@attested-intelligence/aga-mcp-server 2.1.0 → 2.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +209 -124
- package/dist/adapters/openclaw.d.ts +0 -1
- package/dist/adapters/openclaw.d.ts.map +1 -1
- package/dist/adapters/openclaw.js +0 -1
- package/dist/adapters/openclaw.js.map +1 -1
- package/dist/core/bundle.d.ts +9 -2
- package/dist/core/bundle.d.ts.map +1 -1
- package/dist/core/bundle.js +16 -2
- package/dist/core/bundle.js.map +1 -1
- package/dist/core/identity.d.ts +19 -10
- package/dist/core/identity.d.ts.map +1 -1
- package/dist/core/identity.js +45 -11
- package/dist/core/identity.js.map +1 -1
- package/dist/core/portal.d.ts +10 -1
- package/dist/core/portal.d.ts.map +1 -1
- package/dist/core/portal.js +16 -12
- package/dist/core/portal.js.map +1 -1
- package/dist/core/types.d.ts +29 -2
- package/dist/core/types.d.ts.map +1 -1
- package/dist/crypto/index.d.ts +5 -6
- package/dist/crypto/index.d.ts.map +1 -1
- package/dist/crypto/index.js +5 -6
- package/dist/crypto/index.js.map +1 -1
- package/dist/crypto/sign.d.ts +2 -0
- package/dist/crypto/sign.d.ts.map +1 -1
- package/dist/crypto/sign.js +6 -0
- package/dist/crypto/sign.js.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/middleware/governance.d.ts +7 -1
- package/dist/middleware/governance.d.ts.map +1 -1
- package/dist/middleware/governance.js +18 -11
- package/dist/middleware/governance.js.map +1 -1
- package/dist/proxy/evaluator.d.ts +0 -1
- package/dist/proxy/evaluator.d.ts.map +1 -1
- package/dist/proxy/evaluator.js +0 -1
- package/dist/proxy/evaluator.js.map +1 -1
- package/dist/proxy/index.d.ts +0 -1
- package/dist/proxy/index.d.ts.map +1 -1
- package/dist/proxy/index.js +0 -1
- package/dist/proxy/index.js.map +1 -1
- package/dist/proxy/profiles.d.ts +0 -1
- package/dist/proxy/profiles.d.ts.map +1 -1
- package/dist/proxy/profiles.js +0 -1
- package/dist/proxy/profiles.js.map +1 -1
- package/dist/proxy/server.d.ts +0 -1
- package/dist/proxy/server.d.ts.map +1 -1
- package/dist/proxy/server.js +0 -1
- package/dist/proxy/server.js.map +1 -1
- package/dist/proxy/stdio-bridge.d.ts +0 -1
- package/dist/proxy/stdio-bridge.d.ts.map +1 -1
- package/dist/proxy/stdio-bridge.js +0 -1
- package/dist/proxy/stdio-bridge.js.map +1 -1
- package/dist/proxy/types.d.ts +0 -1
- package/dist/proxy/types.d.ts.map +1 -1
- package/dist/proxy/types.js +0 -1
- package/dist/proxy/types.js.map +1 -1
- package/dist/proxy/verify.d.ts +0 -1
- package/dist/proxy/verify.d.ts.map +1 -1
- package/dist/proxy/verify.js +0 -1
- package/dist/proxy/verify.js.map +1 -1
- package/dist/server.d.ts +7 -3
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +342 -214
- package/dist/server.js.map +1 -1
- package/dist/storage/sqlite.js +6 -6
- package/package.json +28 -12
- package/dist/context.d.ts +0 -39
- package/dist/context.d.ts.map +0 -1
- package/dist/context.js +0 -113
- package/dist/context.js.map +0 -1
- package/dist/core/measurement.d.ts +0 -16
- package/dist/core/measurement.d.ts.map +0 -1
- package/dist/core/measurement.js +0 -18
- package/dist/core/measurement.js.map +0 -1
- package/dist/crypto/canonicalize.d.ts +0 -7
- package/dist/crypto/canonicalize.d.ts.map +0 -1
- package/dist/crypto/canonicalize.js +0 -21
- package/dist/crypto/canonicalize.js.map +0 -1
- package/dist/crypto/keys.d.ts +0 -10
- package/dist/crypto/keys.d.ts.map +0 -1
- package/dist/crypto/keys.js +0 -19
- package/dist/crypto/keys.js.map +0 -1
- package/dist/prompts/drift-analysis.d.ts +0 -13
- package/dist/prompts/drift-analysis.d.ts.map +0 -1
- package/dist/prompts/drift-analysis.js +0 -43
- package/dist/prompts/drift-analysis.js.map +0 -1
- package/dist/prompts/governance-report.d.ts +0 -7
- package/dist/prompts/governance-report.d.ts.map +0 -1
- package/dist/prompts/governance-report.js +0 -26
- package/dist/prompts/governance-report.js.map +0 -1
- package/dist/prompts/nccoe-demo.d.ts +0 -14
- package/dist/prompts/nccoe-demo.d.ts.map +0 -1
- package/dist/prompts/nccoe-demo.js +0 -47
- package/dist/prompts/nccoe-demo.js.map +0 -1
