@auths-dev/sdk 0.0.1 → 0.1.0

package/src/sign.rs

@@ -0,0 +1,215 @@
+use auths_core::signing::{PrefilledPassphraseProvider, SecureSigner, StorageSigner};
+use auths_core::storage::keychain::{KeyAlias, get_platform_keychain_with_config};
+use auths_verifier::core::MAX_ATTESTATION_JSON_SIZE;
+use auths_verifier::types::IdentityDID;
+use napi_derive::napi;
+
+use crate::error::format_error;
+use crate::helpers::{make_env_config, resolve_passphrase};
+use crate::types::{NapiActionEnvelope, NapiCommitSignResult};
+
+fn make_signer(
+    passphrase: &str,
+    repo_path: &str,
+) -> napi::Result<(
+    StorageSigner<Box<dyn auths_core::storage::keychain::KeyStorage + Send + Sync>>,
+    PrefilledPassphraseProvider,
+)> {
+    let env_config = make_env_config(passphrase, repo_path);
+    let keychain = get_platform_keychain_with_config(&env_config)
+        .map_err(|e| format_error("AUTHS_KEYCHAIN_ERROR", format!("Keychain error: {e}")))?;
+    let signer = StorageSigner::new(keychain);
+    let provider = PrefilledPassphraseProvider::new(passphrase);
+    Ok((signer, provider))
+}
+
+#[napi]
+pub fn sign_as_identity(
+    message: napi::bindgen_prelude::Buffer,
+    identity_did: String,
+    repo_path: String,
+    passphrase: Option<String>,
+) -> napi::Result<NapiCommitSignResult> {
+    let passphrase_str = resolve_passphrase(passphrase);
+    let (signer, provider) = make_signer(&passphrase_str, &repo_path)?;
+    let did =
+        IdentityDID::parse(&identity_did).map_err(|e| format_error("AUTHS_INVALID_INPUT", e))?;
+
+    let sig_bytes = signer
+        .sign_for_identity(&did, &provider, message.as_ref())
+        .map_err(|e| format_error("AUTHS_SIGNING_FAILED", format!("Signing failed: {e}")))?;
+
+    Ok(NapiCommitSignResult {
+        signature: hex::encode(sig_bytes),
+        signer_did: identity_did,
+    })
+}
+
+#[napi]
+pub fn sign_action_as_identity(
+    action_type: String,
+    payload_json: String,
+    identity_did: String,
+    repo_path: String,
+    passphrase: Option<String>,
+) -> napi::Result<NapiActionEnvelope> {
+    if payload_json.len() > MAX_ATTESTATION_JSON_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Payload JSON too large: {} bytes, max {MAX_ATTESTATION_JSON_SIZE}",
+                payload_json.len()
+            ),
+        ));
+    }
+
+    let payload: serde_json::Value = serde_json::from_str(&payload_json)
+        .map_err(|e| format_error("AUTHS_INVALID_INPUT", format!("Invalid payload JSON: {e}")))?;
+
+    #[allow(clippy::disallowed_methods)] // Presentation boundary
+    let timestamp = chrono::Utc::now().to_rfc3339_opts(chrono::SecondsFormat::Secs, true);
+
+    let signing_data = serde_json::json!({
+        "version": "1.0",
+        "type": action_type,
+        "identity": identity_did,
+        "payload": payload,
+        "timestamp": &timestamp,
+    });
+
+    let canonical = json_canon::to_string(&signing_data).map_err(|e| {
+        format_error(
+            "AUTHS_SERIALIZATION_ERROR",
+            format!("Canonicalization failed: {e}"),
+        )
+    })?;
+
+    let passphrase_str = resolve_passphrase(passphrase);
+    let (signer, provider) = make_signer(&passphrase_str, &repo_path)?;
+    let did =
+        IdentityDID::parse(&identity_did).map_err(|e| format_error("AUTHS_INVALID_INPUT", e))?;
+
+    let sig_bytes = signer
+        .sign_for_identity(&did, &provider, canonical.as_bytes())
+        .map_err(|e| format_error("AUTHS_SIGNING_FAILED", format!("Signing failed: {e}")))?;
+
+    let sig_hex = hex::encode(sig_bytes);
+
+    let envelope = serde_json::json!({
+        "version": "1.0",
+        "type": action_type,
+        "identity": identity_did,
+        "payload": payload,
+        "timestamp": timestamp,
+        "signature": sig_hex,
+    });
+
