@agenticprimitives/key-custody 0.1.0-alpha.2

package/dist/providers/local.js

@@ -0,0 +1,246 @@
+// LocalAesProvider / LocalSecp256k1Signer — DEV ONLY backends.
+//
+// Refuses to instantiate when NODE_ENV=production. Production guard per spec.
+//
+// LocalAesProvider:
+//   - "Wraps" data keys via HKDF derivation. encryptedDataKey is a random salt;
+//     the data key is HKDF(masterSecret, salt, infoBytes(aadContext)).
+//   - To "decrypt", re-derives from masterSecret + salt + AAD. Tampering with
+//     AAD changes the derived key, which surfaces as a tag mismatch when the
+//     caller AES-GCM-decrypts the payload.
+//
+// LocalSecp256k1Signer:
+//   - Holds a hardcoded private key from env (A2A_MASTER_PRIVATE_KEY).
+//   - secp256k1 signs a 32-byte digest; returns 65-byte (r,s,v) signature.
+import { hmac } from '@noble/hashes/hmac';
+import { sha256 } from '@noble/hashes/sha256';
+import { hkdf } from '@noble/hashes/hkdf';
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { keccak_256 } from '@noble/hashes/sha3';
+import { hexToBytes, bytesToHex, toHex } from 'viem';
+import { canonicalContextBytes } from '../aad';
+import { buildEvent } from '@agenticprimitives/audit';
+const HKDF_INFO = 'agenticprimitives/local-aes:v1';
+const SALT_BYTES = 16;
+/**
+ * Fail-closed default: refuse to start when NODE_ENV=production, but let a
+ * deliberate deployment opt into a local in-memory primitive with an explicit
+ * acknowledgement env var. Use case: demo / staging stacks that want to
+ * run the full A2A flow without standing up a real KMS first.
+ *
+ * Each override emits a loud one-time warning at boot. Production preflight
+ * (`scripts/check-production-deploy.ts`) is the load-bearing check that
+ * these opt-ins do not coexist with real-value keys.
+ *
+ * Two opt-ins exist because the threat models differ:
+ * - `A2A_ALLOW_LOCAL_MASTER_KEY` — in-memory secp256k1 signer (relayer,
+ *   bundler, paymaster envelope). Compromise = forge bundler txs.
+ * - `A2A_ALLOW_LOCAL_ENVELOPE_KEY` — HKDF-derived AES-GCM session-data-key
+ *   wrap. Compromise = decrypt session keypairs at rest = forge delegations.
+ */
+const warnedOptIns = new Set();
+/**
+ * H7-B.9 / XPKG-005 — production guard. Previously keyed off
+ * `process.env.NODE_ENV !== 'production'` to SKIP — which silently
+ * allowed local providers on runtimes that don't set NODE_ENV
+ * (Cloudflare Workers, Deno, SES). Fix: inferred environment defaults
+ * to `'production'` when NODE_ENV is unreadable or missing, matching
+ * `inferEnvironment` in `factories.ts` / sibling-package inferEnvironment functions.
+ */
+function isProductionEnvironment() {
+    try {
+        if (typeof process !== 'undefined' && process.env?.NODE_ENV) {
+            return process.env.NODE_ENV === 'production';
+        }
+    }
+    catch {
+        /* SES / Workers may throw on process access */
+    }
+    // Ambiguous runtime → assume production (fail-closed).
+    return true;
+}
+function assertLocalProviderAllowedInProduction(label, optInEnvVar) {
+    if (!isProductionEnvironment())
+        return;
+    let optIn = false;
+    try {
+        optIn = process.env?.[optInEnvVar] === 'true';
+    }
+    catch {
+        /* SES / Workers — opt-in not readable, treat as not-set */
+    }
+    if (optIn) {
+        if (!warnedOptIns.has(optInEnvVar)) {
+            warnedOptIns.add(optInEnvVar);
+            // eslint-disable-next-line no-console
+            console.warn(`[key-custody] ${label}: running in production via ${optInEnvVar}=true. ` +
+                `A managed KMS backend (gcp-kms / aws-kms) MUST replace this before any real-value keys land.`);
+        }
+        return;
+    }
+    throw new Error(`${label} refuses to start in production (or in a runtime where NODE_ENV is unset). ` +
+        `Configure a managed KMS backend (gcp-kms / aws-kms), or set ` +
+        `${optInEnvVar}=true to acknowledge running with local key material (demo / staging only).`);
+}
+function loadMasterSecret(envOverride) {
+    const hex = envOverride ?? process.env.A2A_SESSION_SECRET;
+    if (!hex) {
+        throw new Error('LocalAesProvider: A2A_SESSION_SECRET (hex) is required. Generate one for dev: openssl rand -hex 32');
+    }
+    const bytes = hexToBytes(hex.startsWith('0x') ? hex : `0x${hex}`);
+    if (bytes.length < 32) {
+        throw new Error(`A2A_SESSION_SECRET must be at least 32 bytes (64 hex chars); got ${bytes.length}.`);
+    }
+    return bytes;
+}
+function loadPrivateKey(envOverride) {
+    const hex = envOverride ?? process.env.A2A_MASTER_PRIVATE_KEY;
+    if (!hex) {
+        throw new Error('LocalSecp256k1Signer: A2A_MASTER_PRIVATE_KEY (0x-prefixed hex) is required.');
+    }
+    const cleaned = hex.startsWith('0x') ? hex : `0x${hex}`;
+    const bytes = hexToBytes(cleaned);
+    if (bytes.length !== 32) {
+        throw new Error(`A2A_MASTER_PRIVATE_KEY must be 32 bytes; got ${bytes.length}.`);
+    }
+    return bytes;
+}
+function randomBytes(n) {
+    const out = new Uint8Array(n);
+    // Node 20+ and modern browsers both expose globalThis.crypto.getRandomValues
+    globalThis.crypto.getRandomValues(out);
+    return out;
+}
+function publicKeyToAddress(pubKey) {
+    // pubKey: 64-byte uncompressed (no 0x04 prefix)
+    const raw = pubKey.length === 65 ? pubKey.slice(1) : pubKey;
+    const hash = keccak_256(raw);
+    // viem's bytesToHex already prefixes with 0x — don't double it.
+    return bytesToHex(hash.slice(12));
+}
+export class LocalAesProvider {
+    keyVersion = 'local-v1';
+    master;
+    constructor(opts) {
+        // Production guard moved from the constructor to the
