@awiki/cli 0.0.1-beta.2

package/internal/message/http_client.go

@@ -0,0 +1,334 @@
+package message
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/agentconnect/awiki-cli/internal/authsdk"
+	appconfig "github.com/agentconnect/awiki-cli/internal/config"
+)
+
+type Transport interface {
+	SendDirect(context.Context, SendRequest) (*directSendResult, error)
+	SendGroup(context.Context, SendRequest) (*groupSendResult, error)
+	GetInbox(context.Context, InboxRequest) (map[string]any, error)
+	GetHistory(context.Context, HistoryRequest) (map[string]any, error)
+	MarkRead(context.Context, MarkReadRequest) (map[string]any, error)
+	CreateGroup(context.Context, GroupCreateRequest) (map[string]any, error)
+	GetGroupInfo(context.Context, GroupInfoRequest) (map[string]any, error)
+	JoinGroup(context.Context, GroupJoinRequest) (map[string]any, error)
+	AddGroupMember(context.Context, GroupMemberRequest) (map[string]any, error)
+	RemoveGroupMember(context.Context, GroupMemberRequest) (map[string]any, error)
+	LeaveGroup(context.Context, GroupLeaveRequest) (map[string]any, error)
+	GetGroup(context.Context, GroupGetRequest) (map[string]any, error)
+	ListGroupMembers(context.Context, GroupMembersRequest) (map[string]any, error)
+	ListGroupMessages(context.Context, GroupMessagesRequest) (map[string]any, error)
+	UpdateGroupProfile(context.Context, GroupGetRequest, map[string]any) (map[string]any, error)
+	UpdateGroupPolicy(context.Context, GroupGetRequest, map[string]any) (map[string]any, error)
+}
+
+type ServiceError struct {
+	StatusCode int
+	RPCCode    int
+	Message    string
+	Data       any
+}
+
+func (e *ServiceError) Error() string {
+	if e == nil {
+		return ""
+	}
+	switch {
+	case e.RPCCode != 0:
+		return fmt.Sprintf("message service rpc error %d: %s", e.RPCCode, e.Message)
+	case e.StatusCode != 0:
+		return fmt.Sprintf("message service http error %d: %s", e.StatusCode, e.Message)
+	default:
+		return e.Message
+	}
+}
+
+type rpcResponse struct {
+	Result json.RawMessage `json:"result"`
+	Error  *struct {
+		Code    int    `json:"code"`
+		Message string `json:"message"`
+		Data    any    `json:"data,omitempty"`
+	} `json:"error,omitempty"`
+}
+
+type HTTPTransport struct {
+	resolved       *appconfig.Resolved
+	auth           *authContext
+	httpClient     *http.Client
+	baseMessageURL string
+}
+
+func NewHTTPTransport(resolved *appconfig.Resolved, auth *authContext, httpClient *http.Client) *HTTPTransport {
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+	return &HTTPTransport{
+		resolved:       resolved,
+		auth:           auth,
+		httpClient:     httpClient,
+		baseMessageURL: strings.TrimRight(resolved.MessageServiceURL, "/"),
+	}
+}
+
+func (t *HTTPTransport) SendDirect(ctx context.Context, request SendRequest) (*directSendResult, error) {
+	payload, err := buildDirectTextPayload(t.auth.record.DID, request.Target, request.Text, contentTypeForMessageType(request.MessageType))
+	if err != nil {
+		return nil, err
+	}
+	senderProof, err := buildSenderProof(t.auth, payload, request.Target)
+	if err != nil {
+		return nil, err
+	}
+	params := map[string]any{
+		"meta": payload.Meta,
+		"auth": map[string]any{
+			"scheme":       OriginProofScheme,
+			"sender_proof": senderProof,
+		},
+		"body": payload.Body,
+	}
+	var result directSendResult
+	if err := t.rpcCall(ctx, payload.Method, params, &result); err != nil {
+		return nil, err
+	}
+	if result.MessageID == "" {
+		result.MessageID = stringFromAny(payload.Meta["message_id"])
+	}
+	if result.OperationID == "" {
+		result.OperationID = stringFromAny(payload.Meta["operation_id"])
+	}
+	if result.TargetDID == "" {
+		result.TargetDID = request.Target
