@agenticprimitives/key-custody 0.1.0-alpha.2

package/dist/kms-viem-account.js

@@ -0,0 +1,72 @@
+// createKmsViemAccount — wrap a KmsAccountBackend as a viem LocalAccount
+// so it can be plugged into viem's writeContract / sendTransaction / etc.
+// anywhere a privateKeyToAccount(...) account would go.
+//
+// Why a separate file from src/account.ts (createKmsAccount):
+//   - createKmsAccount produces an connect-auth `Signer` shape
+//     (signMessage / signTypedData only) for the identity layer.
+//   - createKmsViemAccount produces a viem `LocalAccount` (adds
+//     signTransaction) for the wallet/broadcast layer.
+//   - Different consumers, different layers — separating them keeps
+//     each surface minimal.
+//
+// Signing flow (all routes funnel into backend.signA2AAction):
+//   - signMessage:     EIP-191 hash via viem.hashMessage → 32-byte digest → KMS sign
+//   - signTransaction: viem.serializeTransaction (unsigned) → keccak256 → KMS sign,
+//                      then viem.serializeTransaction with the signature
+//   - signTypedData:   viem.hashTypedData → 32-byte digest → KMS sign
+//
+// The private key never leaves Cloud KMS / AWS KMS / etc. — the HSM signs
+// the digest; viem assembles the signed RLP / serialized signature locally.
+import { hashMessage, hashTypedData, keccak256, serializeTransaction, serializeSignature, bytesToHex, hexToBytes, } from 'viem';
+async function signDigestViaBackend(backend, digest) {
+    const { signature } = await backend.signA2AAction({ digest: hexToBytes(digest) });
+    if (signature.length !== 65) {
+        throw new Error(`KMS signer returned ${signature.length}-byte signature; expected 65 (r||s||v)`);
+    }
+    const r = bytesToHex(signature.slice(0, 32));
+    const s = bytesToHex(signature.slice(32, 64));
+    const vByte = signature[64];
+    if (vByte !== 27 && vByte !== 28) {
+        throw new Error(`KMS signer returned non-canonical v=${vByte}; expected 27 or 28`);
+    }
+    return { r, s, v: vByte, yParity: (vByte - 27) };
+}
+export async function createKmsViemAccount(backend) {
+    const address = await backend.getSignerAddress();
+    return {
+        address,
+        type: 'local',
+        source: 'kms',
+        // publicKey is optional on LocalAccount; we'd need the uncompressed
+        // secp256k1 point to populate it. Skipping — viem only needs it for
+        // a few utility paths that don't apply to our use case.
+        publicKey: '0x',
+        async signMessage({ message }) {
+            const digest = hashMessage(message);
+            const { r, s, v } = await signDigestViaBackend(backend, digest);
+            return serializeSignature({ r, s, v: BigInt(v) });
+        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        async signTransaction(transaction, options) {
+            // Match viem's privateKeyToAccount pattern: serialize unsigned →
+            // keccak256 → sign → re-serialize with signature. viem dispatches
+            // legacy/EIP-1559/EIP-4844 internally based on transaction shape.
+            const serializer = options?.serializer ?? serializeTransaction;
+            const unsigned = serializer(transaction);
+            const digest = keccak256(unsigned);
+            const { r, s, v, yParity } = await signDigestViaBackend(backend, digest);
+            // Pass both v (legacy) and yParity (EIP-1559+).
+            return serializer(transaction, { r, s, v: BigInt(v), yParity });
+        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        async signTypedData(args) {
+            // viem's TypedDataDefinition is heavily generic; we accept whatever
+            // viem's hashTypedData accepts and forward it verbatim.
+            const digest = hashTypedData(args);
+            const { r, s, v } = await signDigestViaBackend(backend, digest);
+            return serializeSignature({ r, s, v: BigInt(v) });
+        },
+    };
+}
+//# sourceMappingURL=kms-viem-account.js.map