+        // envelope-encryption methods (generateSessionDataKey /
+        // decryptSessionDataKey). Rationale: the production posture
+        // requires a real KMS for SESSION DATA KEY material (encrypt /
+        // decrypt of session payloads) — HKDF-from-a-local-secret is the
+        // dev-only path that gets refused in prod. The MAC primitive
+        // (generateMac, below) is just HMAC-SHA256 over a wrangler-secret-
+        // loaded value, which is a legitimate production pattern for
+        // service-to-service auth (audit C1). Splitting the guard lets
+        // generateMac work in production without weakening the encryption
+        // posture.
+        this.master = loadMasterSecret(opts?.sessionSecretHex);
+    }
+    async generateSessionDataKey(input) {
+        assertLocalProviderAllowedInProduction('LocalAesProvider.generateSessionDataKey', 'A2A_ALLOW_LOCAL_ENVELOPE_KEY');
+        const salt = randomBytes(SALT_BYTES);
+        const info = canonicalContextBytes(input.aadContext);
+        // Derive 32-byte data key. encryptedDataKey == salt (the master is held in process memory).
+        const dk = hkdf(sha256, this.master, salt, new Uint8Array([...new TextEncoder().encode(HKDF_INFO + '|'), ...info]), 32);
+        return {
+            plaintextDataKey: dk,
+            encryptedDataKey: salt,
+            keyId: 'local-master',
+            keyVersion: this.keyVersion,
+        };
+    }
+    async decryptSessionDataKey(input) {
+        assertLocalProviderAllowedInProduction('LocalAesProvider.decryptSessionDataKey', 'A2A_ALLOW_LOCAL_ENVELOPE_KEY');
+        if (input.keyVersion !== this.keyVersion) {
+            throw new Error(`LocalAesProvider: keyVersion mismatch (got "${input.keyVersion}", expected "${this.keyVersion}").`);
+        }
+        const info = canonicalContextBytes(input.aadContext);
+        const dk = hkdf(sha256, this.master, input.encryptedDataKey, new Uint8Array([...new TextEncoder().encode(HKDF_INFO + '|'), ...info]), 32);
+        return dk;
+    }
+    async generateMac(input) {
+        // Permitted in production: this is HMAC-SHA256 with a wrangler-
+        // secret-loaded shared key, which is a legitimate production
+        // pattern for service-to-service auth. Production should migrate
+        // to a managed KMS HMAC key for key rotation + IAM scoping, but
+        // the LocalAesProvider MAC path is structurally safe.
+        const ctx = `mac|${input.service}|${input.audience}`;
+        const subkey = hmac(sha256, this.master, new TextEncoder().encode(ctx));
+        const mac = hmac(sha256, subkey, input.canonicalMessage);
+        return { mac, keyId: `local-mac:${input.service}:${input.audience}` };
+    }
+}
+export class LocalSecp256k1Signer {
+    provider = 'local-aes';
+    priv;
+    addr;
+    auditSink;
+    constructor(opts) {
+        assertLocalProviderAllowedInProduction('LocalSecp256k1Signer', 'A2A_ALLOW_LOCAL_MASTER_KEY');
+        this.priv = loadPrivateKey(opts?.privateKeyHex);
+        const pub = secp256k1.getPublicKey(this.priv, false); // uncompressed (65 bytes)
+        this.addr = publicKeyToAddress(pub);
+        this.auditSink = opts?.auditSink;
+    }
+    async signA2AAction(input) {
+        if (input.digest.length !== 32) {
+            throw new Error(`signA2AAction expects a 32-byte digest; got ${input.digest.length}.`);
+        }
+        const sig = secp256k1.sign(input.digest, this.priv);
+        // viem-compatible signature: r (32) | s (32) | v (1, 27 or 28)
+        const out = new Uint8Array(65);
+        out.set(numberTo32Bytes(sig.r), 0);
+        out.set(numberTo32Bytes(sig.s), 32);
+        out[64] = (sig.recovery ?? 0) + 27;
+        // Audit emit (C3 pass 3c). Per CLAUDE.md security invariant:
+        //   "Every Decrypt and signing op emits an audit row with
+        //    keyVersion, hashed sessionId, optional toolId/actionId.
+        //    Raw sessionId MUST NEVER be logged."
+        if (this.auditSink) {
+            const ctx = input.auditContext ?? {};
+            try {
+                await this.auditSink.write(buildEvent({
+                    action: 'key-custody.sign',
+                    outcome: 'success',
+                    actor: { type: 'system', id: 'local-secp256k1-signer' },
+                    subject: { type: 'sign-digest', id: bytesToHex(input.digest) },
+                    context: {
+                        keyId: 'local-master-secp256k1',
+                        signerAddress: this.addr,
+                        toolId: ctx.toolId ?? null,
+                        actionId: ctx.actionId ?? null,
+                        // Hash sessionId — never log raw.
+                        sessionHash: ctx.sessionId
+                            ? toHex(keccak_256(new TextEncoder().encode(ctx.sessionId))).slice(0, 18)
+                            : null,
+                    },
+                }));
+            }
+            catch {
+                /* fail-soft */
+            }
+        }
+        return {
+            signature: out,
+            keyId: 'local-master-secp256k1',
+            signerAddress: this.addr,
+        };
+    }
+    async getSignerAddress() {
+        return this.addr;
+    }
+    /** Internal: returns the address as a hex string for use by adapters. */
+    addressHex() {
+        return this.addr;
+    }
+}
+function numberTo32Bytes(n) {
+    const out = new Uint8Array(32);
+    let value = n;
+    for (let i = 31; i >= 0; i--) {
+        out[i] = Number(value & 0xffn);
+        value >>= 8n;
+    }
+    return out;
+}
+export { hexToBytes, bytesToHex, toHex };
+//# sourceMappingURL=local.js.map