+	}
+	return &result, nil
+}
+
+func (t *HTTPTransport) SendGroup(ctx context.Context, request SendRequest) (*groupSendResult, error) {
+	params, err := BuildGroupSendRPCParams(t.auth.record, nil, request.Group, request.Text, request.MessageType)
+	if err != nil {
+		return nil, err
+	}
+	var result groupSendResult
+	if err := t.rpcCall(ctx, "group.send", params, &result); err != nil {
+		return nil, err
+	}
+	if result.GroupDID == "" {
+		result.GroupDID = request.Group
+	}
+	return &result, nil
+}
+
+func (t *HTTPTransport) GetInbox(ctx context.Context, request InboxRequest) (map[string]any, error) {
+	params := map[string]any{
+		"meta": map[string]any{
+			"anp_version":      "1.0",
+			"profile":          "anp.inbox.local.v1",
+			"security_profile": "transport-protected",
+			"sender_did":       t.auth.record.DID,
+			"operation_id":     "op-" + generateOperationID(),
+			"created_at":       nowRFC3339(),
+		},
+		"body": map[string]any{
+			"user_did": t.auth.record.DID,
+			"limit":    request.Limit,
+		},
+	}
+	return t.rpcMapCall(ctx, "inbox.get", params)
+}
+
+func (t *HTTPTransport) GetHistory(ctx context.Context, request HistoryRequest) (map[string]any, error) {
+	body := map[string]any{
+		"user_did": t.auth.record.DID,
+		"peer_did": request.With,
+		"limit":    request.Limit,
+	}
+	if strings.TrimSpace(request.Cursor) != "" {
+		body["since_seq"] = request.Cursor
+	}
+	params := map[string]any{
+		"meta": map[string]any{
+			"anp_version":      "1.0",
+			"profile":          "anp.direct.local.v1",
+			"security_profile": "transport-protected",
+			"sender_did":       t.auth.record.DID,
+			"operation_id":     "op-" + generateOperationID(),
+			"created_at":       nowRFC3339(),
+		},
+		"body": body,
+	}
+	return t.rpcMapCall(ctx, "direct.get_history", params)
+}
+
+func (t *HTTPTransport) MarkRead(ctx context.Context, request MarkReadRequest) (map[string]any, error) {
+	params := map[string]any{
+		"meta": map[string]any{
+			"anp_version":      "1.0",
+			"profile":          "anp.inbox.local.v1",
+			"security_profile": "transport-protected",
+			"sender_did":       t.auth.record.DID,
+			"operation_id":     "op-" + generateOperationID(),
+			"created_at":       nowRFC3339(),
+		},
+		"body": map[string]any{
+			"user_did":    t.auth.record.DID,
+			"message_ids": request.MessageIDs,
+		},
+	}
+	return t.rpcMapCall(ctx, "inbox.mark_read", params)
+}
+
+func (t *HTTPTransport) CreateGroup(ctx context.Context, request GroupCreateRequest) (map[string]any, error) {
+	serviceDID, err := t.GetMessageServiceDID(ctx)
+	if err != nil {
+		return nil, err
+	}
+	params, err := BuildGroupCreateRPCParams(t.auth.record, nil, serviceDID, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.create", params)
+}
+
+func (t *HTTPTransport) GetGroupInfo(ctx context.Context, request GroupInfoRequest) (map[string]any, error) {
+	params, err := BuildGroupGetInfoRPCParams(t.auth.record, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.get_info", params)
+}
+
+func (t *HTTPTransport) JoinGroup(ctx context.Context, request GroupJoinRequest) (map[string]any, error) {
+	params, err := BuildGroupJoinRPCParams(t.auth.record, nil, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.join", params)
+}
+
+func (t *HTTPTransport) AddGroupMember(ctx context.Context, request GroupMemberRequest) (map[string]any, error) {
+	params, err := BuildGroupAddRPCParams(t.auth.record, nil, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.add", params)
+}
+
+func (t *HTTPTransport) RemoveGroupMember(ctx context.Context, request GroupMemberRequest) (map[string]any, error) {
