@blink-authority-com/claude-code-plugin 1.0.0

package/dist/templates/audit-trail.js

@@ -0,0 +1,396 @@
+/**
+ * Audit trail scaffold template.
+ * Generates a hash-chained audit log with BLINK signatures.
+ */
+export function generateAuditTrail(name, features) {
+    const files = {};
+    // --- package.json ---
+    files['package.json'] = JSON.stringify({
+        name,
+        version: '0.1.0',
+        description: `${name} — Hash-chained audit trail with BLINK Authority signatures`,
+        type: 'module',
+        scripts: {
+            build: 'tsc',
+            start: 'node dist/server.js',
+            dev: 'tsx src/server.ts',
+        },
+        dependencies: {
+            '@blink-technology/sdk': '^0.14.0',
+            express: '^4.21.0',
+            dotenv: '^16.4.0',
+        },
+        devDependencies: {
+            '@types/express': '^4.17.21',
+            '@types/node': '^22.15.2',
+            typescript: '^5.8.3',
+            tsx: '^4.19.0',
+        },
+    }, null, 2);
+    // --- tsconfig.json ---
+    files['tsconfig.json'] = JSON.stringify({
+        compilerOptions: {
+            target: 'ES2022',
+            module: 'Node16',
+            moduleResolution: 'Node16',
+            outDir: 'dist',
+            rootDir: 'src',
+            strict: true,
+            esModuleInterop: true,
+            skipLibCheck: true,
+            forceConsistentCasingInFileNames: true,
+            declaration: true,
+            sourceMap: true,
+        },
+        include: ['src/**/*'],
+        exclude: ['node_modules', 'dist'],
+    }, null, 2);
+    // --- .env.example ---
+    files['.env.example'] = `# BLINK Secure Engine connection
+BSEC_URL=http://localhost:9100
+BSEC_TOKEN=your-bsec-token-here
+SLOT_NAME=default
+
+# Server
+PORT=3000
+`;
+    // --- src/blink.ts ---
+    files['src/blink.ts'] = `/**
+ * BLINK Secure Engine connection management.
+ *
+ * BLINK Authority — https://blink-authority.com
+ */
+
+import { BlinkSigner, BlinkVerifier, AlgoSuiteId } from '@blink-technology/sdk';
+
+let signer: BlinkSigner;
+let vrfPublicKey: Uint8Array;
+
+export async function initBlink(bsecUrl: string, slotName: string): Promise<void> {
+  signer = await BlinkSigner.connect(bsecUrl, slotName, AlgoSuiteId.Ed25519);
+  vrfPublicKey = await signer.vrfPublicKey();
+  console.log(
+    \`[blink] Connected to BSEC at \${bsecUrl} \` +
+    \`(slot=\${slotName}, pk=\${Buffer.from(vrfPublicKey).toString('hex').slice(0, 16)}...)\`,
+  );
+}
+
+export function getSigner(): BlinkSigner { return signer; }
+export function getVrfPublicKey(): Uint8Array { return vrfPublicKey; }
+export function getVrfPublicKeyHex(): string { return Buffer.from(vrfPublicKey).toString('hex'); }
+
+export function createVerifier(): BlinkVerifier {
+  return new BlinkVerifier(vrfPublicKey, {
+    freshnessWindowMs: 10 * 365.25 * 24 * 60 * 60 * 1000, // 10 years
+    clockSkewToleranceMs: 60_000,
+  });
+}
+
+export async function shutdownBlink(): Promise<void> {
+  if (signer) {
+    await signer.close();
+    console.log('[blink] Disconnected from BLINK Secure Engine');
+  }
+}
+`;
+    // --- src/hash-chain.ts ---
+    files['src/hash-chain.ts'] = `/**
+ * Hash-chain utilities for the audit trail.
+ *
+ * Each audit entry includes a \`previousEntryHash\` field, creating a tamper-evident
+ * chain. The hash of each entry is computed from its BLINK envelope (not the payload),
+ * so tampering with any entry breaks the chain.
+ *
+ * Chain structure:
+ *   GENESIS -> Entry 1 -> Entry 2 -> ... -> Entry N
+ *   Each entry's previousEntryHash = SHA-256(previous entry's envelope)
+ */
+
+import { createHash } from 'node:crypto';
+
+/** The genesis hash — the previousEntryHash for the first entry in the chain. */
+export const GENESIS_HASH = '0'.repeat(64);
+
+/** Audit entry before signing (no envelope or signerPublicKey yet). */
+export interface UnsignedAuditEntry {
+  id: string;
+  sequenceNumber: number;
+  timestamp: string;
+  actor: string;
+  action: string;
+  resource: string;
+  detail?: string;
+  metadata?: Record<string, unknown>;
+  previousEntryHash: string;
+}
+
+/** Audit entry after signing. */
+export interface AuditEntry extends UnsignedAuditEntry {
+  envelope: string;
+  signerPublicKey: string;
+}
+
+/**
+ * Build the canonical JSON payload to sign.
+ * Excludes envelope and signerPublicKey (those are outputs of signing).
+ */
+export function buildSignPayload(entry: UnsignedAuditEntry): Uint8Array {
+  const canonical: Record<string, unknown> = {
+    id: entry.id,
+    sequenceNumber: entry.sequenceNumber,
+    timestamp: entry.timestamp,
+    actor: entry.actor,
+    action: entry.action,
+    resource: entry.resource,
+  };
+
+  if (entry.detail !== undefined) canonical['detail'] = entry.detail;
+  if (entry.metadata !== undefined) canonical['metadata'] = entry.metadata;
+  canonical['previousEntryHash'] = entry.previousEntryHash;
+
+  return new TextEncoder().encode(JSON.stringify(canonical));
+}
+
+/**
+ * Compute the chain link hash from a BLINK envelope.