package/dist/providers/local.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local.js","sourceRoot":"","sources":["../../src/providers/local.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,EAAE;AACF,8EAA8E;AAC9E,EAAE;AACF,oBAAoB;AACpB,gFAAgF;AAChF,uEAAuE;AACvE,8EAA8E;AAC9E,6EAA6E;AAC7E,2CAA2C;AAC3C,EAAE;AACF,wBAAwB;AACxB,uEAAuE;AACvE,2EAA2E;AAE3E,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAA0B,MAAM,MAAM,CAAC;AAE7E,OAAO,EAAE,qBAAqB,EAAE,MAAM,QAAQ,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAkB,MAAM,0BAA0B,CAAC;AAEtE,MAAM,SAAS,GAAG,gCAAgC,CAAC;AACnD,MAAM,UAAU,GAAG,EAAE,CAAC;AAEtB;;;;;;;;;;;;;;;GAeG;AACH,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;AAEvC;;;;;;;GAOG;AACH,SAAS,uBAAuB;IAC9B,IAAI,CAAC;QACH,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC;YAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAC/C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IACD,uDAAuD;IACvD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,sCAAsC,CAAC,KAAa,EAAE,WAAmB;IAChF,IAAI,CAAC,uBAAuB,EAAE;QAAE,OAAO;IACvC,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,CAAC;QACH,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,KAAK,MAAM,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;YACnC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC9B,sCAAsC;YACtC,OAAO,CAAC,IAAI,CACV,iBAAiB,KAAK,+BAA+B,WAAW,SAAS;gBACvE,8FAA8F,CACjG,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,6EAA6E;QACnF,8DAA8D;QAC9D,GAAG,WAAW,6EAA6E,CAC9F,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,WAAoB;IAC5C,MAAM,GAAG,GAAG,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC1D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,oGAAoG,CACrG,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAE,GAAqB,CAAC,CAAC,CAAE,KAAK,GAAG,EAAoB,CAAC,CAAC;IACxG,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oEAAoE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IACvG,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,WAAoB;IAC1C,MAAM,GAAG,GAAG,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC9D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAE,GAAqB,CAAC,CAAC,CAAE,KAAK,GAAG,EAAoB,CAAC;IAC9F,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,gDAAgD,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,6EAA6E;IAC7E,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAkB;IAC5C,gDAAgD;IAChD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC5D,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC7B,gEAAgE;IAChE,OAAO,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAY,CAAC;AAC/C,CAAC;AAED,MAAM,OAAO,gBAAgB;IAClB,UAAU,GAAG,UAAU,CAAC;IAChB,MAAM,CAAa;IAEpC,YAAY,IAAoC;QAC9C,qDAAqD;QACrD,wDAAwD;QACxD,4DAA4D;QAC5D,+DAA+D;QAC/D,iEAAiE;QACjE,6DAA6D;QAC7D,mEAAmE;QACnE,6DAA6D;QAC7D,+DAA+D;QAC/D,kEAAkE;QAClE,WAAW;QACX,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,KAA6C;QACxE,sCAAsC,CACpC,yCAAyC,EACzC,8BAA8B,CAC/B,CAAC;QACF,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACrD,4FAA4F;QAC5F,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,UAAU,CAAC,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxH,OAAO;YACL,gBAAgB,EAAE,EAAE;YACpB,gBAAgB,EAAE,IAAI;YACtB,KAAK,EAAE,cAAc;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,KAK3B;QACC,sCAAsC,CACpC,wCAAwC,EACxC,8BAA8B,CAC/B,CAAC;QACF,IAAI,KAAK,CAAC,UAAU,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,+CAA+C,KAAK,CAAC,UAAU,gBAAgB,IAAI,CAAC,UAAU,KAAK,CAAC,CAAC;QACvH,CAAC;QACD,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACrD,MAAM,EAAE,GAAG,IAAI,CACb,MAAM,EACN,IAAI,CAAC,MAAM,EACX,KAAK,CAAC,gBAAgB,EACtB,IAAI,UAAU,CAAC,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,EACvE,EAAE,CACH,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAA0E;QAC1F,gEAAgE;QAChE,6DAA6D;QAC7D,iEAAiE;QACjE,gEAAgE;QAChE,sDAAsD;QACtD,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACxE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;QACzD,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,aAAa,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC;IACxE,CAAC;CACF;AAED,MAAM,OAAO,oBAAoB;IACtB,QAAQ,GAAG,WAAoB,CAAC;IACxB,IAAI,CAAa;IACjB,IAAI,CAAU;IACd,SAAS,CAAa;IAEvC,YAAY,IAAwD;QAClE,sCAAsC,CAAC,sBAAsB,EAAE,4BAA4B,CAAC,CAAC;QAC7F,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,0BAA0B;QAChF,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,EAAE,SAAS,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAGnB;QACC,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,+CAA+C,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,+DAA+D;QAC/D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACnC,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;QACnC,6DAA6D;QAC7D,0DAA0D;QAC1D,6DAA6D;QAC7D,0CAA0C;QAC1C,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CACxB,UAAU,CAAC;oBACT,MAAM,EAAE,kBAAkB;oBAC1B,OAAO,EAAE,SAAS;oBAClB,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,wBAAwB,EAAE;oBACvD,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE;oBAC9D,OAAO,EAAE;wBACP,KAAK,EAAE,wBAAwB;wBAC/B,aAAa,EAAE,IAAI,CAAC,IAAI;wBACxB,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,IAAI;wBAC1B,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,IAAI;wBAC9B,kCAAkC;wBAClC,WAAW,EAAE,GAAG,CAAC,SAAS;4BACxB,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;4BACzE,CAAC,CAAC,IAAI;qBACT;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;QACH,CAAC;QACD,OAAO;YACL,SAAS,EAAE,GAAG;YACd,KAAK,EAAE,wBAAwB;YAC/B,aAAa,EAAE,IAAI,CAAC,IAAI;SACzB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,yEAAyE;IACzE,UAAU;QACR,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC;QAC/B,KAAK,KAAK,EAAE,CAAC;IACf,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAID,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC"}

