@agentunion/fastaun 0.4.5 → 0.4.6

package/dist/crypto.d.ts

@@ -36,6 +36,6 @@ export declare class CryptoProvider {
 /**
  * 统一的证书 SHA-256 指纹计算（对齐 Python certificate_sha256_fingerprint）。
  * 返回 "sha256:{hex}" 格式的指纹。
- * e2ee.ts 与 keystore/file.ts 共用此函数，避免两套实现不一致。
+ * e2ee.ts 与本地存储实现共用此函数，避免两套实现不一致。
  */
 export declare function certificateSha256Fingerprint(certPem: string | Buffer): string;

package/dist/crypto.js

@@ -54,7 +54,7 @@ export class CryptoProvider {
 /**
  * 统一的证书 SHA-256 指纹计算（对齐 Python certificate_sha256_fingerprint）。
  * 返回 "sha256:{hex}" 格式的指纹。
- * e2ee.ts 与 keystore/file.ts 共用此函数，避免两套实现不一致。
+ * e2ee.ts 与本地存储实现共用此函数，避免两套实现不一致。
  */
 export function certificateSha256Fingerprint(certPem) {
     const raw = Buffer.isBuffer(certPem) ? certPem : Buffer.from(certPem, 'utf-8');

package/dist/index.d.ts

@@ -13,8 +13,9 @@ export { AUNError, ConnectionError, TimeoutError, AuthError, PermissionError, Va
 export { EventDispatcher, Subscription, type EventHandler } from './events.js';
 export { ConnectionState, type JsonValue, type JsonObject, type RpcParams, type RpcResult, type RpcErrorObject, type RpcMessage, type GatewayEntry, type GatewayDiscoveryDocument, type KeyPairRecord, type MetadataRecord, type IdentityRecord, type SecretRecord, type Message, type SendResult, type AckResult, type PullResult, isJsonObject, } from './types.js';
 export { CryptoProvider, type IdentityKeyPair } from './crypto.js';
-export type { KeyStore } from './keystore/index.js';
-export { FileKeyStore } from './keystore/file.js';
+export type { KeyStore, TokenStore } from './keystore/index.js';
+export { LocalIdentityStore } from './keystore/local-identity-store.js';
+export { LocalTokenStore } from './keystore/local-token-store.js';
 export type { SecretStore } from './secret-store/index.js';
 export { createDefaultSecretStore } from './secret-store/index.js';
 export { FileSecretStore, SeedMigrationError, type SeedChangeResult } from './secret-store/file-store.js';

package/dist/index.js

@@ -19,7 +19,8 @@ export { EventDispatcher, Subscription } from './events.js';
 export { ConnectionState, isJsonObject, } from './types.js';
 // ── 密码学 ───────────────────────────────────────────────────
 export { CryptoProvider } from './crypto.js';
-export { FileKeyStore } from './keystore/file.js';
+export { LocalIdentityStore } from './keystore/local-identity-store.js';
+export { LocalTokenStore } from './keystore/local-token-store.js';
 export { createDefaultSecretStore } from './secret-store/index.js';
 export { FileSecretStore, SeedMigrationError } from './secret-store/file-store.js';
 // ── 传输层 ───────────────────────────────────────────────────

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,4DAA4D;AAC5D,OAAO,EAAE,SAAS,EAA0B,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,GAAG,EAAqB,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAkC,MAAM,gBAAgB,CAAC;AAC1E,OAAO,EAA+B,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE/E,8DAA8D;AAC9D,OAAO,EAAE,WAAW,EAAkB,aAAa,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAExF,4DAA4D;AAC5D,OAAO,EACL,QAAQ,EACR,eAAe,EACf,YAAY,EACZ,SAAS,EACT,eAAe,EACf,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,eAAe,EACf,SAAS,EACT,sBAAsB,EACtB,+BAA+B,EAC/B,uBAAuB,EACvB,2BAA2B,EAC3B,uBAAuB,EACvB,iBAAiB,EACjB,oBAAoB,EACpB,cAAc,GACf,MAAM,aAAa,CAAC;AAErB,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,YAAY,EAAqB,MAAM,aAAa,CAAC;AAE/E,8DAA8D;AAC9D,OAAO,EACL,eAAe,EAiBf,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB,6DAA6D;AAC7D,OAAO,EAAE,cAAc,EAAwB,MAAM,aAAa,CAAC;AAInE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIlD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAyB,MAAM,8BAA8B,CAAC;AAE1G,6DAA6D;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,8DAA8D;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,4DAA4D;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAE,YAAY,EAAuB,MAAM,oBAAoB,CAAC;AAEvE,gEAAgE;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D,gEAAgE;AAChE,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,GACf,MAAM,oBAAoB,CAAC;AAQ5B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAE9D,OAAO,EAAE,sBAAsB,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,4DAA4D;AAC5D,OAAO,EAAE,SAAS,EAA0B,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,GAAG,EAAqB,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAkC,MAAM,gBAAgB,CAAC;AAC1E,OAAO,EAA+B,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE/E,8DAA8D;AAC9D,OAAO,EAAE,WAAW,EAAkB,aAAa,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAExF,4DAA4D;AAC5D,OAAO,EACL,QAAQ,EACR,eAAe,EACf,YAAY,EACZ,SAAS,EACT,eAAe,EACf,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,eAAe,EACf,SAAS,EACT,sBAAsB,EACtB,+BAA+B,EAC/B,uBAAuB,EACvB,2BAA2B,EAC3B,uBAAuB,EACvB,iBAAiB,EACjB,oBAAoB,EACpB,cAAc,GACf,MAAM,aAAa,CAAC;AAErB,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,YAAY,EAAqB,MAAM,aAAa,CAAC;AAE/E,8DAA8D;AAC9D,OAAO,EACL,eAAe,EAiBf,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB,6DAA6D;AAC7D,OAAO,EAAE,cAAc,EAAwB,MAAM,aAAa,CAAC;AAInE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAIlE,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAyB,MAAM,8BAA8B,CAAC;AAE1G,6DAA6D;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,8DAA8D;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,4DAA4D;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAE,YAAY,EAAuB,MAAM,oBAAoB,CAAC;AAEvE,gEAAgE;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D,gEAAgE;AAChE,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,GACf,MAAM,oBAAoB,CAAC;AAQ5B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAE9D,OAAO,EAAE,sBAAsB,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/keystore/index.d.ts

@@ -62,6 +62,12 @@ export interface TokenStore {
 }
 /** 私钥/完整身份存储接口，仅 AIDStore / RegisterFlow 持有。 */
 export interface KeyStore {
+    /** 加载证书 */
+    loadCert(aid: string, certFingerprint?: string): string | null;
+    /** 保存证书 */
+    saveCert(aid: string, certPem: string, certFingerprint?: string, opts?: {
+        makeActive?: boolean;
+    }): void;
     /** 加载密钥对 */
     loadKeyPair(aid: string): KeyPairRecord | null;
     /** 保存密钥对 */
@@ -89,5 +95,3 @@ export interface KeyStore {
     /** 列出所有已存储的 AID */
     listIdentities?(): string[];
 }
-/** 物理实现通常同时实现 TokenStore 与 KeyStore；注册流程显式要求组合类型。 */
-export type FullKeyStore = TokenStore & KeyStore;

package/dist/keystore/local-identity-store.d.ts

@@ -0,0 +1,70 @@
+/**
+ * LocalIdentityStore — 基于文件系统 + SQLite 的 KeyStore 实现（含私钥操作）。
+ * AIDStore / RegisterFlow 持有此类型。
+ */
+import type { KeyStore } from './index.js';
+import type { SecretStore } from '../secret-store/index.js';
+import type { ModuleLogger } from '../logger.js';
+import { type SeedChangeResult } from '../secret-store/file-store.js';
+import { type IdentityRecord, type KeyPairRecord, type MetadataRecord } from '../types.js';
+export declare class LocalIdentityStore implements KeyStore {
+    private _root;
+    private _aidsRoot;
+    private _secretStore;
+    private _aidDBs;
+    readonly deviceId: string;
+    private _logger;
+    constructor(root?: string, opts?: {
+        secretStore?: SecretStore;
+        encryptionSeed?: string;
+        logger?: ModuleLogger;
+        secretStoreLogger?: ModuleLogger;
+    });
+    close(): void;
+    static ChangeSeed(root: string, oldSeed: string, newSeed: string): SeedChangeResult;
+    changeSeed(oldSeed: string, newSeed: string): SeedChangeResult;
+    private _prepareRoot;
+    private _getDB;
+    loadKeyPair(aid: string): KeyPairRecord | null;
+    saveKeyPair(aid: string, keyPair: KeyPairRecord): void;
+    private _saveKeyPairAtPath;
+    private _restoreKeyPair;
+    loadCert(aid: string, certFingerprint?: string): string | null;