- package/dist/resources/cosai-mapping.d.ts +0 -24
- package/dist/resources/cosai-mapping.d.ts.map +0 -1
- package/dist/resources/cosai-mapping.js +0 -127
- package/dist/resources/cosai-mapping.js.map +0 -1
- package/dist/resources/crypto-primitives.d.ts +0 -3
- package/dist/resources/crypto-primitives.d.ts.map +0 -1
- package/dist/resources/crypto-primitives.js +0 -52
- package/dist/resources/crypto-primitives.js.map +0 -1
- package/dist/resources/sample-bundle.d.ts +0 -6
- package/dist/resources/sample-bundle.d.ts.map +0 -1
- package/dist/resources/sample-bundle.js +0 -58
- package/dist/resources/sample-bundle.js.map +0 -1
- package/dist/resources/specification.d.ts +0 -3
- package/dist/resources/specification.d.ts.map +0 -1
- package/dist/resources/specification.js +0 -161
- package/dist/resources/specification.js.map +0 -1
- package/dist/tools/create-artifact.d.ts +0 -25
- package/dist/tools/create-artifact.d.ts.map +0 -1
- package/dist/tools/create-artifact.js +0 -85
- package/dist/tools/create-artifact.js.map +0 -1
- package/dist/tools/delegate-subagent.d.ts +0 -18
- package/dist/tools/delegate-subagent.d.ts.map +0 -1
- package/dist/tools/delegate-subagent.js +0 -50
- package/dist/tools/delegate-subagent.js.map +0 -1
- package/dist/tools/disclose-claim.d.ts +0 -14
- package/dist/tools/disclose-claim.d.ts.map +0 -1
- package/dist/tools/disclose-claim.js +0 -23
- package/dist/tools/disclose-claim.js.map +0 -1
- package/dist/tools/export-bundle.d.ts +0 -8
- package/dist/tools/export-bundle.d.ts.map +0 -1
- package/dist/tools/export-bundle.js +0 -25
- package/dist/tools/export-bundle.js.map +0 -1
- package/dist/tools/full-lifecycle.d.ts +0 -16
- package/dist/tools/full-lifecycle.d.ts.map +0 -1
- package/dist/tools/full-lifecycle.js +0 -121
- package/dist/tools/full-lifecycle.js.map +0 -1
- package/dist/tools/generate-receipt.d.ts +0 -16
- package/dist/tools/generate-receipt.d.ts.map +0 -1
- package/dist/tools/generate-receipt.js +0 -31
- package/dist/tools/generate-receipt.js.map +0 -1
- package/dist/tools/get-chain.d.ts +0 -14
- package/dist/tools/get-chain.d.ts.map +0 -1
- package/dist/tools/get-chain.js +0 -45
- package/dist/tools/get-chain.js.map +0 -1
- package/dist/tools/get-portal-state.d.ts +0 -8
- package/dist/tools/get-portal-state.d.ts.map +0 -1
- package/dist/tools/get-portal-state.js +0 -15
- package/dist/tools/get-portal-state.js.map +0 -1
- package/dist/tools/init-chain.d.ts +0 -10
- package/dist/tools/init-chain.d.ts.map +0 -1
- package/dist/tools/init-chain.js +0 -13
- package/dist/tools/init-chain.js.map +0 -1
- package/dist/tools/measure-behavior.d.ts +0 -12
- package/dist/tools/measure-behavior.d.ts.map +0 -1
- package/dist/tools/measure-behavior.js +0 -29
- package/dist/tools/measure-behavior.js.map +0 -1
- package/dist/tools/measure-subject.d.ts +0 -15
- package/dist/tools/measure-subject.d.ts.map +0 -1
- package/dist/tools/measure-subject.js +0 -106
- package/dist/tools/measure-subject.js.map +0 -1
- package/dist/tools/quarantine-status.d.ts +0 -8
- package/dist/tools/quarantine-status.d.ts.map +0 -1
- package/dist/tools/quarantine-status.js +0 -16
- package/dist/tools/quarantine-status.js.map +0 -1
- package/dist/tools/revoke-artifact.d.ts +0 -13
- package/dist/tools/revoke-artifact.d.ts.map +0 -1
- package/dist/tools/revoke-artifact.js +0 -24
- package/dist/tools/revoke-artifact.js.map +0 -1
- package/dist/tools/rotate-keys.d.ts +0 -13
- package/dist/tools/rotate-keys.d.ts.map +0 -1
- package/dist/tools/rotate-keys.js +0 -39
- package/dist/tools/rotate-keys.js.map +0 -1
- package/dist/tools/server-info.d.ts +0 -8
- package/dist/tools/server-info.d.ts.map +0 -1
- package/dist/tools/server-info.js +0 -23
- package/dist/tools/server-info.js.map +0 -1
- package/dist/tools/set-verification-tier.d.ts +0 -11
- package/dist/tools/set-verification-tier.d.ts.map +0 -1
- package/dist/tools/set-verification-tier.js +0 -31
- package/dist/tools/set-verification-tier.js.map +0 -1
- package/dist/tools/start-monitoring.d.ts +0 -12