+    let envelope_json = serde_json::to_string(&envelope).map_err(|e| {
+        format_error(
+            "AUTHS_SERIALIZATION_ERROR",
+            format!("Failed to serialize envelope: {e}"),
+        )
+    })?;
+
+    Ok(NapiActionEnvelope {
+        envelope_json,
+        signature_hex: sig_hex,
+        signer_did: identity_did,
+    })
+}
+
+#[napi]
+pub fn sign_as_agent(
+    message: napi::bindgen_prelude::Buffer,
+    key_alias: String,
+    repo_path: String,
+    passphrase: Option<String>,
+) -> napi::Result<NapiCommitSignResult> {
+    let passphrase_str = resolve_passphrase(passphrase);
+    let (signer, provider) = make_signer(&passphrase_str, &repo_path)?;
+    let alias = KeyAlias::new(&key_alias)
+        .map_err(|e| format_error("AUTHS_KEY_NOT_FOUND", format!("Invalid key alias: {e}")))?;
+
+    let sig_bytes = signer
+        .sign_with_alias(&alias, &provider, message.as_ref())
+        .map_err(|e| format_error("AUTHS_SIGNING_FAILED", format!("Signing failed: {e}")))?;
+
+    Ok(NapiCommitSignResult {
+        signature: hex::encode(sig_bytes),
+        signer_did: key_alias,
+    })
+}
+
+#[napi]
+pub fn sign_action_as_agent(
+    action_type: String,
+    payload_json: String,
+    key_alias: String,
+    agent_did: String,
+    repo_path: String,
+    passphrase: Option<String>,
+) -> napi::Result<NapiActionEnvelope> {
+    if payload_json.len() > MAX_ATTESTATION_JSON_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Payload JSON too large: {} bytes, max {MAX_ATTESTATION_JSON_SIZE}",
+                payload_json.len()
+            ),
+        ));
+    }
+
+    let payload: serde_json::Value = serde_json::from_str(&payload_json)
+        .map_err(|e| format_error("AUTHS_INVALID_INPUT", format!("Invalid payload JSON: {e}")))?;
+
+    #[allow(clippy::disallowed_methods)]
+    let timestamp = chrono::Utc::now().to_rfc3339_opts(chrono::SecondsFormat::Secs, true);
+
+    let signing_data = serde_json::json!({
+        "version": "1.0",
+        "type": action_type,
+        "identity": agent_did,
+        "payload": payload,
+        "timestamp": &timestamp,
+    });
+
+    let canonical = json_canon::to_string(&signing_data).map_err(|e| {
+        format_error(
+            "AUTHS_SERIALIZATION_ERROR",
+            format!("Canonicalization failed: {e}"),
+        )
+    })?;
+
+    let passphrase_str = resolve_passphrase(passphrase);
+    let (signer, provider) = make_signer(&passphrase_str, &repo_path)?;
+    let alias = KeyAlias::new(&key_alias)
+        .map_err(|e| format_error("AUTHS_KEY_NOT_FOUND", format!("Invalid key alias: {e}")))?;
+
+    let sig_bytes = signer
+        .sign_with_alias(&alias, &provider, canonical.as_bytes())
+        .map_err(|e| format_error("AUTHS_SIGNING_FAILED", format!("Signing failed: {e}")))?;
+
+    let sig_hex = hex::encode(sig_bytes);
+
+    let envelope = serde_json::json!({
+        "version": "1.0",
+        "type": action_type,
+        "identity": agent_did,
+        "payload": payload,
+        "timestamp": timestamp,
+        "signature": sig_hex,
+    });
+
+    let envelope_json = serde_json::to_string(&envelope).map_err(|e| {
+        format_error(
+            "AUTHS_SERIALIZATION_ERROR",
+            format!("Failed to serialize envelope: {e}"),
+        )
+    })?;
+
+    Ok(NapiActionEnvelope {
+        envelope_json,
+        signature_hex: sig_hex,
+        signer_did: agent_did,
+    })
+}

package/src/trust.rs

@@ -0,0 +1,189 @@
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use auths_core::trust::pinned::{PinnedIdentity, PinnedIdentityStore, TrustLevel};
+use auths_id::identity::resolve::{DefaultDidResolver, DidResolver, RegistryDidResolver};
+use auths_storage::git::{GitRegistryBackend, RegistryConfig};
+use auths_verifier::PublicKeyHex;