+    saveCert(aid: string, certPem: string, certFingerprint?: string, opts?: {
+        makeActive?: boolean;
+    }): void;
+    private _normalizeCertFingerprint;
+    loadIdentity(aid: string): IdentityRecord | null;
+    saveIdentity(aid: string, identity: IdentityRecord): void;
+    loadAnyIdentity(): IdentityRecord | null;
+    listIdentities(): string[];
+    loadMetadata(aid: string): Record<string, unknown> | null;
+    saveMetadata(aid: string, metadata: Record<string, unknown>): void;
+    loadInstanceState(aid: string, deviceId: string, slotId?: string): MetadataRecord | null;
+    saveInstanceState(aid: string, deviceId: string, slotId: string, state: MetadataRecord): void;
+    saveSeq(aid: string, deviceId: string, slotId: string, namespace: string, contiguousSeq: number): void;
+    loadSeq(aid: string, deviceId: string, slotId: string, namespace: string): number;
+    loadAllSeqs(aid: string, deviceId: string, slotId: string): Record<string, number>;
+    trustRootDir(): string;
+    trustRootBundlePath(): string;
+    saveTrustRoots(trustList: Record<string, unknown>, rootCerts: Array<{
+        id?: string;
+        cert_pem: string;
+        fingerprint_sha256?: string;
+    }>): string;
+    saveIssuerRootCert(issuer: string, certPem: string, fingerprintSha256?: string): [string, string];
+    private _pemFingerprint;
+    pendingIdentityDir(aid: string): string;
+    listPendingIdentityDirs(aid: string): string[];
+    savePendingKeyPair(pendingDir: string, aid: string, keyPair: KeyPairRecord): void;
+    loadPendingKeyPair(pendingDir: string, aid: string): KeyPairRecord | null;
+    savePendingCert(pendingDir: string, certPem: string): void;
+    promotePendingIdentity(pendingDir: string, aid: string): string;
+    discardPendingIdentity(pendingDir: string): void;
+    cleanupPendingDirs(maxAgeMs?: number): number;
+    private _ensurePendingKeyPairProtected;
+    private _pendingRoot;
+    private _keyPairPath;
+    private _certPath;
+    private _certVersionPath;
+}

package/dist/keystore/local-identity-store.js

@@ -0,0 +1,525 @@
+/**
+ * LocalIdentityStore — 基于文件系统 + SQLite 的 KeyStore 实现（含私钥操作）。
+ * AIDStore / RegisterFlow 持有此类型。
+ */
+import * as crypto from 'node:crypto';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync, chmodSync, renameSync, unlinkSync, rmSync as fsRmSync, renameSync as fsRenameSync, statSync, } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { homedir } from 'node:os';
+import { AIDDatabase } from './aid-db.js';
+import { getDeviceId } from '../config.js';
+import { certificateSha256Fingerprint } from '../crypto.js';
+import { createDefaultSecretStore } from '../secret-store/index.js';
+import { FileSecretStore } from '../secret-store/file-store.js';
+import { isJsonObject, } from '../types.js';
+const _noopLogger = { error: () => { }, warn: () => { }, info: () => { }, debug: () => { } };
+function secureFilePermissions(path) {
+    if (process.platform !== 'win32') {
+        try {
+            chmodSync(path, 0o600);
+        }
+        catch { /* ignore */ }
+    }
+}
+function replaceFileSync(tmpPath, targetPath) {
+    try {
+        renameSync(tmpPath, targetPath);
+        return;
+    }
+    catch (renameErr) {
+        try {
+            unlinkSync(targetPath);
+        }
+        catch (unlinkErr) {
+            if (unlinkErr.code !== 'ENOENT') {
+                throw new Error(`replace target cleanup failed: ${unlinkErr instanceof Error ? unlinkErr.message : String(unlinkErr)}`);
+            }
+        }
+        renameSync(tmpPath, targetPath);
+    }
+}
+function safeAid(aid) {
+    return aid.replace(/[/\\:]/g, '_');
+}
+export class LocalIdentityStore {
+    _root;
+    _aidsRoot;
+    _secretStore;
+    _aidDBs = new Map();
+    deviceId;
+    _logger;
+    constructor(root, opts) {
+        this._logger = opts?.logger ?? _noopLogger;
+        const preferred = root ?? join(homedir(), '.aun');