- package/dist/tools/start-monitoring.d.ts.map +0 -1
- package/dist/tools/start-monitoring.js +0 -17
- package/dist/tools/start-monitoring.js.map +0 -1
- package/dist/tools/trigger-measurement.d.ts +0 -15
- package/dist/tools/trigger-measurement.d.ts.map +0 -1
- package/dist/tools/trigger-measurement.js +0 -86
- package/dist/tools/trigger-measurement.js.map +0 -1
- package/dist/tools/verify-artifact.d.ts +0 -13
- package/dist/tools/verify-artifact.d.ts.map +0 -1
- package/dist/tools/verify-artifact.js +0 -6
- package/dist/tools/verify-artifact.js.map +0 -1
- package/dist/tools/verify-bundle.d.ts +0 -13
- package/dist/tools/verify-bundle.d.ts.map +0 -1
- package/dist/tools/verify-bundle.js +0 -6
- package/dist/tools/verify-bundle.js.map +0 -1
- package/dist/types.d.ts +0 -261
- package/dist/types.d.ts.map +0 -1
- package/dist/types.js +0 -8
- package/dist/types.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,124 +1,209 @@
|
|
|
1
|
-
#
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
|
43
|
-
|
|
44
|
-
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
|
49
|
-
|
|
50
|
-
|
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
|
71
|
-
|
|
72
|
-
|
|
|
73
|
-
|
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
|
118
|
-
|
|
119
|
-
|
|
|
120
|
-
|
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
1
|
+
# AGA - Attested Governance Artifacts
|
|
2
|
+
|
|
3
|
+
Cryptographic runtime governance for AI agents and autonomous systems.
|
|
4
|
+
|
|
5
|
+
[](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
6
|
+
[](https://pypi.org/project/aga-governance/)
|
|
7
|
+
[](LICENSE)
|
|
8
|
+
[](https://github.com/attestedintelligence/AGA)
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
# Try it now
|
|
12
|
+
pip install aga-governance
|
|
13
|
+
python -m aga demo
|
|
14
|
+
python -m aga verify demo-bundle.json
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
## What This Does
|
|
18
|
+
|
|
19
|
+
Every tool call an AI agent makes passes through the AGA gateway. Each call is evaluated against policy, and the decision (PERMITTED or DENIED) is recorded as a signed, hash-linked governance receipt. Receipts are collected into evidence bundles that any third party can verify offline using standard cryptography.
|
|
20
|
+
|
|
21
|
+
**Record. Prove. Verify.**
|
|
22
|
+
|
|
23
|
+
## Use with Claude Desktop
|
|
24
|
+
|
|
25
|
+
Add to your Claude Desktop MCP config (`claude_desktop_config.json`):
|
|
26
|
+
|
|
27
|
+
```json
|
|
28
|
+
{
|
|
29
|
+
"mcpServers": {
|
|
30
|
+
"aga": {
|
|
31
|
+
"command": "npx",
|
|
32
|
+
"args": ["-y", "@attested-intelligence/aga-mcp-server"]
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
Claude can then seal artifacts, measure integrity, generate evidence bundles, and verify compliance through natural language.
|
|
39
|
+
|
|
40
|
+
## MCP Tools (20)
|
|
41
|
+
|
|
42
|
+
| Category | Tools |
|
|
43
|
+
|----------|-------|
|
|
44
|
+
| **Identity** | `get_server_info`, `get_portal_state` |
|
|
45
|
+
| **Lifecycle** | `init_chain`, `attest_subject`, `revoke_artifact` |
|
|
46
|
+
| **Enforcement** | `measure_integrity`, `measure_behavior`, `verify_chain` |
|
|
47
|
+
| **Evidence** | `create_checkpoint`, `generate_evidence_bundle`, `verify_bundle_offline` |
|
|
48
|
+
| **Privacy** | `request_claim`, `list_claims` |
|
|
49
|
+
| **Delegation** | `delegate_to_subagent` |
|
|
50
|
+
| **Audit** | `get_receipts`, `get_chain_events` |
|
|
51
|
+
|
|
52
|
+
## Quick Start
|
|
53
|
+
|
|
54
|
+
### Verify an evidence bundle (3 commands)
|
|
55
|
+
|
|
56
|
+
```bash
|
|
57
|
+
pip install aga-governance
|
|
58
|
+
curl -s https://aga-mcp-gateway.attestedintelligence.workers.dev/bundle -o evidence-bundle.json
|
|
59
|
+
python -m aga verify evidence-bundle.json
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
### Or verify in your browser
|
|
63
|
+
|
|
64
|
+
Go to [attestedintelligence.com/verify](https://attestedintelligence.com/verify) and click "Run Verification." Zero installs required.