package/dist/kms-viem-account.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-viem-account.js","sourceRoot":"","sources":["../src/kms-viem-account.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,0EAA0E;AAC1E,wDAAwD;AACxD,EAAE;AACF,8DAA8D;AAC9D,+DAA+D;AAC/D,iEAAiE;AACjE,gEAAgE;AAChE,uDAAuD;AACvD,oEAAoE;AACpE,4BAA4B;AAC5B,EAAE;AACF,+DAA+D;AAC/D,qFAAqF;AACrF,oFAAoF;AACpF,yEAAyE;AACzE,sEAAsE;AACtE,EAAE;AACF,0EAA0E;AAC1E,4EAA4E;AAE5E,OAAO,EACL,WAAW,EACX,aAAa,EACb,SAAS,EACT,oBAAoB,EACpB,kBAAkB,EAClB,UAAU,EACV,UAAU,GAIX,MAAM,MAAM,CAAC;AAUd,KAAK,UAAU,oBAAoB,CACjC,OAA0B,EAC1B,MAAW;IAEX,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAClF,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,CAAC,MAAM,wCAAwC,CAAC,CAAC;IACnG,CAAC;IACD,MAAM,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAQ,CAAC;IACpD,MAAM,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAQ,CAAC;IACrD,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,CAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,EAAE,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,KAAK,qBAAqB,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,KAAK,GAAG,EAAE,CAAU,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAA0B;IACnE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAEjD,OAAO;QACL,OAAO;QACP,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,KAAK;QACb,oEAAoE;QACpE,oEAAoE;QACpE,wDAAwD;QACxD,SAAS,EAAE,IAAW;QAEtB,KAAK,CAAC,WAAW,CAAC,EAAE,OAAO,EAAgC;YACzD,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;YACpC,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAChE,OAAO,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,8DAA8D;QAC9D,KAAK,CAAC,eAAe,CAAC,WAAgB,EAAE,OAAa;YACnD,iEAAiE;YACjE,kEAAkE;YAClE,kEAAkE;YAClE,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,oBAAoB,CAAC;YAC/D,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;YACnC,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACzE,gDAAgD;YAChD,OAAO,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,8DAA8D;QAC9D,KAAK,CAAC,aAAa,CAAC,IAAS;YAC3B,oEAAoE;YACpE,wDAAwD;YACxD,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;YACnC,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAChE,OAAO,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpD,CAAC;KACqB,CAAC;AAC3B,CAAC"}

package/dist/providers/aws.d.ts

@@ -0,0 +1,13 @@
+import type { A2AKeyProvider, KmsAccountBackend } from '../types';
+import type { Address } from '@agenticprimitives/types';
+export declare class AwsKmsProvider implements A2AKeyProvider {
+    readonly keyVersion = "aws-kms:not-implemented";
+    generateSessionDataKey(): Promise<never>;
+    decryptSessionDataKey(): Promise<never>;
+}
+export declare class AwsKmsSigner implements KmsAccountBackend {
+    readonly provider: "aws-kms";
+    signA2AAction(): Promise<never>;
+    getSignerAddress(): Promise<Address>;
+}
+//# sourceMappingURL=aws.d.ts.map

package/dist/providers/aws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/providers/aws.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAClE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAIxD,qBAAa,cAAe,YAAW,cAAc;IACnD,QAAQ,CAAC,UAAU,6BAA6B;IAC1C,sBAAsB,IAAI,OAAO,CAAC,KAAK,CAAC;IACxC,qBAAqB,IAAI,OAAO,CAAC,KAAK,CAAC;CAC9C;AAED,qBAAa,YAAa,YAAW,iBAAiB;IACpD,QAAQ,CAAC,QAAQ,EAAG,SAAS,CAAU;IACjC,aAAa,IAAI,OAAO,CAAC,KAAK,CAAC;IAC/B,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC;CAC3C"}

package/dist/providers/aws.js

@@ -0,0 +1,14 @@
+// AwsKmsProvider / AwsKmsSigner — production AWS KMS backends.
+// Stubs in v0 demo; full implementation lands in v0.1.
+const NOT_IMPLEMENTED = 'AwsKmsProvider / AwsKmsSigner not yet implemented in v0; use LocalAesProvider for the demo.';
+export class AwsKmsProvider {
+    keyVersion = 'aws-kms:not-implemented';
+    async generateSessionDataKey() { throw new Error(NOT_IMPLEMENTED); }
+    async decryptSessionDataKey() { throw new Error(NOT_IMPLEMENTED); }
+}
+export class AwsKmsSigner {
+    provider = 'aws-kms';
+    async signA2AAction() { throw new Error(NOT_IMPLEMENTED); }
+    async getSignerAddress() { throw new Error(NOT_IMPLEMENTED); }
+}
+//# sourceMappingURL=aws.js.map

