+/**
+ * @deprecated Renamed in H7-B.1 to make the lie loud. Use
+ * `buildToolExecutorBackendNoIsolation` (and read its JSDoc before you do).
+ * Closure of PKG-KEY-CUSTODY-001 / EXT-020.
+ */
+export declare function buildToolExecutorBackend(_toolId: string, _opts: BuildOpts): KmsAccountBackend;
+/**
+ * **NO per-tool isolation.** Returns the master signer (or the resolved KMS
+ * backend) regardless of `toolId`. This is a deliberately ugly name so the
+ * caller cannot pretend it's "per-tool" — that capability is not yet built.
+ *
+ * Use cases (all transitional):
+ *   - test fixtures
+ *   - dev-mode demos where a single master signer is acceptable
+ *   - operator opt-in while per-tool HKDF lands
+ *
+ * Refuses to run unless `AP_ALLOW_NO_TOOL_ISOLATION=true` in env (or
+ * `opts.developmentMode === true` / `opts.environment === 'development'`),
+ * AND throws in production environments regardless of the opt-out flag.
+ *
+ * Closure of PKG-KEY-CUSTODY-001 / EXT-020 / CT-6.
+ *
+ * For per-OIDC-subject isolation, use {@link deriveSubjectSigner} (spec 235).
+ */
+export declare function buildToolExecutorBackendNoIsolation(toolId: string, opts: BuildOpts): KmsAccountBackend;
+export declare function buildMacProvider(audience: string, opts: BuildOpts): A2AKeyProvider;
+//# sourceMappingURL=factories.d.ts.map

package/dist/factories.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factories.d.ts","sourceRoot":"","sources":["../src/factories.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,iBAAiB,EAAc,MAAM,SAAS,CAAC;AAwDxF,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,SAAS,GAAG,cAAc,CAYhE;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,SAAS,GAAG,iBAAiB,CAgBrE;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,GAAG,iBAAiB,CAU7F;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mCAAmC,CACjD,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,SAAS,GACd,iBAAiB,CAyBnB;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,cAAc,CAMlF"}

package/dist/factories.js

@@ -0,0 +1,149 @@
+import { LocalAesProvider, LocalSecp256k1Signer } from './providers/local';
+import { AwsKmsProvider, AwsKmsSigner } from './providers/aws';
+import { GcpKmsProvider, GcpKmsSigner } from './providers/gcp';
+/**
+ * Resolve effective environment for production-default gates (audit H1).
+ *   1. Explicit `opts.environment` wins.
+ *   2. `developmentMode: true` shorthand → 'development'.
+ *   3. `process.env.NODE_ENV` if readable.
+ *   4. Default to 'production' — safe-by-default when the runtime is
+ *      ambiguous. Consumers who want a permissive default MUST opt out.
+ */
+function inferEnvironment(opts) {
+    if (opts.environment)
+        return opts.environment;
+    if (opts.developmentMode === true)
+        return 'development';
+    try {
+        if (typeof process !== 'undefined' && process.env?.NODE_ENV) {
+            return process.env.NODE_ENV === 'production' ? 'production' : 'development';
+        }
+    }
+    catch {
+        /* SES / Workers may throw on process access */
+    }
+    return 'production';
+}
+/**
+ * Backend selection (audit H1). Required-by-default:
+ *   - `opts.backend` always wins.
+ *   - Fall back to A2A_KMS_BACKEND env.
+ *   - In production with neither, THROW. The previous silent fallback
+ *     to `local-aes` was a footgun — production consumers should fail
+ *     at construction time, not boot a dev-mode signer.
+ *   - In development with neither, default to `local-aes` for ergonomics.