|
|
65
|
+
|
|
66
|
+
## How It Works
|
|
67
|
+
|
|
68
|
+
```
|
|
69
|
+
AI Agent AGA Gateway Verifier
|
|
70
|
+
| | |
|
|
71
|
+
|-- tools/call ----------->| |
|
|
72
|
+
| [Evaluate Policy] |
|
|
73
|
+
| [Sign Receipt] |
|
|
74
|
+
| [Chain to Previous] |
|
|
75
|
+
|<-- PERMITTED/DENIED -----| |
|
|
76
|
+
| | |
|
|
77
|
+
| [Export Bundle] |
|
|
78
|
+
| |--------- evidence.json ----->|
|
|
79
|
+
| | [Verify Signatures]
|
|
80
|
+
| | [Verify Chain]
|
|
81
|
+
| | [Verify Merkle Tree]
|
|
82
|
+
| | [PASS / FAIL]
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
## MCP Governance Proxy
|
|
86
|
+
|
|
87
|
+
Run AGA as a transparent proxy between any MCP client and any MCP server. Every tool call gets evaluated against policy and produces a signed receipt.
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
# Start the proxy with an upstream MCP server
|
|
91
|
+
npx tsx src/proxy/index.ts start --upstream "npx -y @modelcontextprotocol/server-filesystem /tmp/test" --profile standard
|
|
92
|
+
|
|
93
|
+
# Export the evidence bundle
|
|
94
|
+
npx tsx src/proxy/index.ts export --output evidence.json
|
|
95
|
+
|
|
96
|
+
# Verify
|
|
97
|
+
npx tsx src/proxy/index.ts verify evidence.json
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
The proxy intercepts `tools/call` requests, evaluates them against a sealed policy artifact, and generates signed receipts. Permitted calls are forwarded to the downstream server. Denied calls return an MCP error. Every decision is hash-linked into a tamper-evident chain.
|
|
101
|
+
|
|
102
|
+
Three built-in policy profiles:
|
|
103
|
+
- **permissive** - log everything, block nothing (default)
|
|
104
|
+
- **standard** - rate limits + blocks destructive operations
|
|
105
|
+
- **restrictive** - explicit tool allowlist, all unknown tools denied
|
|
106
|
+
|
|
107
|
+
## Verification (5 steps)
|
|
108
|
+
|
|
109
|
+
1. **Algorithm Check** - Bundle declares Ed25519-SHA256-JCS, fail closed on anything else
|
|
110
|
+
2. **Receipt Signatures** - Ed25519 over RFC 8785 canonical JSON (signature field excluded)
|
|
111
|
+
3. **Chain Integrity** - Each receipt's `previous_receipt_hash` = SHA-256 of the preceding receipt
|
|
112
|
+
4. **Merkle Proofs** - Walk siblings/directions to root, compare against bundle root
|
|
113
|
+
5. **Bundle Consistency** - Proof count = receipt count, leaf hashes match receipt hashes
|
|
114
|
+
|
|
115
|
+
## Cryptographic Primitives
|
|
116
|
+
|
|
117
|
+
| Primitive | Purpose |
|
|
118
|
+
|-----------|---------|
|
|
119
|
+
| Ed25519 | Receipt signatures |
|
|
120
|
+
| SHA-256 | Hash chaining, Merkle trees, leaf computation |
|
|
121
|
+
| RFC 8785 (JCS) | Canonical JSON for deterministic signing |
|
|
122
|
+
| Merkle Trees | Binding all receipts to a single verifiable root |
|
|
123
|
+
|
|
124
|
+
## Live Gateway
|
|
125
|
+
|
|
126
|
+
The demo gateway is deployed on Cloudflare Workers:
|
|
127
|
+
|
|
128
|
+
```bash
|
|
129
|
+
# Check status
|
|
130
|
+
curl https://aga-mcp-gateway.attestedintelligence.workers.dev/health
|
|
131
|
+
|
|
132
|
+
# Export evidence bundle
|
|
133
|
+
curl https://aga-mcp-gateway.attestedintelligence.workers.dev/bundle -o evidence-bundle.json
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
## Python SDK
|
|
137
|
+
|
|
138
|
+
```bash
|
|
139
|
+
pip install aga-governance
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
```python
|
|
143
|
+
from aga import AgentSession
|
|
144
|
+
|
|
145
|
+
with AgentSession(gateway_id="my-gateway") as session:
|
|
146
|
+
session.record_tool_call(