+	params, err := BuildGroupRemoveRPCParams(t.auth.record, nil, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.remove", params)
+}
+
+func (t *HTTPTransport) LeaveGroup(ctx context.Context, request GroupLeaveRequest) (map[string]any, error) {
+	params, err := BuildGroupLeaveRPCParams(t.auth.record, nil, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.leave", params)
+}
+
+func (t *HTTPTransport) GetGroup(ctx context.Context, request GroupGetRequest) (map[string]any, error) {
+	params, err := BuildGroupGetRPCParams(t.auth.record, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.get", params)
+}
+
+func (t *HTTPTransport) ListGroupMembers(ctx context.Context, request GroupMembersRequest) (map[string]any, error) {
+	params, err := BuildGroupMembersRPCParams(t.auth.record, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.list_members", params)
+}
+
+func (t *HTTPTransport) ListGroupMessages(ctx context.Context, request GroupMessagesRequest) (map[string]any, error) {
+	params, err := BuildGroupMessagesRPCParams(t.auth.record, request)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.list_messages", params)
+}
+
+func (t *HTTPTransport) UpdateGroupProfile(ctx context.Context, request GroupGetRequest, patch map[string]any) (map[string]any, error) {
+	params, err := BuildGroupUpdateProfileRPCParams(t.auth.record, nil, request.Group, patch)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.update_profile", params)
+}
+
+func (t *HTTPTransport) UpdateGroupPolicy(ctx context.Context, request GroupGetRequest, patch map[string]any) (map[string]any, error) {
+	params, err := BuildGroupUpdatePolicyRPCParams(t.auth.record, nil, request.Group, patch)
+	if err != nil {
+		return nil, err
+	}
+	return t.rpcMapCall(ctx, "group.update_policy", params)
+}
+
+func (t *HTTPTransport) GetMessageServiceDID(ctx context.Context) (string, error) {
+	result, err := t.rpcMapCall(ctx, "anp.get_capabilities", map[string]any{
+		"meta": map[string]any{
+			"anp_version":      "1.0",
+			"profile":          "anp.core.binding.v1",
+			"security_profile": "transport-protected",
+			"sender_did":       t.auth.record.DID,
+			"operation_id":     "op-" + generateOperationID(),
+			"created_at":       nowRFC3339(),
+		},
+		"body": map[string]any{},
+		"client": map[string]any{
+			"response_mode": "wait-final",
+		},
+	})
+	if err != nil {
+		return "", err
+	}
+	serviceDID := stringFromAny(result["service_did"])
+	if serviceDID == "" {
+		return "", fmt.Errorf("message service capabilities response is missing service_did")
+	}
+	return serviceDID, nil
+}
+
+func (t *HTTPTransport) rpcMapCall(ctx context.Context, method string, params map[string]any) (map[string]any, error) {
+	var result map[string]any
+	if err := t.rpcCall(ctx, method, params, &result); err != nil {
+		return nil, err
+	}
+	if result == nil {
+		return map[string]any{}, nil
+	}
+	return result, nil
+}
+
+func (t *HTTPTransport) rpcCall(ctx context.Context, method string, params map[string]any, out any) error {
+	requestURL := t.baseMessageURL + MessageRPCEndpoint
+	err := t.auth.session.DoJSONRPC(ctx, t.httpClient, requestURL, http.MethodPost, method, params, out)
+	if err == nil {
+		t.auth.record.JWTToken = t.auth.session.CurrentJWT()
+		return nil
+	}
+	var rpcErr *authsdk.RPCError
+	if errors.As(err, &rpcErr) {
+		return &ServiceError{RPCCode: rpcErr.Code, Message: rpcErr.Message, Data: rpcErr.Data}
+	}
+	var httpErr *authsdk.HTTPError
+	if errors.As(err, &httpErr) {
+		return &ServiceError{StatusCode: httpErr.StatusCode, Message: httpErr.Message}
+	}
+	return err
+}

package/internal/message/proof.go

@@ -0,0 +1,156 @@
+package message
+
+import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+	"math/big"