+ */
+function backendOrEnv(opts) {
+    if (opts.backend)
+        return opts.backend;
+    const envBackend = (() => {
+        try {
+            return process.env?.A2A_KMS_BACKEND;
+        }
+        catch {
+            return undefined;
+        }
+    })();
+    if (envBackend)
+        return envBackend;
+    if (inferEnvironment(opts) === 'production') {
+        throw new Error('[key-custody] No backend specified for production. Pass `opts.backend` ' +
+            '(`aws-kms` / `gcp-kms` for real deploys; `local-aes` for dev) or set ' +
+            'the A2A_KMS_BACKEND env var. There is no implicit fallback in production — ' +
+            'pass `developmentMode: true` to opt into the dev default.');
+    }
+    return 'local-aes';
+}
+export function buildKeyProvider(opts) {
+    switch (backendOrEnv(opts)) {
+        case 'local-aes':
+            return new LocalAesProvider({ sessionSecretHex: opts.config?.sessionSecretHex });
+        case 'aws-kms':
+            return new AwsKmsProvider();
+        case 'gcp-kms':
+            return new GcpKmsProvider({
+                cryptoKeyName: opts.config?.cryptoKeyName,
+                serviceAccountJson: opts.config?.serviceAccountJson,
+            });
+    }
+}
+export function buildSignerBackend(opts) {
+    switch (backendOrEnv(opts)) {
+        case 'local-aes':
+            return new LocalSecp256k1Signer({
+                privateKeyHex: opts.config?.privateKeyHex,
+                auditSink: opts.auditSink,
+            });
+        case 'aws-kms':
+            return new AwsKmsSigner();
+        case 'gcp-kms':
+            return new GcpKmsSigner({
+                cryptoKeyVersionName: opts.config?.cryptoKeyVersionName,
+                serviceAccountJson: opts.config?.serviceAccountJson,
+                auditSink: opts.auditSink,
+            });
+    }
+}
+/**
+ * @deprecated Renamed in H7-B.1 to make the lie loud. Use
+ * `buildToolExecutorBackendNoIsolation` (and read its JSDoc before you do).
+ * Closure of PKG-KEY-CUSTODY-001 / EXT-020.
+ */
+export function buildToolExecutorBackend(_toolId, _opts) {
+    throw new Error('[key-custody] buildToolExecutorBackend was removed in H7-B.1 (PKG-KEY-CUSTODY-001 closure). ' +
+        'The function ignored toolId and returned the master signer — every call signed with the ' +
+        'master key, which contradicted the JSDoc promise of per-tool isolation. ' +
+        'If you actually want master-signer fallback while per-tool HKDF is being built, use ' +
+        '`buildToolExecutorBackendNoIsolation(toolId, opts)` AND set ' +
+        '`AP_ALLOW_NO_TOOL_ISOLATION=true` (refused in production). ' +
+        'For per-OIDC-subject isolation, use `deriveSubjectSigner` (spec 235).');
+}
+/**
+ * **NO per-tool isolation.** Returns the master signer (or the resolved KMS
+ * backend) regardless of `toolId`. This is a deliberately ugly name so the
+ * caller cannot pretend it's "per-tool" — that capability is not yet built.
+ *
+ * Use cases (all transitional):
+ *   - test fixtures
+ *   - dev-mode demos where a single master signer is acceptable
+ *   - operator opt-in while per-tool HKDF lands
+ *
+ * Refuses to run unless `AP_ALLOW_NO_TOOL_ISOLATION=true` in env (or
+ * `opts.developmentMode === true` / `opts.environment === 'development'`),
+ * AND throws in production environments regardless of the opt-out flag.
+ *
+ * Closure of PKG-KEY-CUSTODY-001 / EXT-020 / CT-6.
+ *
+ * For per-OIDC-subject isolation, use {@link deriveSubjectSigner} (spec 235).