+        const fallback = join(process.cwd(), '.aun');
+        this._root = this._prepareRoot(preferred, fallback);
+        this._secretStore = opts?.secretStore ?? createDefaultSecretStore(this._root, opts?.encryptionSeed, undefined, { logger: opts?.secretStoreLogger ?? this._logger });
+        this._aidsRoot = join(this._root, 'AIDs');
+        mkdirSync(this._aidsRoot, { recursive: true });
+        this.deviceId = getDeviceId(this._root);
+    }
+    close() {
+        for (const db of this._aidDBs.values())
+            db.close();
+        this._aidDBs.clear();
+    }
+    static ChangeSeed(root, oldSeed, newSeed) {
+        return FileSecretStore.changeSeed(root, oldSeed, newSeed);
+    }
+    changeSeed(oldSeed, newSeed) {
+        this.close();
+        const result = FileSecretStore.changeSeed(this._root, oldSeed, newSeed, { logger: this._logger });
+        this._secretStore = createDefaultSecretStore(this._root, newSeed, undefined, { logger: this._logger });
+        return result;
+    }
+    _prepareRoot(preferred, fallback) {
+        try {
+            mkdirSync(preferred, { recursive: true });
+            return preferred;
+        }
+        catch {
+            this._logger.warn(`preferred path ${preferred} unavailable, falling back to ${fallback}`);
+            mkdirSync(fallback, { recursive: true });
+            return fallback;
+        }
+    }
+    _getDB(aid) {
+        const safe = safeAid(aid);
+        let db = this._aidDBs.get(safe);
+        if (!db) {
+            const dbPath = join(this._aidsRoot, safe, 'aun.db');
+            try {
+                db = new AIDDatabase(dbPath, this._secretStore, safe, this._logger);
+            }
+            catch (exc) {
+                this._logger.warn(`database corrupted, backing up and rebuilding: aid=${aid} err=${exc instanceof Error ? exc.message : String(exc)}`);
+                const ts = new Date().toISOString().replace(/[:.]/g, '-');
+                const bakPath = dbPath + `.corrupt_${ts}.bak`;
+                try {
+                    renameSync(dbPath, bakPath);
+                }
+                catch (renameErr) {
+                    this._logger.warn(`backup rename failed: ${renameErr instanceof Error ? renameErr.message : String(renameErr)}`);
+                }
+                for (const suffix of ['-wal', '-shm', '-journal']) {
+                    try {
+                        unlinkSync(dbPath + suffix);
+                    }
+                    catch { /* ignore */ }
+                }
+                db = new AIDDatabase(dbPath, this._secretStore, safe, this._logger);
+            }
+            this._aidDBs.set(safe, db);
+        }
+        return db;
+    }
+    // ── KeyPair ──────────────────────────────────────────────
+    loadKeyPair(aid) {
+        const path = this._keyPairPath(aid);
+        if (!existsSync(path))
+            return null;
+        let raw;
+        try {
+            raw = JSON.parse(readFileSync(path, 'utf-8'));
+        }
+        catch {
+            this._logger.warn('key.json read or parse failed, treating as non-existent');
+            return null;
+        }
+        return this._restoreKeyPair(aid, raw, path);
+    }
+    saveKeyPair(aid, keyPair) {
+        this._saveKeyPairAtPath(aid, this._keyPairPath(aid), keyPair);
+    }
+    _saveKeyPairAtPath(aid, path, keyPair) {
+        mkdirSync(dirname(path), { recursive: true });
+        const protected_ = JSON.parse(JSON.stringify(keyPair));
+        const pem = protected_.private_key_pem;
+        if (typeof pem === 'string' && pem) {
+            delete protected_.private_key_pem;
+            const rec = this._secretStore.protect(safeAid(aid), 'identity/private_key', Buffer.from(pem, 'utf-8'));
+            protected_.private_key_protection = rec;
+        }