|
|
147
|
+
tool_name="search_web",
|
|
148
|
+
decision="PERMITTED",
|
|
149
|
+
reason="tool in allowlist",
|
|
150
|
+
request_id="req-1",
|
|
151
|
+
)
|
|
152
|
+
bundle = session.export_bundle()
|
|
153
|
+
result = session.verify()
|
|
154
|
+
assert result["overall_valid"]
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
## Test Suite
|
|
158
|
+
|
|
159
|
+
355+ automated tests across TypeScript and Python:
|
|
160
|
+
|
|
161
|
+
- **TypeScript MCP Server:** 218 tests (vitest)
|
|
162
|
+
- **Python SDK:** 137 tests (pytest)
|
|
163
|
+
- **Cross-language test vectors:** 37 vectors across 9 categories
|
|
164
|
+
|
|
165
|
+
```bash
|
|
166
|
+
npm test # TypeScript tests
|
|
167
|
+
cd aga-python && python -m pytest # Python tests
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
## Project Structure
|
|
171
|
+
|
|
172
|
+
```
|
|
173
|
+
src/ # Core protocol: artifacts, receipts, chain, Merkle, crypto, portal state machine
|
|
174
|
+
core/ # Governance primitives (artifact, receipt, chain, portal, bundle)
|
|
175
|
+
crypto/ # Ed25519, SHA-256, BLAKE2b, Merkle, JCS canonicalization
|
|
176
|
+
proxy/ # MCP governance proxy (transparent interception + policy enforcement)
|
|
177
|
+
tools/ # MCP tool handlers (20 tools)
|
|
178
|
+
middleware/ # Zero-trust governance enforcement wrapper
|
|
179
|
+
aga-python/ # Python SDK with @governed decorator (PyPI: aga-governance)
|
|
180
|
+
independent-verifier/ # Standalone verifier with zero AGA imports
|
|
181
|
+
scenarios/ # Deployment scenarios (SCADA, drone, AI agent)
|
|
182
|
+
tests/ # TypeScript test suite (218 tests)
|
|
183
|
+
```
|
|
184
|
+
|
|
185
|
+
## Links
|
|
186
|
+
|
|
187
|
+
- [Website](https://attestedintelligence.com)
|
|
188
|
+
- [Technology](https://attestedintelligence.com/technology)
|
|
189
|
+
- [Live Verifier](https://attestedintelligence.com/verify)
|
|
190
|
+
- [Trust and Scope](https://attestedintelligence.com/trust)
|
|
191
|
+
- [Diligence Materials](https://attestedintelligence.com/diligence)
|
|
192
|
+
- [MCP Server (npm)](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
193
|
+
- [Python SDK (PyPI)](https://pypi.org/project/aga-governance/)
|
|
194
|
+
|
|
195
|
+
## Security
|
|
196
|
+
|
|
197
|
+
See [SECURITY.md](SECURITY.md) for vulnerability reporting.
|
|
198
|
+
|
|
199
|
+
## Contributing
|
|
200
|
+
|
|
201
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
|
|
202
|
+
|
|
203
|
+
## License
|
|
204
|
+
|
|
205
|
+
[MIT](LICENSE)
|
|
206
|
+
|
|
207
|
+
---
|
|
208
|
+
|
|
209
|
+
Attested Intelligence Holdings LLC
|
|
@@ -5,7 +5,6 @@
|
|
|
5
5
|
* All OpenClaw assumptions are documented inline. When a real OpenClaw instance
|
|
6
6
|
* becomes available, validate each assumption.
|
|
7
7
|
*
|
|
8
|
-
* Patent: USPTO App. No. 19/433,835
|
|
9
8
|
* Copyright (c) 2026 Attested Intelligence Holdings LLC
|
|
10
9
|
* SPDX-License-Identifier: MIT
|
|
11
10
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmBH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED,qBAAa,eAAgB,YAAW,kBAAkB;IACxD,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,UAAU,CAAuB;IAEzC,OAAO,CAAC,cAAc;IAIhB,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBxF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAW5C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA6B/E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAU/B"}
|
|
@@ -5,7 +5,6 @@
|
|
|
5
5
|
* All OpenClaw assumptions are documented inline. When a real OpenClaw instance
|
|
6
6
|
* becomes available, validate each assumption.