+ */
+export function buildToolExecutorBackendNoIsolation(toolId, opts) {
+    void toolId;
+    const env = inferEnvironment(opts);
+    if (env === 'production') {
+        throw new Error('[key-custody] buildToolExecutorBackendNoIsolation is refused in production. ' +
+            'Per-tool isolation is not implemented; the function would return the master signer. ' +
+            'Build the per-tool HKDF path (mirror `deriveSubjectSigner` from spec 235) before ' +
+            'wiring tool executors in production.');
+    }
+    let allowFlag = false;
+    try {
+        allowFlag = process.env?.AP_ALLOW_NO_TOOL_ISOLATION === 'true';
+    }
+    catch {
+        /* SES / Workers may throw */
+    }
+    if (!allowFlag) {
+        throw new Error('[key-custody] buildToolExecutorBackendNoIsolation requires opt-in. ' +
+            'Set AP_ALLOW_NO_TOOL_ISOLATION=true (and ensure you are not in production). ' +
+            'This signer has NO per-tool isolation — every toolId resolves to the master signer.');
+    }
+    return buildSignerBackend(opts);
+}
+export function buildMacProvider(audience, opts) {
+    // Same backend selector; provider returns generateMac.
+    // The audience is consumed by generateMac at call time; the provider itself
+    // doesn't bind to one audience.
+    void audience;
+    return buildKeyProvider(opts);
+}
+//# sourceMappingURL=factories.js.map

package/dist/factories.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factories.js","sourceRoot":"","sources":["../src/factories.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/D;;;;;;;GAOG;AACH,SAAS,gBAAgB,CAAC,IAAe;IACvC,IAAI,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC,WAAW,CAAC;IAC9C,IAAI,IAAI,CAAC,eAAe,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACxD,IAAI,CAAC;QACH,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC;YAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC;QAC9E,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,IAAe;IACnC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IACtC,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE;QACvB,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,GAAG,EAAE,eAAyC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IACL,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAClC,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,YAAY,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,yEAAyE;YACvE,uEAAuE;YACvE,6EAA6E;YAC7E,2DAA2D,CAC9D,CAAC;IACJ,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAe;IAC9C,QAAQ,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,KAAK,WAAW;YACd,OAAO,IAAI,gBAAgB,CAAC,EAAE,gBAAgB,EAAE,IAAI,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACnF,KAAK,SAAS;YACZ,OAAO,IAAI,cAAc,EAAE,CAAC;QAC9B,KAAK,SAAS;YACZ,OAAO,IAAI,cAAc,CAAC;gBACxB,aAAa,EAAE,IAAI,CAAC,MAAM,EAAE,aAAa;gBACzC,kBAAkB,EAAE,IAAI,CAAC,MAAM,EAAE,kBAAkB;aACpD,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,IAAe;IAChD,QAAQ,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,KAAK,WAAW;YACd,OAAO,IAAI,oBAAoB,CAAC;gBAC9B,aAAa,EAAE,IAAI,CAAC,MAAM,EAAE,aAAa;gBACzC,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,KAAK,SAAS;YACZ,OAAO,IAAI,YAAY,EAAE,CAAC;QAC5B,KAAK,SAAS;YACZ,OAAO,IAAI,YAAY,CAAC;gBACtB,oBAAoB,EAAE,IAAI,CAAC,MAAM,EAAE,oBAAoB;gBACvD,kBAAkB,EAAE,IAAI,CAAC,MAAM,EAAE,kBAAkB;gBACnD,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAe,EAAE,KAAgB;IACxE,MAAM,IAAI,KAAK,CACb,8FAA8F;QAC5F,0FAA0F;QAC1F,0EAA0E;QAC1E,sFAAsF;QACtF,8DAA8D;QAC9D,6DAA6D;QAC7D,uEAAuE,CAC1E,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,mCAAmC,CACjD,MAAc,EACd,IAAe;IAEf,KAAK,MAAM,CAAC;IACZ,MAAM,GAAG,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,8EAA8E;YAC5E,sFAAsF;YACtF,mFAAmF;YACnF,sCAAsC,CACzC,CAAC;IACJ,CAAC;IACD,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,OAAO,CAAC,GAAG,EAAE,0BAA0B,KAAK,MAAM,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,6BAA6B;IAC/B,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE;YACnE,8EAA8E;YAC9E,qFAAqF,CACxF,CAAC;IACJ,CAAC;IACD,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,IAAe;IAChE,uDAAuD;IACvD,4EAA4E;IAC5E,gCAAgC;IAChC,KAAK,QAAQ,CAAC;IACd,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+import type { Address, Hex } from '@agenticprimitives/types';