package/dist/providers/aws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../src/providers/aws.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,uDAAuD;AAKvD,MAAM,eAAe,GAAG,6FAA6F,CAAC;AAEtH,MAAM,OAAO,cAAc;IAChB,UAAU,GAAG,yBAAyB,CAAC;IAChD,KAAK,CAAC,sBAAsB,KAAqB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACpF,KAAK,CAAC,qBAAqB,KAAqB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;CACpF;AAED,MAAM,OAAO,YAAY;IACd,QAAQ,GAAG,SAAkB,CAAC;IACvC,KAAK,CAAC,aAAa,KAAqB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAC3E,KAAK,CAAC,gBAAgB,KAAuB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;CACjF"}

package/dist/providers/gcp.d.ts

@@ -0,0 +1,103 @@
+import { type Address } from 'viem';
+import { type AuditSink } from '@agenticprimitives/audit';
+import type { A2AKeyProvider, KmsAccountBackend } from '../types';
+interface ServiceAccount {
+    client_email: string;
+    /** PEM-encoded PKCS#8 RSA private key. */
+    private_key: string;
+    project_id?: string;
+}
+interface CachedToken {
+    accessToken: string;
+    /** Unix seconds at which the token must be refreshed (already minus buffer). */
+    expiresAt: number;
+}
+export interface GcpKmsSignerOpts {
+    /**
+     * Full Cloud KMS resource name of the key version to sign with, e.g.
+     * `projects/<P>/locations/<L>/keyRings/<R>/cryptoKeys/<K>/cryptoKeyVersions/<V>`.
+     * Algorithm must be `EC_SIGN_SECP256K1_SHA256`.
+     */
+    cryptoKeyVersionName: string;
+    /** Raw JSON string of the service-account key file. */
+    serviceAccountJson: string;
+}
+export declare function base64UrlEncode(bytes: Uint8Array): string;
+export declare function pemToDer(pem: string): Uint8Array;
+export declare function signJwt(serviceAccount: ServiceAccount, scope: string): Promise<string>;
+export declare function fetchAccessToken(serviceAccount: ServiceAccount): Promise<CachedToken>;
+export declare function parseSpkiUncompressedSecp256k1PubKey(spkiDer: Uint8Array): Uint8Array;
+export declare function publicKeyToAddress(pubKey65: Uint8Array): Address;
+export declare function parseDerEcdsa(der: Uint8Array): {
+    r: bigint;
+    s: bigint;
+};
+export declare function bigIntTo32Bytes(n: bigint): Uint8Array;
+export declare function normalizeLowS(s: bigint): bigint;
+export declare function findRecoveryByte(r: bigint, s: bigint, digest: Uint8Array, knownPubKey65: Uint8Array): number;
+export declare class GcpKmsSigner implements KmsAccountBackend {
+    readonly provider: "gcp-kms";
+    private readonly keyName;
+    private readonly serviceAccount;
+    private readonly auditSink?;
+    private cachedToken?;
+    private cachedPubKey65?;
+    private cachedAddress?;
+    constructor(opts?: Partial<GcpKmsSignerOpts> & {
+        auditSink?: AuditSink;
+    });
+    private getAccessToken;
+    private getPublicKeyBytes;
+    getSignerAddress(): Promise<Address>;
+    signA2AAction(input: {
+        digest: Uint8Array;
+        auditContext?: {
+            toolId?: string;
+            sessionId?: string;
+            actionId?: string;
+        };
+    }): Promise<{
+        signature: Uint8Array;
+        keyId: string;
+        signerAddress: Address;
+    }>;
+}
+export interface GcpKmsProviderOpts {
+    /**
+     * Full Cloud KMS resource name of the symmetric encrypt-decrypt key, e.g.
+     * `projects/<P>/locations/<L>/keyRings/<R>/cryptoKeys/<K>`. Note: NO
+     * `/cryptoKeyVersions/N` suffix — GCP picks the active version.
+     */
+    cryptoKeyName: string;
+    /** Raw JSON string of the service-account key file. */
+    serviceAccountJson: string;
+}
+export declare class GcpKmsProvider implements A2AKeyProvider {
+    /**
+     * H7-F.4: this default is now ONLY used when the GCP encrypt response
+     * doesn't carry a `name` field (test fixtures + offline mocks). Real
+     * runs derive `keyVersion` from the response per call.
+     */
+    readonly keyVersion = "gcp-kms:unknown";
+    private readonly keyName;
+    private readonly serviceAccount;
+    private cachedToken?;
+    constructor(opts?: Partial<GcpKmsProviderOpts>);
+    private getAccessToken;
+    generateSessionDataKey(input: {
+        aadContext: Record<string, string>;
+    }): Promise<{
+        plaintextDataKey: Uint8Array;
+        encryptedDataKey: Uint8Array;
+        keyId: string;
+        keyVersion: string;
+    }>;
+    decryptSessionDataKey(input: {
+        encryptedDataKey: Uint8Array;
+        aadContext: Record<string, string>;
+        keyId: string;
+        keyVersion: string;
+    }): Promise<Uint8Array>;
+}
+export {};
+//# sourceMappingURL=gcp.d.ts.map