+	"strings"
+	"time"
+
+	"github.com/agentconnect/awiki-cli/internal/anpsdk"
+	secp256k1 "github.com/decred/dcrd/dcrec/secp256k1/v4"
+	"github.com/google/uuid"
+)
+
+type directPayload struct {
+	Method string         `json:"method"`
+	Meta   map[string]any `json:"meta"`
+	Body   map[string]any `json:"body"`
+}
+
+type signedPayload = directPayload
+
+const OriginProofScheme = "anp-rfc9421-origin-proof-v1"
+
+func buildDirectTextPayload(senderDID string, targetDID string, text string, contentType string) (directPayload, error) {
+	if senderDID == "" || targetDID == "" {
+		return directPayload{}, fmt.Errorf("sender and target did are required")
+	}
+	if text == "" {
+		return directPayload{}, ErrTextRequired
+	}
+	if contentType == "" {
+		contentType = "text/plain"
+	}
+	operationID := "op-" + uuid.NewString()
+	messageID := "msg-" + uuid.NewString()
+	meta := map[string]any{
+		"anp_version":      "1.0",
+		"profile":          "anp.direct.base.v1",
+		"security_profile": "transport-protected",
+		"sender_did":       senderDID,
+		"target": map[string]any{
+			"kind": "agent",
+			"did":  targetDID,
+		},
+		"operation_id": operationID,
+		"message_id":   messageID,
+		"created_at":   time.Now().UTC().Format(time.RFC3339),
+		"content_type": contentType,
+	}
+	body := map[string]any{"text": text}
+	return directPayload{Method: "direct.send", Meta: meta, Body: body}, nil
+}
+
+func buildSenderProof(auth *authContext, payload directPayload, targetDID string) (map[string]any, error) {
+	return buildActorProof(auth, signedPayload(payload), "anp://agent/"+strictPercentEncode(targetDID))
+}
+
+func buildActorProof(auth *authContext, payload signedPayload, logicalTargetURI string) (map[string]any, error) {
+	keyID := verificationMethodID(auth.record.DIDDocument)
+	if keyID == "" {
+		return nil, fmt.Errorf("identity %s is missing an authentication verification method", auth.record.IdentityName)
+	}
+	payloadMap := map[string]any{
+		"method": payload.Method,
+		"meta":   payload.Meta,
+		"body":   payload.Body,
+	}
+	canonicalPayload, err := canonicalJSON(payloadMap)
+	if err != nil {
+		return nil, fmt.Errorf("canonicalize direct payload: %w", err)
+	}
+	signatureInput, err := anpsdk.BuildIMSignatureInput(keyID, anpsdk.IMGenerationOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("build actor proof signatureInput: %w", err)
+	}
+	parsed, err := anpsdk.ParseIMSignatureInput(signatureInput)
+	if err != nil {
+		return nil, fmt.Errorf("parse actor proof signatureInput: %w", err)
+	}
+	contentDigest := anpsdk.BuildIMContentDigest(canonicalPayload)
+	signatureBase, err := buildBusinessSignatureBase(payload.Method, logicalTargetURI, contentDigest, parsed)
+	if err != nil {
+		return nil, err
+	}
+	signatureBytes, err := signBusinessProof(auth.privateKey, []byte(signatureBase))
+	if err != nil {
+		return nil, fmt.Errorf("sign actor proof: %w", err)
+	}
+	return map[string]any{
+		"contentDigest":  contentDigest,
+		"signatureInput": signatureInput,
+		"signature":      anpsdk.EncodeIMSignature(signatureBytes, parsed.Label),
+	}, nil
+}
+
+func strictPercentEncode(value string) string {
+	var builder strings.Builder
+	builder.Grow(len(value) * 3)
+	for i := 0; i < len(value); i++ {
+		ch := value[i]
+		if (ch >= 'A' && ch <= 'Z') ||
+			(ch >= 'a' && ch <= 'z') ||
+			(ch >= '0' && ch <= '9') ||
+			ch == '-' || ch == '.' || ch == '_' || ch == '~' {
+			builder.WriteByte(ch)
+			continue
+		}
+		builder.WriteString(fmt.Sprintf("%%%02X", ch))
+	}
+	return builder.String()
+}
+
+func signBusinessProof(privateKey anpsdk.PrivateKeyMaterial, message []byte) ([]byte, error) {
+	if privateKey.Type != anpsdk.KeyTypeSecp256k1 {