package/dist/relay-only.d.ts

@@ -0,0 +1,3 @@
+import type { BuildOpts, KmsAccountBackend } from './types';
+export declare function getRelayOnlySigner(opts: BuildOpts): KmsAccountBackend;
+//# sourceMappingURL=relay-only.d.ts.map

package/dist/relay-only.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay-only.d.ts","sourceRoot":"","sources":["../src/relay-only.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAI5D,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,SAAS,GAAG,iBAAiB,CAerE"}

package/dist/relay-only.js

@@ -0,0 +1,19 @@
+// getRelayOnlySigner — wraps a KmsAccountBackend so any sign call throws.
+// Used in Phase B to guarantee the master signer can only broadcast, never
+// sign on the user's authority.
+import { buildSignerBackend } from './factories';
+export function getRelayOnlySigner(opts) {
+    const inner = buildSignerBackend(opts);
+    return {
+        // Report the wrapped backend's real kind (audit F-6) — the relay-only
+        // shim changes capability, not provenance.
+        provider: inner.provider,
+        async getSignerAddress() {
+            return inner.getSignerAddress();
+        },
+        async signA2AAction() {
+            throw new Error('getRelayOnlySigner: signA2AAction called on relay-only signer. The master key is restricted to broadcast operations only.');
+        },
+    };
+}
+//# sourceMappingURL=relay-only.js.map