package/dist/providers/gcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp.d.ts","sourceRoot":"","sources":["../../src/providers/gcp.ts"],"names":[],"mappings":"AA6BA,OAAO,EAAc,KAAK,OAAO,EAAE,MAAM,MAAM,CAAC;AAChD,OAAO,EAAc,KAAK,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAkBlE,UAAU,cAAc;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,WAAW;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,SAAS,EAAE,MAAM,CAAC;CACnB;AAYD,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAC7B,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAMD,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIzD;AAeD,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAMhD;AAMD,wBAAsB,OAAO,CAAC,cAAc,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiC5F;AAED,wBAAsB,gBAAgB,CAAC,cAAc,EAAE,cAAc,GAAG,OAAO,CAAC,WAAW,CAAC,CAoB3F;AAiCD,wBAAgB,oCAAoC,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CAkBpF;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,UAAU,GAAG,OAAO,CAKhE;AAMD,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG;IAAE,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAA;CAAE,CA8BvE;AAQD,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAQrD;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/C;AAQD,wBAAgB,gBAAgB,CAC9B,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,MAAM,EACT,MAAM,EAAE,UAAU,EAClB,aAAa,EAAE,UAAU,GACxB,MAAM,CA6BR;AAMD,qBAAa,YAAa,YAAW,iBAAiB;IACpD,QAAQ,CAAC,QAAQ,EAAG,SAAS,CAAU;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAChD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAY;IACvC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,cAAc,CAAC,CAAa;IACpC,OAAO,CAAC,aAAa,CAAC,CAAU;gBAEpB,IAAI,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG;QAAE,SAAS,CAAC,EAAE,SAAS,CAAA;KAAE;YAyB1D,cAAc;YASd,iBAAiB;IAwBzB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC;IAOpC,aAAa,CAAC,KAAK,EAAE;QACzB,MAAM,EAAE,UAAU,CAAC;QACnB,YAAY,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,MAAM,CAAC;YAAC,SAAS,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KAC3E,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,OAAO,CAAA;KAAE,CAAC;CAsD9E;AAmBD,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB,uDAAuD;IACvD,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAiCD,qBAAa,cAAe,YAAW,cAAc;IACnD;;;;OAIG;IACH,QAAQ,CAAC,UAAU,qBAAqB;IACxC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAChD,OAAO,CAAC,WAAW,CAAC,CAAc;gBAEtB,IAAI,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC;YAwBhC,cAAc;IAStB,sBAAsB,CAAC,KAAK,EAAE;QAClC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACpC,GAAG,OAAO,CAAC;QACV,gBAAgB,EAAE,UAAU,CAAC;QAC7B,gBAAgB,EAAE,UAAU,CAAC;QAC7B,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IA6BI,qBAAqB,CAAC,KAAK,EAAE;QACjC,gBAAgB,EAAE,UAAU,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnC,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,GAAG,OAAO,CAAC,UAAU,CAAC;CAwBxB"}