+        const tmpPath = `${path}.tmp-${process.pid}-${Date.now()}-${crypto.randomBytes(4).toString('hex')}`;
+        writeFileSync(tmpPath, JSON.stringify(protected_, null, 2), { mode: 0o600 });
+        secureFilePermissions(tmpPath);
+        try {
+            replaceFileSync(tmpPath, path);
+        }
+        catch (exc) {
+            try {
+                unlinkSync(tmpPath);
+            }
+            catch { /* ignore */ }
+            throw exc;
+        }
+        secureFilePermissions(path);
+    }
+    _restoreKeyPair(aid, kp, persistPath) {
+        const out = JSON.parse(JSON.stringify(kp));
+        const rec = out.private_key_protection;
+        if (isJsonObject(rec)) {
+            const plain = this._secretStore.reveal(safeAid(aid), 'identity/private_key', rec);
+            if (!plain)
+                throw new Error(`private key decrypt failed for aid ${aid}: seed_password mismatch or key.json corrupted`);
+            out.private_key_pem = plain.toString('utf-8');
+            return out;
+        }
+        if (persistPath && typeof out.private_key_pem === 'string' && out.private_key_pem) {
+            this._saveKeyPairAtPath(aid, persistPath, out);
+        }
+        return out;
+    }
+    // ── Cert ─────────────────────────────────────────────────
+    loadCert(aid, certFingerprint) {
+        try {
+            const norm = this._normalizeCertFingerprint(certFingerprint);
+            if (norm) {
+                const vp = this._certVersionPath(aid, norm);
+                if (existsSync(vp))
+                    return readFileSync(vp, 'utf-8');
+                const active = this._certPath(aid);
+                if (existsSync(active)) {
+                    const certPem = readFileSync(active, 'utf-8');
+                    if (certificateSha256Fingerprint(certPem) === norm)
+                        return certPem;
+                }
+                return null;
+            }
+            const path = this._certPath(aid);
+            return existsSync(path) ? readFileSync(path, 'utf-8') : null;
+        }
+        catch {
+            this._logger.warn('cert.pem read failed, treating as non-existent');
+            return null;
+        }
+    }
+    saveCert(aid, certPem, certFingerprint, opts) {
+        const norm = this._normalizeCertFingerprint(certFingerprint);
+        if (norm) {
+            const vp = this._certVersionPath(aid, norm);
+            mkdirSync(dirname(vp), { recursive: true });
+            writeFileSync(vp, certPem);
+            if (!opts?.makeActive)
+                return;
+        }
+        const path = this._certPath(aid);
+        mkdirSync(dirname(path), { recursive: true });
+        writeFileSync(path, certPem);
+    }
+    _normalizeCertFingerprint(fp) {
+        const v = String(fp ?? '').trim().toLowerCase();
+        if (!v.startsWith('sha256:') || v.length !== 71)
+            return '';
+        if (/[^0-9a-f]/.test(v.slice(7)))
+            return '';
+        return v;
+    }
+    // ── Identity ─────────────────────────────────────────────
+    loadIdentity(aid) {
+        const identityDir = join(this._aidsRoot, safeAid(aid));
+        if (!existsSync(identityDir))
+            return null;
+        const kp = this.loadKeyPair(aid);
+        const cert = this.loadCert(aid);
+        const db = this._getDB(aid);
+        const kv = db.getAllMetadata();
+        const hasMeta = Object.keys(kv).length > 0;
+        if (!kp && !cert && !hasMeta)
+            return null;
+        const identity = {};
+        for (const [k, v] of Object.entries(kv)) {
+            try {
+                identity[k] = JSON.parse(v);
+            }
+            catch {
+                identity[k] = v;
+            }
+        }
+        if (kp)
+            Object.assign(identity, kp);
+        if (cert) {
+            const localPubB64 = kp?.public_key_der_b64;