|
|
7
7
|
*
|
|
8
|
-
* Patent: USPTO App. No. 19/433,835
|
|
9
8
|
* Copyright (c) 2026 Attested Intelligence Holdings LLC
|
|
10
9
|
* SPDX-License-Identifier: MIT
|
|
11
10
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AA+B9B,MAAM,OAAO,eAAe;IAClB,UAAU,GAAkB,IAAI,CAAC;IACjC,UAAU,GAAkB,IAAI,CAAC;IAEjC,cAAc;QACpB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAmB;QAC9B,MAAM,CAAC,GAAG,UAAU,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,aAAa,CAAC;QAEpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YACvD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,gBAAgB,IAAI,SAAS;aAChE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,IAAI;YACJ,GAAI,KAAiC;SACtC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,SAA4B;QACnE,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,kBAAkB;QAClB,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAClE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAE3C,sDAAsD;QACtD,qDAAqD;QACrD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEhD,6CAA6C;gBAC7C,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;oBAC/B,yBAAyB;oBACzB,GAAG,EAAE,oBAAoB,SAAS,EAAE;oBACpC,oBAAoB;oBACpB,aAAa,EAAE,QAAQ;oBACvB,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAClD,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}
|
package/dist/core/bundle.d.ts
CHANGED
|
@@ -1,6 +1,13 @@
|
|
|
1
1
|
import type { KeyPair, MerkleInclusionProof } from '../crypto/types.js';
|
|
2
|
-
import type { EvidenceBundle, PolicyArtifact, SignedReceipt, CheckpointReference } from './types.js';
|
|
3
|
-
|
|
2
|
+
import type { EvidenceBundle, PolicyArtifact, SignedReceipt, CheckpointReference, VerificationTier } from './types.js';
|
|
3
|
+
/**
|
|
4
|
+
* Generate an evidence bundle. Original signature preserved for backward compatibility.
|
|
5
|
+
* Tiered bundle generation (CAISI §3b):
|
|
6
|
+
* BRONZE - artifact + receipts only (proofs omitted)
|
|
7
|
+
* SILVER - artifact + receipts + Merkle proofs
|
|
8
|
+
* GOLD - artifact + receipts + Merkle proofs + anchor checkpoint reference
|
|
9
|
+
*/
|
|
10
|
+
export declare function generateBundle(artifact: PolicyArtifact, receipts: SignedReceipt[], proofs: MerkleInclusionProof[], checkpoint: CheckpointReference, kp: KeyPair, tier?: VerificationTier): EvidenceBundle;
|
|
4
11
|
export interface VerificationResult {
|
|
5
12
|
step1_artifact_sig: boolean;
|
|
6
13
|
step2_receipt_sigs: boolean;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEvH;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,aAAa,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,UAAU,EAAE,mBAAmB,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,gBAAgB,GAAG,cAAc,CAUzM;AAED,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,EAAE,OAAO,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAC;IACzD,mBAAmB,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,iBAAiB,GAAG,OAAO,CAAC;IACxE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;CACpC;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG,kBAAkB,CAanG"}
|
package/dist/core/bundle.js
CHANGED
|
@@ -1,8 +1,22 @@
|
|
|
1
1
|
import { signStr, sigToB64, b64ToSig, hexToPk, verifyStr, pkToHex } from '../crypto/sign.js';
|
|
2
2
|
import { verifyProof } from '../crypto/merkle.js';
|
|
3
3
|
import { canonicalize } from '../utils/canonical.js';
|
|
4
|
-
|
|
5
|
-
|
|
4
|
+
/**
|
|
5
|
+
* Generate an evidence bundle. Original signature preserved for backward compatibility.
|
|
6
|
+
* Tiered bundle generation (CAISI §3b):
|
|
7
|
+
* BRONZE - artifact + receipts only (proofs omitted)
|
|
8
|
+
* SILVER - artifact + receipts + Merkle proofs
|
|
9
|
+
* GOLD - artifact + receipts + Merkle proofs + anchor checkpoint reference
|
|
10
|
+
*/
|
|
11
|
+
export function generateBundle(artifact, receipts, proofs, checkpoint, kp, tier) {
|
|
12
|
+
const effectiveTier = tier ?? 'GOLD';
|
|
13
|
+
const bundleProofs = effectiveTier === 'BRONZE' ? [] : proofs;
|
|
14
|
+
const bundleCheckpoint = effectiveTier === 'GOLD' ? checkpoint : {
|
|
15
|
+
...checkpoint,
|
|
16
|
+
transaction_id: effectiveTier === 'BRONZE' ? '' : checkpoint.transaction_id,
|
|
17
|
+
anchor_network: effectiveTier === 'BRONZE' ? '' : checkpoint.anchor_network,
|
|
18
|
+
};
|
|
19
|
+
const unsigned = { artifact, receipts, merkle_proofs: bundleProofs, checkpoint_reference: bundleCheckpoint, public_key: pkToHex(kp.publicKey), verification_tier: effectiveTier };
|
|
6
20
|
return { ...unsigned, bundle_signature: sigToB64(signStr(canonicalize(unsigned), kp.secretKey)) };
|
|
7
21
|
}
|
|
8
22
|
export function verifyBundleOffline(bundle, pinnedPkHex) {
|