+use napi_derive::napi;
+
+use crate::error::format_error;
+
+fn resolve_repo(repo_path: &str) -> PathBuf {
+    PathBuf::from(shellexpand::tilde(repo_path).as_ref())
+}
+
+fn store_path(repo_path: &str) -> PathBuf {
+    resolve_repo(repo_path).join("known_identities.json")
+}
+
+fn parse_trust_level(s: &str) -> napi::Result<TrustLevel> {
+    match s {
+        "tofu" => Ok(TrustLevel::Tofu),
+        "manual" => Ok(TrustLevel::Manual),
+        "org_policy" => Ok(TrustLevel::OrgPolicy),
+        _ => Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Invalid trust_level '{}': must be one of 'tofu', 'manual', 'org_policy'",
+                s
+            ),
+        )),
+    }
+}
+
+fn trust_level_str(tl: &TrustLevel) -> &'static str {
+    match tl {
+        TrustLevel::Tofu => "tofu",
+        TrustLevel::Manual => "manual",
+        TrustLevel::OrgPolicy => "org_policy",
+    }
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiPinnedIdentity {
+    pub did: String,
+    pub label: Option<String>,
+    pub trust_level: String,
+    pub first_seen: String,
+    pub kel_sequence: Option<u32>,
+    pub pinned_at: String,
+}
+
+#[napi]
+pub fn pin_identity(
+    did: String,
+    repo_path: String,
+    label: Option<String>,
+    trust_level: Option<String>,
+) -> napi::Result<NapiPinnedIdentity> {
+    let tl = parse_trust_level(&trust_level.unwrap_or_else(|| "manual".to_string()))?;
+    let store = PinnedIdentityStore::new(store_path(&repo_path));
+    let repo = resolve_repo(&repo_path);
+
+    let resolved = DefaultDidResolver::with_repo(&repo)
+        .resolve(&did)
+        .or_else(|_| {
+            let backend: Arc<dyn auths_id::ports::registry::RegistryBackend + Send + Sync> =
+                Arc::new(GitRegistryBackend::from_config_unchecked(
+                    RegistryConfig::single_tenant(&repo),
+                ));
+            RegistryDidResolver::new(backend).resolve(&did)
+        })
+        .map_err(|e| {
+            format_error(
+                "AUTHS_TRUST_ERROR",
+                format!("Cannot resolve public key for {did}: {e}"),
+            )
+        })?;
+    #[allow(clippy::disallowed_methods)] // INVARIANT: hex::encode always produces valid hex
+    let public_key_hex = PublicKeyHex::new_unchecked(hex::encode(resolved.public_key().as_bytes()));
+
+    #[allow(clippy::disallowed_methods)]
+    let now = chrono::Utc::now();
+
+    if let Ok(Some(existing)) = store.lookup(&did) {
+        let _ = store.remove(&did);
+        let pin = PinnedIdentity {
+            did: did.clone(),
+            public_key_hex: if public_key_hex.as_ref().is_empty() {
+                existing.public_key_hex
+            } else {
+                public_key_hex
+            },
+            kel_tip_said: existing.kel_tip_said,
+            kel_sequence: existing.kel_sequence,
+            first_seen: existing.first_seen,
+            origin: label.clone().unwrap_or(existing.origin),
+            trust_level: tl.clone(),
+        };
+        store
+            .pin(pin.clone())
+            .map_err(|e| format_error("AUTHS_TRUST_ERROR", e))?;
+        return Ok(NapiPinnedIdentity {
+            did: pin.did,
+            label,
+            trust_level: trust_level_str(&pin.trust_level).to_string(),
+            first_seen: pin.first_seen.to_rfc3339(),
+            kel_sequence: pin.kel_sequence.map(|s| s as u32),
+            pinned_at: now.to_rfc3339(),
+        });
+    }
+
+    let pin = PinnedIdentity {
+        did: did.clone(),
+        public_key_hex,
+        kel_tip_said: None,
+        kel_sequence: None,
+        first_seen: now,
+        origin: label.clone().unwrap_or_else(|| "manual".to_string()),
+        trust_level: tl.clone(),
+    };
+
+    store
+        .pin(pin)
+        .map_err(|e| format_error("AUTHS_TRUST_ERROR", e))?;