+            if (typeof localPubB64 === 'string' && localPubB64) {
+                try {
+                    const x = new crypto.X509Certificate(cert);
+                    const certPubDer = x.publicKey.export({ type: 'spki', format: 'der' });
+                    const localPubDer = Buffer.from(localPubB64, 'base64');
+                    if (!certPubDer.equals(localPubDer)) {
+                        this._logger.error('key.json public key does not match cert.pem public key, discarding cert');
+                    }
+                    else {
+                        identity.cert = cert;
+                    }
+                }
+                catch {
+                    identity.cert = cert;
+                }
+            }
+            else {
+                identity.cert = cert;
+            }
+        }
+        return identity;
+    }
+    saveIdentity(aid, identity) {
+        const kp = {};
+        for (const k of ['private_key_pem', 'public_key_der_b64', 'curve']) {
+            if (k in identity)
+                kp[k] = identity[k];
+        }
+        if (Object.keys(kp).length > 0)
+            this.saveKeyPair(aid, kp);
+        if (typeof identity.cert === 'string' && identity.cert)
+            this.saveCert(aid, identity.cert);
+        const db = this._getDB(aid);
+        const skip = new Set(['private_key_pem', 'public_key_der_b64', 'curve', 'cert']);
+        for (const [k, v] of Object.entries(identity)) {
+            if (skip.has(k))
+                continue;
+            db.setMetadata(k, JSON.stringify(v));
+        }
+    }
+    loadAnyIdentity() {
+        if (!existsSync(this._aidsRoot))
+            return null;
+        for (const entry of readdirSync(this._aidsRoot, { withFileTypes: true })) {
+            if (!entry.isDirectory() || entry.name.startsWith('_'))
+                continue;
+            const identity = this.loadIdentity(entry.name);
+            if (identity)
+                return identity;
+        }
+        return null;
+    }
+    listIdentities() {
+        if (!existsSync(this._aidsRoot))
+            return [];
+        const aids = [];
+        for (const entry of readdirSync(this._aidsRoot, { withFileTypes: true })) {
+            if (!entry.isDirectory() || entry.name.startsWith('_'))
+                continue;
+            aids.push(entry.name);
+        }
+        return aids;
+    }
+    loadMetadata(aid) {
+        try {
+            const dbPath = join(this._aidsRoot, safeAid(aid), 'aun.db');
+            if (!existsSync(dbPath))
+                return null;
+            const kv = this._getDB(aid).getAllMetadata();
+            if (Object.keys(kv).length === 0)
+                return null;
+            const result = {};
+            for (const [k, v] of Object.entries(kv)) {
+                try {
+                    result[k] = JSON.parse(v);
+                }
+                catch {
+                    result[k] = v;
+                }
+            }
+            return result;
+        }
+        catch {
+            return null;
+        }
+    }
+    saveMetadata(aid, metadata) {
+        const db = this._getDB(aid);
+        for (const [k, v] of Object.entries(metadata)) {
+            if (v === undefined) {
+                db.deleteMetadata(k);
+                continue;
+            }
+            db.setMetadata(k, JSON.stringify(v));
+        }
+    }
+    // ── Instance State ───────────────────────────────────────
+    loadInstanceState(aid, deviceId, slotId = '') {
+        return this._getDB(aid).loadInstanceState(deviceId, slotId);
+    }
+    saveInstanceState(aid, deviceId, slotId, state) {
+        this._getDB(aid).saveInstanceState(deviceId, slotId, state);
+    }
+    // ── Seq Tracker ───────────────────────────────────────────
+    saveSeq(aid, deviceId, slotId, namespace, contiguousSeq) {
+        this._getDB(aid).saveSeq(deviceId, slotId, namespace, contiguousSeq);