package/dist/core/bundle.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAIrD,MAAM,UAAU,cAAc,CAAC,QAAwB,EAAE,QAAyB,EAAE,MAA8B,EAAE,UAA+B,EAAE,EAAW;
|
|
1
|
+
{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/core/bundle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAIrD;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,QAAwB,EAAE,QAAyB,EAAE,MAA8B,EAAE,UAA+B,EAAE,EAAW,EAAE,IAAuB;IACvL,MAAM,aAAa,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,YAAY,GAAG,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IAC9D,MAAM,gBAAgB,GAAwB,aAAa,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QACpF,GAAG,UAAU;QACb,cAAc,EAAE,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc;QAC3E,cAAc,EAAE,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc;KAC5E,CAAC;IACF,MAAM,QAAQ,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,aAAa,EAAE,CAAC;IAClL,OAAO,EAAE,GAAG,QAAQ,EAAE,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AACpG,CAAC;AAQD,MAAM,UAAU,mBAAmB,CAAC,MAAsB,EAAE,WAAmB;IAC7E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;IACnD,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAClD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,UAAU,aAAa,CAAC,CAAC;QAAC,CAAC;IAC9J,CAAC;IACD,IAAI,EAAE,GAAG,IAAI,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YAAC,EAAE,GAAG,KAAK,CAAC;YAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;QAAC,CAAC;IAAC,CAAC;IACtI,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,mBAAmB,EAAE,EAAE,EAAE,YAAY,EAAE,iBAAiB,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC;AACvJ,CAAC"}
|
package/dist/core/identity.d.ts
CHANGED
|
@@ -1,14 +1,23 @@
|
|
|
1
|
+
import type { KeyPair } from '../crypto/types.js';
|
|
2
|
+
import type { ContinuityEvent } from './types.js';
|
|
3
|
+
export { keyFingerprint } from '../crypto/sign.js';
|
|
1
4
|
/**
|
|
2
|
-
*
|
|
5
|
+
* Check whether a key is still valid given its issuance time and TTL.
|
|
6
|
+
* NCCoE §2: non-biometric identity validity check.
|
|
3
7
|
*/
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
+
export declare function isKeyValid(issuedAt: string, ttlSeconds: number): boolean;
|
|
9
|
+
/**
|
|
10
|
+
* Generate a new key pair for rotation, returning both old and new for
|
|
11
|
+
* a transition period defined by policy. NCCoE §3: key rotation.
|
|
12
|
+
*/
|
|
13
|
+
export declare function rotateKeyPair(currentKeyPair: KeyPair): {
|
|
14
|
+
oldKeyPair: KeyPair;
|
|
8
15
|
newKeyPair: KeyPair;
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
16
|
+
};
|
|
17
|
+
/**
|
|
18
|
+
* Record a key rotation event on the continuity chain.
|
|
19
|
+
* NCCoE §3: "Key rotation is handled by including both old and new public keys
|
|
20
|
+
* during a transition period defined by policy."
|
|
21
|
+
*/
|
|
22
|
+
export declare function recordKeyRotation(prevEvent: ContinuityEvent, keypairType: string, oldPublicKeyHex: string, newPublicKeyHex: string, reason: string, signingKeyPair: KeyPair): ContinuityEvent;
|
|
14
23
|
//# sourceMappingURL=identity.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,YAAY,CAAC;AAGrE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAExE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,cAAc,EAAE,OAAO,GAAG;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,OAAO,CAAA;CAAE,CAGnG;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,EACvB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,GACtB,eAAe,CAUjB"}
|
package/dist/core/identity.js
CHANGED
|
@@ -1,16 +1,50 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Identity
|
|
2
|
+
* Identity and Key Lifecycle.
|
|
3
|
+
*
|
|
4
|
+
* Non-biometric cryptographic identity: agent identity derived from
|
|
5
|
+
* cryptographic key pair bound to append-only attestation history in
|
|
6
|
+
* continuity chain. Authority from valid signature history, not biometric traits.
|
|
7
|
+
*
|
|
8
|
+
* Functions:
|
|
9
|
+
* - keyFingerprint: re-exported from crypto/sign.ts for convenience
|
|
10
|
+
* - isKeyValid: check key TTL expiry
|
|
11
|
+
* - rotateKeyPair: generate new key pair for rotation
|
|
12
|
+
* - recordKeyRotation: append KEY_ROTATION event to chain
|
|
3
13
|
*/
|
|
4
|
-
import {
|
|
5
|
-
import {
|
|
6
|
-
|
|
7
|
-
export
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
+
import { generateKeyPair } from '../crypto/sign.js';
|
|
15
|
+
import { isExpired } from '../utils/timestamp.js';
|
|
16
|
+
import { appendEvent } from './chain.js';
|
|
17
|
+
// Re-export keyFingerprint for identity module consumers (NCCoE §2)
|
|
18
|
+
export { keyFingerprint } from '../crypto/sign.js';
|
|
19
|
+
/**
|
|
20
|
+
* Check whether a key is still valid given its issuance time and TTL.