package/dist/relay-only.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay-only.js","sourceRoot":"","sources":["../src/relay-only.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,2EAA2E;AAC3E,gCAAgC;AAGhC,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGjD,MAAM,UAAU,kBAAkB,CAAC,IAAe;IAChD,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO;QACL,sEAAsE;QACtE,2CAA2C;QAC3C,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,KAAK,CAAC,gBAAgB;YACpB,OAAO,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAClC,CAAC;QACD,KAAK,CAAC,aAAa;YACjB,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,134 @@
+import type { Address } from '@agenticprimitives/types';
+import type { AuditSink } from '@agenticprimitives/audit';
+export type KmsBackend = 'local-aes' | 'aws-kms' | 'gcp-kms';
+/**
+ * H7-F.5 / PKG-KEY-CUSTODY-005 closure — opaque branded type for
+ * sensitive config values (raw private keys, KMS service-account JSON,
+ * session secrets, derivation masters, etc.).
+ *
+ * Previously `BuildOpts.config: Record<string, string>` shipped raw
+ * private keys + KMS service-account JSON as plain strings. A consumer
+ * who logged `opts.config` for debugging silently dumped the master
+ * private key to logs (and worse, to any structured-log backend that
+ * indexed it).
+ *
+ * `Secret<T>` is a `BrandedSecret` wrapper that:
+ *   - Cannot be `JSON.stringify`d to its underlying value (the brand
+ *     wins; the value field is non-enumerable + has a custom toJSON
+ *     that returns `'[redacted secret]'`).
+ *   - Cannot be `console.log`'d in a useful way (custom `inspect`
+ *     symbol + `Symbol.toPrimitive` return the redaction marker).
+ *   - Exposes the underlying value ONLY through {@link unwrapSecret}.
+ *
+ * Loaders (`loadSecret`, `loadSecretFromEnv`) are the only constructors.
+ * Existing `Record<string, string>` config still works (back-compat);
+ * new code should use the branded shape via `secretConfig`.
+ */
+declare const SECRET_BRAND: unique symbol;
+export interface Secret<T extends string = string> {
+    readonly [SECRET_BRAND]: true;
+    /** Phantom — for compile-time discrimination of value shapes. */
+    readonly _kind?: T;
+}
+/**
+ * Wrap a plain string as an opaque secret. The returned object will
+ * NOT survive `JSON.stringify`, `console.log`, or `util.inspect`.
+ */
+export declare function loadSecret<T extends string = string>(value: string): Secret<T>;
+/** Load a secret from a process env var. Throws if the var is missing or empty. */
+export declare function loadSecretFromEnv<T extends string = string>(name: string): Secret<T>;
+/** Unwrap a secret to its underlying string. Use AT THE LAST POSSIBLE MOMENT. */
+export declare function unwrapSecret<T extends string>(s: Secret<T>): string;
+/** Type guard. */
+export declare function isSecret<T extends string = string>(v: unknown): v is Secret<T>;
+export interface BuildOpts {
+    /**
+     * Backend selection. Recommended explicit value. When omitted, the
+     * factory falls back to `A2A_KMS_BACKEND` env, then to `local-aes` in
+     * development. In production with neither set, the factory THROWS at
+     * construction time (audit H1: no silent local-aes default).
+     */
+    backend?: KmsBackend;
+    /**
+     * Plain config bag (back-compat). H7-F.5 callers should prefer
+     * {@link secretConfig} for any value that's a private key, session
+     * secret, KMS service-account JSON, or derivation master.
+     */
+    config?: Record<string, string>;
+    /**
+     * H7-F.5 / PKG-KEY-CUSTODY-005 — sensitive config values wrapped in
+     * `Secret<T>` so they don't survive logging / JSON.stringify.
+     * Factories that need to unwrap call {@link unwrapSecret} at the
+     * latest possible moment + never store the unwrapped value.
+     */
+    secretConfig?: Record<string, Secret<string>>;
+    /**
+     * Optional audit sink threaded into signers so every signing op emits
+     * `key-custody.sign`. Consumers share one sink across all primitives
+     * so rows land in one trail. Fail-soft if the sink throws.
+     */