+    }
+    loadSeq(aid, deviceId, slotId, namespace) {
+        return this._getDB(aid).loadSeq(deviceId, slotId, namespace);
+    }
+    loadAllSeqs(aid, deviceId, slotId) {
+        return this._getDB(aid).loadAllSeqs(deviceId, slotId);
+    }
+    // ── 信任根管理 ─────────────────────────────────────────────
+    trustRootDir() {
+        const dir = join(this._root, 'CA', 'root');
+        mkdirSync(dir, { recursive: true });
+        return dir;
+    }
+    trustRootBundlePath() {
+        return join(this.trustRootDir(), 'trust-roots.pem');
+    }
+    saveTrustRoots(trustList, rootCerts) {
+        const dir = this.trustRootDir();
+        for (let i = 0; i < rootCerts.length; i++) {
+            const item = rootCerts[i];
+            const certId = item.id || item.fingerprint_sha256 || `root-${i + 1}`;
+            writeFileSync(join(dir, `${certId.replace(/[^A-Za-z0-9_.-]+/g, '_').slice(0, 120)}.crt`), item.cert_pem, 'utf-8');
+        }
+        const bundlePath = this.trustRootBundlePath();
+        writeFileSync(bundlePath, rootCerts.map(i => i.cert_pem.trim()).join('\n') + '\n', 'utf-8');
+        writeFileSync(join(dir, 'trust-roots.json'), JSON.stringify(trustList, null, 2), 'utf-8');
+        return bundlePath;
+    }
+    saveIssuerRootCert(issuer, certPem, fingerprintSha256 = '') {
+        const dir = this.trustRootDir();
+        const issuersDir = join(dir, 'issuers');
+        mkdirSync(issuersDir, { recursive: true });
+        const certPath = join(issuersDir, `${(issuer || 'issuer').replace(/[^A-Za-z0-9_.-]+/g, '_').slice(0, 120)}.root.crt`);
+        const normalizedPem = certPem.trim() + '\n';
+        writeFileSync(certPath, normalizedPem, 'utf-8');
+        const bundlePath = this.trustRootBundlePath();
+        const existingPems = new Map();
+        try {
+            for (const pem of readFileSync(bundlePath, 'utf-8').split(/(?<=-----END CERTIFICATE-----)\s*/).map(s => s.trim()).filter(s => s.startsWith('-----BEGIN CERTIFICATE-----'))) {
+                existingPems.set(this._pemFingerprint(pem), pem);
+            }
+        }
+        catch { /* ignore */ }
+        const newFp = fingerprintSha256 ? fingerprintSha256.toLowerCase().replace(/^sha256:/, '') : this._pemFingerprint(normalizedPem);
+        existingPems.set(newFp, normalizedPem);
+        writeFileSync(bundlePath, Array.from(existingPems.values()).map(p => p.trim()).join('\n') + '\n', 'utf-8');
+        return [certPath, bundlePath];
+    }
+    _pemFingerprint(pem) {
+        try {
+            const der = pem.replace(/-----[A-Z ]+-----/g, '').replace(/\s/g, '');
+            return crypto.createHash('sha256').update(Buffer.from(der, 'base64')).digest('hex');
+        }
+        catch {
+            return crypto.createHash('sha256').update(pem, 'utf-8').digest('hex');
+        }
+    }
+    // ── Pending 身份管理 ─────────────────────────────────────
+    pendingIdentityDir(aid) {
+        const nonce = crypto.randomBytes(4).toString('hex');
+        const ts = Math.floor(Date.now() / 1000);
+        const dir = join(this._pendingRoot(), `${safeAid(aid)}-${nonce}-${ts}`);
+        mkdirSync(join(dir, 'private'), { recursive: true });
+        mkdirSync(join(dir, 'public'), { recursive: true });
+        return dir;
+    }
+    listPendingIdentityDirs(aid) {
+        const root = this._pendingRoot();
+        if (!existsSync(root))
+            return [];
+        const prefix = `${safeAid(aid)}-`;
+        const items = [];
+        for (const entry of readdirSync(root, { withFileTypes: true })) {
+            if (!entry.isDirectory() || !entry.name.startsWith(prefix))
+                continue;
+            const path = join(root, entry.name);
+            try {
+                items.push({ path, mtimeMs: statSync(path).mtimeMs });
+            }
+            catch { /* ignore */ }
+        }
