@auths-dev/sdk 0.0.1 → 0.1.0

package/src/device.rs

@@ -0,0 +1,212 @@
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use auths_core::signing::PrefilledPassphraseProvider;
+use auths_core::storage::keychain::get_platform_keychain_with_config;
+use auths_sdk::context::AuthsContext;
+use auths_sdk::device::extend_device;
+use auths_sdk::device::{link_device, revoke_device};
+use auths_sdk::types::{DeviceExtensionConfig, DeviceLinkConfig};
+use auths_storage::git::{
+    GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage,
+};
+use auths_verifier::clock::SystemClock;
+use auths_verifier::core::Capability;
+use auths_verifier::types::DeviceDID;
+use napi_derive::napi;
+
+use crate::error::format_error;
+use crate::helpers::{make_env_config, resolve_key_alias, resolve_passphrase};
+use crate::types::{NapiExtensionResult, NapiLinkResult};
+
+fn open_backend(repo: &PathBuf) -> napi::Result<Arc<GitRegistryBackend>> {
+    let config = RegistryConfig::single_tenant(repo);
+    let backend = GitRegistryBackend::open_existing(config).map_err(|e| {
+        format_error(
+            "AUTHS_REGISTRY_ERROR",
+            format!("Failed to open registry: {e}"),
+        )
+    })?;
+    Ok(Arc::new(backend))
+}
+
+#[napi]
+pub fn link_device_to_identity(
+    identity_key_alias: String,
+    capabilities: Vec<String>,
+    repo_path: String,
+    passphrase: Option<String>,
+    expires_in: Option<i64>,
+) -> napi::Result<NapiLinkResult> {
+    let passphrase_str = resolve_passphrase(passphrase);
+    let env_config = make_env_config(&passphrase_str, &repo_path);
+    let provider = Arc::new(PrefilledPassphraseProvider::new(&passphrase_str));
+    let clock = Arc::new(SystemClock);
+
+    let repo = PathBuf::from(shellexpand::tilde(&repo_path).as_ref());
+    let backend = open_backend(&repo)?;
+
+    let keychain = get_platform_keychain_with_config(&env_config)
+        .map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", format!("Keychain error: {e}")))?;
+
+    let alias = resolve_key_alias(&identity_key_alias, keychain.as_ref())?;
+
+    let parsed_caps: Vec<Capability> = capabilities
+        .iter()
+        .map(|c| {
+            Capability::parse(c).map_err(|e| {
+                format_error(
+                    "AUTHS_INVALID_INPUT",
+                    format!("Invalid capability '{c}': {e}"),
+                )
+            })
+        })
+        .collect::<napi::Result<Vec<_>>>()?;
+
+    let link_config = DeviceLinkConfig {
+        identity_key_alias: alias,
+        device_key_alias: None,
+        device_did: None,
+        capabilities: parsed_caps,
+        expires_in: expires_in.map(|s| s as u64),
+        note: None,
+        payload: None,
+    };
+
+    let keychain: Arc<dyn auths_core::storage::keychain::KeyStorage + Send + Sync> =
+        Arc::from(keychain);
+    let identity_storage = Arc::new(RegistryIdentityStorage::new(&repo));
+    let attestation_storage = Arc::new(RegistryAttestationStorage::new(&repo));
+
+    let ctx = AuthsContext::builder()
+        .registry(backend)
+        .key_storage(keychain)
+        .clock(clock.clone())
+        .identity_storage(identity_storage)
+        .attestation_sink(attestation_storage.clone())
+        .attestation_source(attestation_storage)
+        .passphrase_provider(provider)
+        .build();
+
+    let result = link_device(link_config, &ctx, clock.as_ref())
+        .map_err(|e| format_error("AUTHS_DEVICE_ERROR", format!("Device linking failed: {e}")))?;
+
+    Ok(NapiLinkResult {
+        device_did: result.device_did.to_string(),
+        attestation_id: result.attestation_id.to_string(),
+    })
+}
+
+#[napi]
+pub fn revoke_device_from_identity(
+    device_did: String,
+    identity_key_alias: String,
+    repo_path: String,
+    passphrase: Option<String>,
+    note: Option<String>,
+) -> napi::Result<()> {