+    auditSink?: AuditSink;
+    /**
+     * Production-readiness gate (audit H1). Inverted default: factories
+     * treat the runtime as `'production'` unless either:
+     *   - `developmentMode: true` is set explicitly, or
+     *   - `process.env.NODE_ENV !== 'production'`.
+     * In production with no explicit backend AND no `A2A_KMS_BACKEND`
+     * env, the factory throws. Pass `environment: 'production'` to force
+     * production semantics in tests; pass `'development'` (or
+     * `developmentMode: true`) to opt into the dev fallback.
+     */
+    environment?: 'production' | 'development';
+    /** Shorthand for `environment: 'development'`. */
+    developmentMode?: boolean;
+}
+export interface A2AKeyProvider {
+    readonly keyVersion: string;
+    generateSessionDataKey(input: {
+        aadContext: Record<string, string>;
+    }): Promise<{
+        plaintextDataKey: Uint8Array;
+        encryptedDataKey: Uint8Array;
+        keyId: string;
+        keyVersion: string;
+    }>;
+    decryptSessionDataKey(input: {
+        encryptedDataKey: Uint8Array;
+        aadContext: Record<string, string>;
+        keyId: string;
+        keyVersion: string;
+    }): Promise<Uint8Array>;
+    signA2AAction?(input: {
+        digest: Uint8Array;
+        auditContext?: {
+            toolId?: string;
+            sessionId?: string;
+            actionId?: string;
+        };
+    }): Promise<{
+        signature: Uint8Array;
+        keyId: string;
+        signerAddress: Address;
+    }>;
+    generateMac?(input: {
+        canonicalMessage: Uint8Array;
+        service: string;
+        audience: string;
+    }): Promise<{
+        mac: Uint8Array;
+        keyId: string;
+    }>;
+}
+export interface KmsAccountBackend {
+    /**
+     * The concrete backend kind. `createKmsAccount` reads this so the
+     * emitted `provider` / `keyId` reflect the REAL backend (audit
+     * provenance), instead of a defaulted `'local-aes'` label that could
+     * mislabel a production GCP signer (audit F-6).
+     */
+    readonly provider: 'local-aes' | 'aws-kms' | 'gcp-kms';
+    signA2AAction: NonNullable<A2AKeyProvider['signA2AAction']>;
+    getSignerAddress(): Promise<Address>;
+}
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAE1D,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;AAE7D;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,QAAA,MAAM,YAAY,EAAE,OAAO,MAA+C,CAAC;AAE3E,MAAM,WAAW,MAAM,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM;IAC/C,QAAQ,CAAC,CAAC,YAAY,CAAC,EAAE,IAAI,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;CACpB;AAQD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAqB9E;AAED,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAWpF;AAED,iFAAiF;AACjF,wBAAgB,YAAY,CAAC,CAAC,SAAS,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAEnE;AAED,kBAAkB;AAClB,wBAAgB,QAAQ,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAE9E;AAED,MAAM,WAAW,SAAS;IACxB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9C;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,YAAY,GAAG,aAAa,CAAC;IAC3C,kDAAkD;IAClD,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,sBAAsB,CAAC,KAAK,EAAE;QAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACpC,GAAG,OAAO,CAAC;QACV,gBAAgB,EAAE,UAAU,CAAC;QAC7B,gBAAgB,EAAE,UAAU,CAAC;QAC7B,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;IACH,qBAAqB,CAAC,KAAK,EAAE;QAC3B,gBAAgB,EAAE,UAAU,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnC,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,aAAa,CAAC,CAAC,KAAK,EAAE;QACpB,MAAM,EAAE,UAAU,CAAC;QACnB,YAAY,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,MAAM,CAAC;YAAC,SAAS,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KAC3E,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC9E,WAAW,CAAC,CAAC,KAAK,EAAE;QAClB,gBAAgB,EAAE,UAAU,CAAC;QAC7B,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,EAAE,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;IACvD,aAAa,EAAE,WAAW,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,CAAC;IAC5D,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CACtC"}