+        return items.sort((a, b) => b.mtimeMs - a.mtimeMs).map(item => item.path);
+    }
+    savePendingKeyPair(pendingDir, aid, keyPair) {
+        this._saveKeyPairAtPath(aid, join(pendingDir, 'private', 'key.json'), keyPair);
+    }
+    loadPendingKeyPair(pendingDir, aid) {
+        const keyPath = join(pendingDir, 'private', 'key.json');
+        if (!existsSync(keyPath))
+            return null;
+        let raw;
+        try {
+            raw = JSON.parse(readFileSync(keyPath, 'utf-8'));
+        }
+        catch {
+            return null;
+        }
+        return this._restoreKeyPair(aid, raw, keyPath);
+    }
+    savePendingCert(pendingDir, certPem) {
+        const certPath = join(pendingDir, 'public', 'cert.pem');
+        mkdirSync(dirname(certPath), { recursive: true });
+        writeFileSync(certPath, certPem, { encoding: 'utf-8', mode: 0o600 });
+    }
+    promotePendingIdentity(pendingDir, aid) {
+        this._ensurePendingKeyPairProtected(pendingDir, aid);
+        const target = join(this._aidsRoot, safeAid(aid));
+        if (existsSync(target))
+            throw new Error(`promotePendingIdentity: target exists: ${target}`);
+        const safe = safeAid(aid);
+        const db = this._aidDBs.get(safe);
+        if (db) {
+            try {
+                db.close();
+            }
+            catch { /* ignore */ }
+            this._aidDBs.delete(safe);
+        }
+        mkdirSync(this._aidsRoot, { recursive: true });
+        fsRenameSync(pendingDir, target);
+        return target;
+    }
+    discardPendingIdentity(pendingDir) {
+        fsRmSync(pendingDir, { recursive: true, force: true });
+    }
+    cleanupPendingDirs(maxAgeMs = 600_000) {
+        const root = this._pendingRoot();
+        if (!existsSync(root))
+            return 0;
+        let removed = 0;
+        const now = Date.now();
+        try {
+            for (const entry of readdirSync(root, { withFileTypes: true })) {
+                if (!entry.isDirectory())
+                    continue;
+                const path = join(root, entry.name);
+                try {
+                    if (now - statSync(path).mtimeMs < maxAgeMs)
+                        continue;
+                    fsRmSync(path, { recursive: true, force: true });
+                    removed++;
+                }
+                catch (e) {
+                    this._logger.warn(`cleanupPendingDirs entry failed: ${path} err=${e instanceof Error ? e.message : String(e)}`);
+                }
+            }
+        }
+        catch (e) {
+            this._logger.warn(`cleanupPendingDirs read root failed: ${root} err=${e instanceof Error ? e.message : String(e)}`);
+        }
+        return removed;
+    }
+    _ensurePendingKeyPairProtected(pendingDir, aid) {
+        const keyPath = join(pendingDir, 'private', 'key.json');
+        if (!existsSync(keyPath))
+            throw new Error(`pending identity missing key pair for ${aid}`);
+        const raw = JSON.parse(readFileSync(keyPath, 'utf-8'));
+        if (typeof raw.private_key_pem === 'string' && raw.private_key_pem)
+            throw new Error(`pending identity private key is plaintext for ${aid}`);
+        if (!isJsonObject(raw.private_key_protection))
+            throw new Error(`pending identity private key is not encrypted for ${aid}`);
+    }
+    _pendingRoot() {
+        return join(this._aidsRoot, '_pending');
+    }
+    // ── 路径辅助 ─────────────────────────────────────────────
+    _keyPairPath(aid) {
+        return join(this._aidsRoot, safeAid(aid), 'private', 'key.json');
+    }
+    _certPath(aid) {
+        return join(this._aidsRoot, safeAid(aid), 'public', 'cert.pem');
+    }
+    _certVersionPath(aid, fp) {
+        return join(this._aidsRoot, safeAid(aid), 'public', 'certs', `${fp.replace(/:/g, '_')}.pem`);
+    }
+}
+//# sourceMappingURL=local-identity-store.js.map