+		return nil, fmt.Errorf("unsupported business proof key type: %s", privateKey.Type)
+	}
+	secpPrivateKey := secp256k1.PrivKeyFromBytes(privateKey.Bytes)
+	ecdsaPrivateKey := secpPrivateKey.ToECDSA()
+	digest := sha256.Sum256(message)
+	r, s, err := ecdsa.Sign(rand.Reader, ecdsaPrivateKey, digest[:])
+	if err != nil {
+		return nil, err
+	}
+	curveOrder := secp256k1.S256().Params().N
+	halfOrder := new(big.Int).Rsh(new(big.Int).Set(curveOrder), 1)
+	if s.Cmp(halfOrder) > 0 {
+		s.Sub(curveOrder, s)
+	}
+	signature := make([]byte, 64)
+	copy(signature[32-len(r.Bytes()):32], r.Bytes())
+	copy(signature[64-len(s.Bytes()):], s.Bytes())
+	return signature, nil
+}
+
+func buildBusinessSignatureBase(method string, logicalTargetURI string, contentDigest string, parsed anpsdk.ParsedIMSignatureInput) (string, error) {
+	lines := make([]string, 0, len(parsed.Components)+1)
+	for _, component := range parsed.Components {
+		var value string
+		switch component {
+		case "@method":
+			value = method
+		case "@target-uri":
+			value = logicalTargetURI
+		case "content-digest":
+			value = contentDigest
+		default:
+			return "", fmt.Errorf("unsupported business proof component: %s", component)
+		}
+		lines = append(lines, fmt.Sprintf("\"%s\": %s", component, value))
+	}
+	lines = append(lines, fmt.Sprintf("\"@signature-params\": %s", parsed.SignatureParams))
+	return strings.Join(lines, "\n"), nil
+}

package/internal/message/proof_test.go

@@ -0,0 +1,61 @@
+package message
+
+import (
+	"testing"
+
+	"github.com/agentconnect/awiki-cli/internal/anpsdk"
+	"github.com/agentconnect/awiki-cli/internal/identity"
+)
+
+func TestBuildSenderProofRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	generated, err := identity.GenerateIdentity(identity.GenerateOptions{
+		Hostname:    "awiki.ai",
+		PathPrefix:  []string{"user"},
+		ProofDomain: "awiki.ai",
+	})
+	if err != nil {
+		t.Fatalf("GenerateIdentity() error = %v", err)
+	}
+	record := &identity.StoredIdentity{
+		IdentityName:   "default",
+		DID:            generated.DID,
+		DIDDocument:    generated.DIDDocument,
+		Key1PrivatePEM: generated.Key1PrivatePEM,
+	}
+	auth, err := newAuthContext(record, nil)
+	if err != nil {
+		t.Fatalf("newAuthContext() error = %v", err)
+	}
+	payload, err := buildDirectTextPayload(generated.DID, "did:wba:awiki.ai:user:bob", "hello", "text/plain")
+	if err != nil {
+		t.Fatalf("buildDirectTextPayload() error = %v", err)
+	}
+	proofMap, err := buildSenderProof(auth, payload, "did:wba:awiki.ai:user:bob")
+	if err != nil {
+		t.Fatalf("buildSenderProof() error = %v", err)
+	}
+	signatureInput, _ := proofMap["signatureInput"].(string)
+	parsed, err := anpsdk.ParseIMSignatureInput(signatureInput)
+	if err != nil {
+		t.Fatalf("ParseIMSignatureInput() error = %v", err)
+	}
+	payloadMap := map[string]any{"method": payload.Method, "meta": payload.Meta, "body": payload.Body}
+	canonicalPayload, err := canonicalJSON(payloadMap)
+	if err != nil {
+		t.Fatalf("canonicalJSON() error = %v", err)
+	}
+	signatureBase, err := buildBusinessSignatureBase(payload.Method, "anp://agent/"+strictPercentEncode("did:wba:awiki.ai:user:bob"), proofMap["contentDigest"].(string), parsed)
+	if err != nil {
+		t.Fatalf("buildBusinessSignatureBase() error = %v", err)
+	}
+	proof := anpsdk.IMProof{
+		ContentDigest:  proofMap["contentDigest"].(string),
+		SignatureInput: signatureInput,
+		Signature:      proofMap["signature"].(string),
+	}
+	if _, err := anpsdk.VerifyIMProofWithDocument(proof, canonicalPayload, []byte(signatureBase), generated.DIDDocument, generated.DID); err != nil {
+		t.Fatalf("VerifyIMProofWithDocument() error = %v", err)
+	}
+}