package/dist/types.js

@@ -0,0 +1,70 @@
+/**
+ * H7-F.5 / PKG-KEY-CUSTODY-005 closure — opaque branded type for
+ * sensitive config values (raw private keys, KMS service-account JSON,
+ * session secrets, derivation masters, etc.).
+ *
+ * Previously `BuildOpts.config: Record<string, string>` shipped raw
+ * private keys + KMS service-account JSON as plain strings. A consumer
+ * who logged `opts.config` for debugging silently dumped the master
+ * private key to logs (and worse, to any structured-log backend that
+ * indexed it).
+ *
+ * `Secret<T>` is a `BrandedSecret` wrapper that:
+ *   - Cannot be `JSON.stringify`d to its underlying value (the brand
+ *     wins; the value field is non-enumerable + has a custom toJSON
+ *     that returns `'[redacted secret]'`).
+ *   - Cannot be `console.log`'d in a useful way (custom `inspect`
+ *     symbol + `Symbol.toPrimitive` return the redaction marker).
+ *   - Exposes the underlying value ONLY through {@link unwrapSecret}.
+ *
+ * Loaders (`loadSecret`, `loadSecretFromEnv`) are the only constructors.
+ * Existing `Record<string, string>` config still works (back-compat);
+ * new code should use the branded shape via `secretConfig`.
+ */
+const SECRET_BRAND = Symbol.for('agenticprimitives.secret');
+const REDACTED = '[redacted secret]';
+/**
+ * Wrap a plain string as an opaque secret. The returned object will
+ * NOT survive `JSON.stringify`, `console.log`, or `util.inspect`.
+ */
+export function loadSecret(value) {
+    const inner = {
+        [SECRET_BRAND]: true,
+        __value: value,
+        toJSON: () => REDACTED,
+        toString: () => REDACTED,
+        [Symbol.toPrimitive]: () => REDACTED,
+    };
+    // Hide `__value` from enumeration so naive iteration (Object.keys,
+    // spread, JSON.stringify) cannot reach it.
+    Object.defineProperty(inner, '__value', { enumerable: false, writable: false });
+    // Node's util.inspect honors this symbol.
+    Object.defineProperty(inner, Symbol.for('nodejs.util.inspect.custom'), {
+        enumerable: false,
+        value: () => REDACTED,
+    });
+    return inner;
+}
+/** Load a secret from a process env var. Throws if the var is missing or empty. */
+export function loadSecretFromEnv(name) {
+    let value;
+    try {
+        value = process.env?.[name];
+    }
+    catch {
+        /* SES / Workers may throw on process access */
+    }
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new Error(`[key-custody] loadSecretFromEnv: env var ${name} is missing or empty`);
+    }
+    return loadSecret(value);
+}
+/** Unwrap a secret to its underlying string. Use AT THE LAST POSSIBLE MOMENT. */
+export function unwrapSecret(s) {
+    return s.__value;
+}
+/** Type guard. */
+export function isSecret(v) {
+    return typeof v === 'object' && v !== null && v[SECRET_BRAND] === true;
+}
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,YAAY,GAAkB,MAAM,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;AAY3E,MAAM,QAAQ,GAAG,mBAA4B,CAAC;AAE9C;;;GAGG;AACH,MAAM,UAAU,UAAU,CAA4B,KAAa;IACjE,MAAM,KAAK,GAAsB;QAC/B,CAAC,YAAY,CAAC,EAAE,IAAI;QACpB,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ;QACtB,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ;QACxB,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,CAAC,QAAQ;KAKrC,CAAC;IACF,mEAAmE;IACnE,2CAA2C;IAC3C,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;IAChF,0CAA0C;IAC1C,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,EAAE;QACrE,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,GAAG,EAAE,CAAC,QAAQ;KACtB,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,iBAAiB,CAA4B,IAAY;IACvE,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,4CAA4C,IAAI,sBAAsB,CAAC,CAAC;IAC1F,CAAC;IACD,OAAO,UAAU,CAAI,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,YAAY,CAAmB,CAAY;IACzD,OAAQ,CAAuB,CAAC,OAAO,CAAC;AAC1C,CAAC;AAED,kBAAkB;AAClB,MAAM,UAAU,QAAQ,CAA4B,CAAU;IAC5D,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAK,CAAkC,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC;AAC3G,CAAC"}