+
+    Ok(NapiPinnedIdentity {
+        did,
+        label,
+        trust_level: trust_level_str(&tl).to_string(),
+        first_seen: now.to_rfc3339(),
+        kel_sequence: None,
+        pinned_at: now.to_rfc3339(),
+    })
+}
+
+#[napi]
+pub fn remove_pinned_identity(did: String, repo_path: String) -> napi::Result<()> {
+    let store = PinnedIdentityStore::new(store_path(&repo_path));
+    store
+        .remove(&did)
+        .map_err(|e| format_error("AUTHS_TRUST_ERROR", e))?;
+    Ok(())
+}
+
+#[napi]
+pub fn list_pinned_identities(repo_path: String) -> napi::Result<String> {
+    let store = PinnedIdentityStore::new(store_path(&repo_path));
+    let entries = store
+        .list()
+        .map_err(|e| format_error("AUTHS_TRUST_ERROR", e))?;
+
+    let json_entries: Vec<serde_json::Value> = entries
+        .iter()
+        .map(|e| {
+            serde_json::json!({
+                "did": e.did,
+                "label": e.origin,
+                "trust_level": trust_level_str(&e.trust_level),
+                "first_seen": e.first_seen.to_rfc3339(),
+                "kel_sequence": e.kel_sequence,
+                "pinned_at": e.first_seen.to_rfc3339(),
+            })
+        })
+        .collect();
+
+    serde_json::to_string(&json_entries).map_err(|e| format_error("AUTHS_TRUST_ERROR", e))
+}
+
+#[napi]
+pub fn get_pinned_identity(
+    did: String,
+    repo_path: String,
+) -> napi::Result<Option<NapiPinnedIdentity>> {
+    let store = PinnedIdentityStore::new(store_path(&repo_path));
+    let entry = store
+        .lookup(&did)
+        .map_err(|e| format_error("AUTHS_TRUST_ERROR", e))?;
+
+    Ok(entry.map(|e| NapiPinnedIdentity {
+        did: e.did,
+        label: Some(e.origin),
+        trust_level: trust_level_str(&e.trust_level).to_string(),
+        first_seen: e.first_seen.to_rfc3339(),
+        kel_sequence: e.kel_sequence.map(|s| s as u32),
+        pinned_at: e.first_seen.to_rfc3339(),
+    }))
+}

package/src/types.rs

@@ -0,0 +1,205 @@
+use napi_derive::napi;
+
+use auths_verifier::types::{
+    ChainLink as RustChainLink, VerificationReport as RustVerificationReport,
+    VerificationStatus as RustVerificationStatus,
+};
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiVerificationResult {
+    pub valid: bool,
+    pub error: Option<String>,
+    pub error_code: Option<String>,
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiVerificationStatus {
+    pub status_type: String,
+    pub at: Option<String>,
+    pub step: Option<u32>,
+    pub missing_link: Option<String>,
+    pub required: Option<u32>,
+    pub verified: Option<u32>,
+}
+
+impl NapiVerificationStatus {
+    pub fn is_valid(&self) -> bool {
+        self.status_type == "Valid"
+    }
+}
+
+impl From<RustVerificationStatus> for NapiVerificationStatus {
+    fn from(status: RustVerificationStatus) -> Self {
+        match status {
+            RustVerificationStatus::Valid => NapiVerificationStatus {
+                status_type: "Valid".to_string(),
+                at: None,
+                step: None,
+                missing_link: None,
+                required: None,
+                verified: None,
+            },
+            RustVerificationStatus::Expired { at } => NapiVerificationStatus {
+                status_type: "Expired".to_string(),
+                at: Some(at.to_rfc3339()),
+                step: None,
+                missing_link: None,
+                required: None,
+                verified: None,
+            },
+            RustVerificationStatus::Revoked { at } => NapiVerificationStatus {
+                status_type: "Revoked".to_string(),
+                at: at.map(|t| t.to_rfc3339()),
+                step: None,
+                missing_link: None,