+export type { Address, Hex };
+export type { A2AKeyProvider, KmsAccountBackend, BuildOpts, KmsBackend, Secret } from './types';
+export { loadSecret, loadSecretFromEnv, unwrapSecret, isSecret } from './types';
+export { buildKeyProvider, buildSignerBackend, buildToolExecutorBackend, buildToolExecutorBackendNoIsolation, buildMacProvider, } from './factories';
+export { deriveSubjectSigner, subjectCanonicalMessage, type SubjectId, type DeriveSubjectOpts, } from './derive-subject';
+export { getRelayOnlySigner } from './relay-only';
+export { createKmsAccount } from './account';
+export { canonicalContextBytes } from './aad';
+export { LocalAesProvider, LocalSecp256k1Signer } from './providers/local';
+export { AwsKmsProvider, AwsKmsSigner } from './providers/aws';
+export { GcpKmsProvider, GcpKmsSigner } from './providers/gcp';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AAE7D,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC7B,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAChG,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEhF,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,wBAAwB,EACxB,mCAAmC,EACnC,gBAAgB,GACjB,MAAM,aAAa,CAAC;AAKrB,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,KAAK,SAAS,EACd,KAAK,iBAAiB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,qBAAqB,EAAE,MAAM,OAAO,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,17 @@
+// @agenticprimitives/key-custody — public API
+//
+// See ../../specs/203-key-custody.md for the full contract.
+export { loadSecret, loadSecretFromEnv, unwrapSecret, isSecret } from './types';
+export { buildKeyProvider, buildSignerBackend, buildToolExecutorBackend, buildToolExecutorBackendNoIsolation, buildMacProvider, } from './factories';
+// `deriveSubjectPrivateKeyHex` is intentionally NOT re-exported here — it returns
+// a per-subject raw private key (security-sensitive). It stays exported from
+// `./derive-subject` for in-package unit tests but is not part of the public API.
+// See `capability.manifest.json:publicExports` (audit row ARCH-006 / PKG-KEY-CUSTODY-002 closure).
+export { deriveSubjectSigner, subjectCanonicalMessage, } from './derive-subject';
+export { getRelayOnlySigner } from './relay-only';
+export { createKmsAccount } from './account';
+export { canonicalContextBytes } from './aad';
+export { LocalAesProvider, LocalSecp256k1Signer } from './providers/local';
+export { AwsKmsProvider, AwsKmsSigner } from './providers/aws';
+export { GcpKmsProvider, GcpKmsSigner } from './providers/gcp';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,EAAE;AACF,4DAA4D;AAM5D,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEhF,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,wBAAwB,EACxB,mCAAmC,EACnC,gBAAgB,GACjB,MAAM,aAAa,CAAC;AACrB,kFAAkF;AAClF,6EAA6E;AAC7E,kFAAkF;AAClF,mGAAmG;AACnG,OAAO,EACL,mBAAmB,EACnB,uBAAuB,GAGxB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,qBAAqB,EAAE,MAAM,OAAO,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/kms-viem-account.d.ts

@@ -0,0 +1,4 @@
+import { type LocalAccount } from 'viem';
+import type { KmsAccountBackend } from './types';
+export declare function createKmsViemAccount(backend: KmsAccountBackend): Promise<LocalAccount>;
+//# sourceMappingURL=kms-viem-account.d.ts.map

package/dist/kms-viem-account.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-viem-account.d.ts","sourceRoot":"","sources":["../src/kms-viem-account.ts"],"names":[],"mappings":"AAqBA,OAAO,EASL,KAAK,YAAY,EAElB,MAAM,MAAM,CAAC;AACd,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AA0BjD,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,CAwC5F"}