+    let passphrase_str = resolve_passphrase(passphrase);
+    let env_config = make_env_config(&passphrase_str, &repo_path);
+    let provider = Arc::new(PrefilledPassphraseProvider::new(&passphrase_str));
+    let clock = Arc::new(SystemClock);
+
+    let repo = PathBuf::from(shellexpand::tilde(&repo_path).as_ref());
+    let backend = open_backend(&repo)?;
+
+    let keychain = get_platform_keychain_with_config(&env_config)
+        .map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", format!("Keychain error: {e}")))?;
+
+    let alias = resolve_key_alias(&identity_key_alias, keychain.as_ref())?;
+
+    let keychain: Arc<dyn auths_core::storage::keychain::KeyStorage + Send + Sync> =
+        Arc::from(keychain);
+    let identity_storage = Arc::new(RegistryIdentityStorage::new(&repo));
+    let attestation_storage = Arc::new(RegistryAttestationStorage::new(&repo));
+
+    let ctx = AuthsContext::builder()
+        .registry(backend)
+        .key_storage(keychain)
+        .clock(clock.clone())
+        .identity_storage(identity_storage)
+        .attestation_sink(attestation_storage.clone())
+        .attestation_source(attestation_storage)
+        .passphrase_provider(provider)
+        .build();
+
+    revoke_device(&device_did, &alias, &ctx, note, clock.as_ref()).map_err(|e| {
+        format_error(
+            "AUTHS_DEVICE_ERROR",
+            format!("Device revocation failed: {e}"),
+        )
+    })?;
+
+    Ok(())
+}
+
+#[napi]
+pub fn extend_device_authorization(
+    device_did: String,
+    identity_key_alias: String,
+    expires_in: i64,
+    repo_path: String,
+    passphrase: Option<String>,
+) -> napi::Result<NapiExtensionResult> {
+    if expires_in <= 0 {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            "expires_in must be positive (> 0)",
+        ));
+    }
+
+    let passphrase_str = resolve_passphrase(passphrase);
+    let env_config = make_env_config(&passphrase_str, &repo_path);
+    let provider = Arc::new(PrefilledPassphraseProvider::new(&passphrase_str));
+    let clock = Arc::new(SystemClock);
+
+    let repo = PathBuf::from(shellexpand::tilde(&repo_path).as_ref());
+    let backend = open_backend(&repo)?;
+
+    let keychain = get_platform_keychain_with_config(&env_config)
+        .map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", format!("Keychain error: {e}")))?;
+    let keychain: Arc<dyn auths_core::storage::keychain::KeyStorage + Send + Sync> =
+        Arc::from(keychain);
+
+    let identity_storage = Arc::new(RegistryIdentityStorage::new(&repo));
+    let attestation_storage = Arc::new(RegistryAttestationStorage::new(&repo));
+
+    let alias = resolve_key_alias(&identity_key_alias, keychain.as_ref())?;
+
+    let ext_config = DeviceExtensionConfig {
+        repo_path: repo,
+        device_did: DeviceDID::parse(&device_did)
+            .map_err(|e| format_error("AUTHS_INVALID_INPUT", e))?,
+        expires_in: expires_in as u64,
+        identity_key_alias: alias,
+        device_key_alias: None,
+    };
+
+    let ctx = AuthsContext::builder()
+        .registry(backend)
+        .key_storage(keychain)
+        .clock(clock.clone())
+        .identity_storage(identity_storage)
+        .attestation_sink(attestation_storage.clone())
+        .attestation_source(attestation_storage)
+        .passphrase_provider(provider)
+        .build();
+
+    let result = extend_device(ext_config, &ctx, clock.as_ref()).map_err(|e| {
+        format_error(
+            "AUTHS_DEVICE_ERROR",
+            format!("Device extension failed: {e}"),
+        )
+    })?;
+
+    Ok(NapiExtensionResult {
+        device_did: result.device_did.to_string(),
+        new_expires_at: result.new_expires_at.to_rfc3339(),
+        previous_expires_at: result
+            .previous_expires_at
+            .map(|t: chrono::DateTime<chrono::Utc>| t.to_rfc3339()),
+    })
+}