package/package.json

@@ -0,0 +1,84 @@
+{
+  "name": "@agenticprimitives/key-custody",
+  "version": "0.1.0-alpha.2",
+  "description": "Pluggable envelope encryption + signers + HMAC providers (local-AES / AWS KMS / GCP KMS). Pure crypto primitives; no session lifecycle (that's in delegation).",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agentictrustlabs/agenticprimitives.git",
+    "directory": "packages/key-custody"
+  },
+  "homepage": "https://github.com/agentictrustlabs/agenticprimitives/tree/master/packages/key-custody",
+  "bugs": {
+    "url": "https://github.com/agentictrustlabs/agenticprimitives/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./local": {
+      "types": "./dist/providers/local.d.ts",
+      "import": "./dist/providers/local.js"
+    },
+    "./aws": {
+      "types": "./dist/providers/aws.d.ts",
+      "import": "./dist/providers/aws.js"
+    },
+    "./gcp": {
+      "types": "./dist/providers/gcp.d.ts",
+      "import": "./dist/providers/gcp.js"
+    },
+    "./mac": {
+      "types": "./dist/mac.d.ts",
+      "import": "./dist/mac.js"
+    },
+    "./kms-viem": {
+      "types": "./dist/kms-viem-account.d.ts",
+      "import": "./dist/kms-viem-account.js"
+    }
+  },
+  "files": [
+    "LICENSE",
+    "dist",
+    "spec.md",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:unit": "vitest run test/unit",
+    "test:integration": "vitest run test/integration --passWithNoTests",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@noble/curves": "^1.6.0",
+    "@noble/hashes": "^1.5.0"
+  },
+  "peerDependencies": {
+    "@agenticprimitives/audit": "workspace:*",
+    "@agenticprimitives/connect-auth": "workspace:*",
+    "@agenticprimitives/types": "workspace:*",
+    "viem": "^2.50.0"
+  },
+  "devDependencies": {
+    "vitest": "^2.1.0"
+  },
+  "keywords": [
+    "kms",
+    "aws-kms",
+    "gcp-kms",
+    "envelope-encryption",
+    "secp256k1",
+    "hmac",
+    "agentic"
+  ]
+}

package/spec.md

@@ -0,0 +1,6 @@
+# @agenticprimitives/key-custody — spec
+
+The authoritative specification lives at:
+**[`../../specs/203-key-custody.md`](../../specs/203-key-custody.md)**
+
+Do not edit a divergent copy here.