+                required: None,
+                verified: None,
+            },
+            RustVerificationStatus::InvalidSignature { step } => NapiVerificationStatus {
+                status_type: "InvalidSignature".to_string(),
+                at: None,
+                step: Some(step as u32),
+                missing_link: None,
+                required: None,
+                verified: None,
+            },
+            RustVerificationStatus::BrokenChain { missing_link } => NapiVerificationStatus {
+                status_type: "BrokenChain".to_string(),
+                at: None,
+                step: None,
+                missing_link: Some(missing_link),
+                required: None,
+                verified: None,
+            },
+            RustVerificationStatus::InsufficientWitnesses { required, verified } => {
+                NapiVerificationStatus {
+                    status_type: "InsufficientWitnesses".to_string(),
+                    at: None,
+                    step: None,
+                    missing_link: None,
+                    required: Some(required as u32),
+                    verified: Some(verified as u32),
+                }
+            }
+        }
+    }
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiChainLink {
+    pub issuer: String,
+    pub subject: String,
+    pub valid: bool,
+    pub error: Option<String>,
+}
+
+impl From<RustChainLink> for NapiChainLink {
+    fn from(link: RustChainLink) -> Self {
+        NapiChainLink {
+            issuer: link.issuer,
+            subject: link.subject,
+            valid: link.valid,
+            error: link.error,
+        }
+    }
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiVerificationReport {
+    pub status: NapiVerificationStatus,
+    pub chain: Vec<NapiChainLink>,
+    pub warnings: Vec<String>,
+}
+
+impl NapiVerificationReport {
+    pub fn is_valid(&self) -> bool {
+        self.status.is_valid()
+    }
+}
+
+impl From<RustVerificationReport> for NapiVerificationReport {
+    fn from(report: RustVerificationReport) -> Self {
+        NapiVerificationReport {
+            status: report.status.into(),
+            chain: report.chain.into_iter().map(|l| l.into()).collect(),
+            warnings: report.warnings,
+        }
+    }
+}
+
+// Identity types
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiIdentityResult {
+    pub did: String,
+    pub key_alias: String,
+    pub public_key_hex: String,
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiAgentIdentityBundle {
+    pub agent_did: String,
+    pub key_alias: String,
+    pub attestation_json: String,
+    pub public_key_hex: String,
+    pub repo_path: Option<String>,
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiDelegatedAgentBundle {
+    pub agent_did: String,
+    pub key_alias: String,
+    pub attestation_json: String,
+    pub public_key_hex: String,
+    pub repo_path: Option<String>,
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiRotationResult {
+    pub controller_did: String,
+    pub new_key_fingerprint: String,
+    pub previous_key_fingerprint: String,
+    pub sequence: i64,
+}
+
+// Device types
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiLinkResult {
+    pub device_did: String,
+    pub attestation_id: String,
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiExtensionResult {
+    pub device_did: String,
+    pub new_expires_at: String,
+    pub previous_expires_at: Option<String>,
+}
+
+// Signing types
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiCommitSignResult {
+    pub signature: String,
+    pub signer_did: String,
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiActionEnvelope {
+    pub envelope_json: String,
+    pub signature_hex: String,
+    pub signer_did: String,
+}