|
|
21
|
+
* NCCoE §2: non-biometric identity validity check.
|
|
22
|
+
*/
|
|
23
|
+
export function isKeyValid(issuedAt, ttlSeconds) {
|
|
24
|
+
return !isExpired(issuedAt, ttlSeconds);
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Generate a new key pair for rotation, returning both old and new for
|
|
28
|
+
* a transition period defined by policy. NCCoE §3: key rotation.
|
|
29
|
+
*/
|
|
30
|
+
export function rotateKeyPair(currentKeyPair) {
|
|
31
|
+
const newKeyPair = generateKeyPair();
|
|
32
|
+
return { oldKeyPair: currentKeyPair, newKeyPair };
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Record a key rotation event on the continuity chain.
|
|
36
|
+
* NCCoE §3: "Key rotation is handled by including both old and new public keys
|
|
37
|
+
* during a transition period defined by policy."
|
|
38
|
+
*/
|
|
39
|
+
export function recordKeyRotation(prevEvent, keypairType, oldPublicKeyHex, newPublicKeyHex, reason, signingKeyPair) {
|
|
40
|
+
const payload = {
|
|
41
|
+
keypair_type: keypairType,
|
|
42
|
+
old_public_key: oldPublicKeyHex,
|
|
43
|
+
new_public_key: newPublicKeyHex,
|
|
44
|
+
reason,
|
|
45
|
+
rotation_timestamp: new Date().toISOString(),
|
|
46
|
+
chain_sequence: prevEvent.sequence_number + 1,
|
|
14
47
|
};
|
|
48
|
+
return appendEvent('KEY_ROTATION', payload, prevEvent, signingKeyPair);
|
|
15
49
|
}
|
|
16
50
|
//# sourceMappingURL=identity.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/core/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,eAAe,EAA2B,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAIzC,oEAAoE;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,UAAkB;IAC7D,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,cAAuB;IACnD,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAA0B,EAC1B,WAAmB,EACnB,eAAuB,EACvB,eAAuB,EACvB,MAAc,EACd,cAAuB;IAEvB,MAAM,OAAO,GAAsB;QACjC,YAAY,EAAE,WAAW;QACzB,cAAc,EAAE,eAAe;QAC/B,cAAc,EAAE,eAAe;QAC/B,MAAM;QACN,kBAAkB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5C,cAAc,EAAE,SAAS,CAAC,eAAe,GAAG,CAAC;KAC9C,CAAC;IACF,OAAO,WAAW,CAAC,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;AACzE,CAAC"}
|
package/dist/core/portal.d.ts
CHANGED
|
@@ -8,6 +8,14 @@ export interface MeasurementResult {
|
|
|
8
8
|
expectedMetaHash: HashHex;
|
|
9
9
|
ttl_ok: boolean;
|
|
10
10
|
revoked: boolean;
|
|
11
|
+
degraded?: boolean;
|
|
12
|
+
}
|
|
13
|
+
/** Degradation event record for the continuity chain. */
|
|
14
|
+
export interface DegradationEvent {
|
|
15
|
+
reason: string;
|
|
16
|
+
timestamp: string;
|
|
17
|
+
artifact_reference: HashHex;
|
|
18
|
+
previous_state: string;
|
|
11
19
|
}
|
|
12
20
|
export declare class Portal {
|
|
13
21
|
state: PortalState;
|
|
@@ -15,13 +23,14 @@ export declare class Portal {
|
|
|
15
23
|
sequenceCounter: number;
|
|
16
24
|
lastLeafHash: HashHex | null;
|
|
17
25
|
revocations: Set<string>;
|
|
26
|
+
degradationLog: DegradationEvent[];
|
|
18
27
|
loadArtifact(artifact: PolicyArtifact, pinnedPkHex: string): {
|
|
19
28
|
ok: boolean;
|
|
20
29
|
error?: string;
|
|
21
30
|
};
|
|
22
31
|
measure(subjectBytes: Uint8Array, meta: SubjectMetadata): MeasurementResult;
|
|
23
32
|
enforce(action: EnforcementAction): void;
|
|
24
|
-
revoke(sealedHash: string
|
|
33
|
+
revoke(sealedHash: string): void;
|
|
25
34
|
isRevoked(sealedHash: string): boolean;
|
|
26
35
|
reset(): void;
|
|
27
36
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../src/core/portal.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,yDAAyD;AACzD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,MAAM;IACjB,KAAK,EAAE,WAAW,CAAoB;IACtC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAQ;IACvC,eAAe,SAAK;IACpB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAQ;IACpC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAa;IACrC,cAAc,EAAE,gBAAgB,EAAE,CAAM;IAExC,YAAY,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiB5F,OAAO,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,GAAG,iBAAiB;IAuC3E,OAAO,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI;IAUxC,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKhC,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAEtC,KAAK,IAAI,IAAI;CAId"}
|