package/src/diagnostics.rs

@@ -0,0 +1,106 @@
+use std::process::Command;
+
+use auths_sdk::ports::diagnostics::{
+    CheckCategory, CheckResult, CryptoDiagnosticProvider, DiagnosticError, GitDiagnosticProvider,
+};
+use auths_sdk::workflows::diagnostics::DiagnosticsWorkflow;
+use napi_derive::napi;
+
+use crate::error::format_error;
+
+struct FfiDiagnosticAdapter;
+
+impl GitDiagnosticProvider for FfiDiagnosticAdapter {
+    fn check_git_version(&self) -> Result<CheckResult, DiagnosticError> {
+        let output = Command::new("git").arg("--version").output();
+        let (passed, message) = match output {
+            Ok(out) if out.status.success() => {
+                let version = String::from_utf8_lossy(&out.stdout).trim().to_string();
+                (true, Some(version))
+            }
+            _ => (false, Some("git command not found on PATH".to_string())),
+        };
+        Ok(CheckResult {
+            name: "Git installed".to_string(),
+            passed,
+            message,
+            config_issues: vec![],
+            category: CheckCategory::Advisory,
+        })
+    }
+
+    fn get_git_config(&self, key: &str) -> Result<Option<String>, DiagnosticError> {
+        let output = Command::new("git")
+            .args(["config", "--global", "--get", key])
+            .output()
+            .map_err(|e| DiagnosticError::ExecutionFailed(e.to_string()))?;
+
+        if output.status.success() {
+            Ok(String::from_utf8(output.stdout)
+                .ok()
+                .map(|s| s.trim().to_string()))
+        } else {
+            Ok(None)
+        }
+    }
+}
+
+impl CryptoDiagnosticProvider for FfiDiagnosticAdapter {
+    fn check_ssh_keygen_available(&self) -> Result<CheckResult, DiagnosticError> {
+        let output = Command::new("ssh-keygen").arg("-V").output();
+        let (passed, message) = match output {
+            Ok(out) if out.status.success() => (true, Some("ssh-keygen found on PATH".to_string())),
+            _ => (
+                false,
+                Some("ssh-keygen command not found on PATH".to_string()),
+            ),
+        };
+        Ok(CheckResult {
+            name: "ssh-keygen installed".to_string(),
+            passed,
+            message,
+            config_issues: vec![],
+            category: CheckCategory::Advisory,
+        })
+    }
+}
+
+#[napi]
+pub fn run_diagnostics(repo_path: String, passphrase: Option<String>) -> napi::Result<String> {
+    let _repo = repo_path;
+    let _passphrase = passphrase;
+
+    let adapter = FfiDiagnosticAdapter;
+    let workflow = DiagnosticsWorkflow::new(&adapter, &adapter);
+    let report = workflow
+        .run()
+        .map_err(|e| format_error("AUTHS_DIAGNOSTIC_ERROR", e))?;
+
+    let all_passed = report.checks.iter().all(|c| c.passed);
+
+    let checks: Vec<serde_json::Value> = report
+        .checks
+        .iter()
+        .map(|c| {
+            let fix_hint = if !c.passed {
+                Some("Run: auths init --profile developer")
+            } else {
+                None
+            };
+            serde_json::json!({
+                "name": c.name,
+                "passed": c.passed,
+                "message": c.message,
+                "fix_hint": fix_hint,
+            })
+        })
+        .collect();
+
+    let result = serde_json::json!({
+        "checks": checks,
+        "all_passed": all_passed,
+        "version": env!("CARGO_PKG_VERSION"),
+    });
+
+    serde_json::to_string(&result).map_err(|e| format_error("AUTHS_DIAGNOSTIC_ERROR", e))
+}

package/src/error.rs

@@ -0,0 +1,5 @@
+use napi::Status;
+
+pub fn format_error(code: &str, message: impl std::fmt::Display) -> napi::Error {
+    napi::Error::new(Status::GenericFailure, format!("[{code}] {message}"))
+}

package/src/helpers.rs

@@ -0,0 +1,60 @@
+use std::path::PathBuf;
+
+use auths_core::config::{EnvironmentConfig, KeychainConfig};
+use auths_core::storage::keychain::{
+    IdentityDID, KeyAlias, KeyRole, KeyStorage, get_platform_keychain_with_config,
+};
+
+use crate::error::format_error;
+
+#[allow(clippy::disallowed_methods)] // Presentation boundary: env var read is intentional
+pub fn resolve_passphrase(passphrase: Option<String>) -> String {
+    passphrase.unwrap_or_else(|| std::env::var("AUTHS_PASSPHRASE").unwrap_or_default())
+}
+
+#[allow(clippy::disallowed_methods)] // Presentation boundary: env var read is intentional
+pub fn resolve_repo_path(path: Option<String>) -> PathBuf {
+    let raw = path
+        .unwrap_or_else(|| std::env::var("AUTHS_HOME").unwrap_or_else(|_| "~/.auths".to_string()));
+    let expanded = shellexpand::tilde(&raw);
+    PathBuf::from(expanded.as_ref())
+}
+
+pub fn make_env_config(passphrase: &str, repo_path: &str) -> EnvironmentConfig {
+    let mut keychain = KeychainConfig::from_env();
+    if keychain.backend.is_none() {
+        keychain.backend = Some("file".to_string());
+    }
+    keychain.passphrase = Some(passphrase.to_string());
+    EnvironmentConfig {
+        auths_home: Some(repo_path.into()),
+        keychain,
+        ssh_agent_socket: None,
+    }
+}
+
+pub fn get_keychain(config: &EnvironmentConfig) -> napi::Result<Box<dyn KeyStorage + Send + Sync>> {
+    get_platform_keychain_with_config(config).map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", e))
+}
+
+pub fn resolve_key_alias(
+    identity_ref: &str,
+    keychain: &(dyn KeyStorage + Send + Sync),
+) -> napi::Result<KeyAlias> {
+    if identity_ref.starts_with("did:") {
+        let did =
+            IdentityDID::parse(identity_ref).map_err(|e| format_error("AUTHS_INVALID_INPUT", e))?;
+        let aliases = keychain
+            .list_aliases_for_identity_with_role(&did, KeyRole::Primary)
+            .map_err(|e| format_error("AUTHS_KEY_NOT_FOUND", format!("Key lookup failed: {e}")))?;
+        aliases.into_iter().next().ok_or_else(|| {
+            format_error(
+                "AUTHS_KEY_NOT_FOUND",
+                format!("No primary key found for identity '{identity_ref}'"),
+            )
+        })
+    } else {
+        KeyAlias::new(identity_ref)
+            .map_err(|e| format_error("AUTHS_KEY_NOT_FOUND", format!("Invalid key alias: {e}")))
+    }
+}