+ * This hash becomes the previousEntryHash for the next entry.
+ */
+export function computeEnvelopeHash(envelopeBase64: string): string {
+  const envelopeBytes = Buffer.from(envelopeBase64, 'base64');
+  return createHash('sha256').update(envelopeBytes).digest('hex');
+}
+
+/** Format an audit entry ID from a sequence number. */
+export function formatEntryId(seq: number): string {
+  return \`AUD-\${seq.toString().padStart(8, '0')}\`;
+}
+`;
+    // --- src/audit-log.ts ---
+    files['src/audit-log.ts'] = `/**
+ * In-memory audit log with hash-chained BLINK signatures.
+ *
+ * Each new entry is:
+ * 1. Assigned a sequence number and linked to the previous entry's hash
+ * 2. Signed with BLINK (single-use credential via Temporal Key Assurance)
+ * 3. Stored in the chain
+ */
+
+import { getSigner, getVrfPublicKeyHex } from './blink.js';
+import {
+  GENESIS_HASH,
+  buildSignPayload,
+  computeEnvelopeHash,
+  formatEntryId,
+  type AuditEntry,
+  type UnsignedAuditEntry,
+} from './hash-chain.js';
+
+// In-memory storage (replace with a database in production)
+const entries: AuditEntry[] = [];
+
+/**
+ * Append a new entry to the audit trail.
+ * Automatically handles sequencing, hash-chaining, and BLINK signing.
+ */
+export async function appendEntry(input: {
+  actor: string;
+  action: string;
+  resource: string;
+  detail?: string;
+  metadata?: Record<string, unknown>;
+}): Promise<AuditEntry> {
+  const seq = entries.length + 1;
+  const lastEntry = entries.length > 0 ? entries[entries.length - 1] : undefined;
+
+  // Link to previous entry via hash chain
+  const previousEntryHash = lastEntry
+    ? computeEnvelopeHash(lastEntry.envelope)
+    : GENESIS_HASH;
+
+  const unsigned: UnsignedAuditEntry = {
+    id: formatEntryId(seq),
+    sequenceNumber: seq,
+    timestamp: new Date().toISOString(),
+    actor: input.actor,
+    action: input.action,
+    resource: input.resource,
+    detail: input.detail,
+    metadata: input.metadata,
+    previousEntryHash,
+  };
+
+  // Sign the entry with BLINK
+  const payload = buildSignPayload(unsigned);
+  const envelopeBytes = await getSigner().sign(payload);
+
+  const entry: AuditEntry = {
+    ...unsigned,
+    envelope: Buffer.from(envelopeBytes).toString('base64'),
+    signerPublicKey: getVrfPublicKeyHex(),
+  };
+
+  entries.push(entry);
+  return entry;
+}
+
+/** List entries with pagination and optional filters. */
+export function listEntries(opts: {
+  limit?: number;
+  offset?: number;
+  actor?: string;
+  action?: string;
+}): { entries: AuditEntry[]; total: number } {
+  let filtered = entries;
+  if (opts.actor) filtered = filtered.filter(e => e.actor === opts.actor);
+  if (opts.action) filtered = filtered.filter(e => e.action === opts.action);
+
+  const offset = opts.offset ?? 0;
+  const limit = opts.limit ?? 50;
+  return {
+    entries: filtered.slice(offset, offset + limit),
+    total: filtered.length,
+  };
+}
+
+/** Get a single entry by ID. */
+export function getEntryById(id: string): AuditEntry | undefined {
+  return entries.find(e => e.id === id);
+}
+
+/** Get the latest entry (tail of the chain). */
+export function getLatestEntry(): AuditEntry | undefined {
+  return entries.length > 0 ? entries[entries.length - 1] : undefined;
+}
+`;
+    // --- src/server.ts ---
+    files['src/server.ts'] = `/**
+ * ${name} — Hash-chained audit trail with BLINK Authority signatures.
+ *
+ * Every audit entry is signed with a single-use BLINK credential and
+ * linked to the previous entry via a hash chain, creating a tamper-evident log.
+ */
+
+import 'dotenv/config';
+import express from 'express';
+import { initBlink, shutdownBlink, getVrfPublicKeyHex } from './blink.js';
+import { appendEntry, listEntries, getEntryById } from './audit-log.js';
+
+async function main(): Promise<void> {
+  const bsecUrl = process.env['BSEC_URL'] ?? 'http://localhost:9100';
+  const slotName = process.env['SLOT_NAME'] ?? 'default';
+  const port = parseInt(process.env['PORT'] ?? '3000', 10);
+
+  await initBlink(bsecUrl, slotName);
+
+  const app = express();
+  app.use(express.json());
+
+  // POST /entries — Create a new audit entry
+  app.post('/entries', async (req, res, next) => {
+    try {
+      const { actor, action, resource, detail, metadata } = req.body;
+      if (!actor || !action || !resource) {
+        res.status(400).json({ error: 'Missing required fields: actor, action, resource' });
+        return;
+      }
+      const entry = await appendEntry({ actor, action, resource, detail, metadata });
+      res.status(201).json(entry);
+    } catch (err) {
+      next(err);
+    }
+  });
+
+  // GET /entries — List entries with optional filters
+  app.get('/entries', (req, res) => {
+    const limit = parseInt(req.query['limit'] as string, 10) || 50;
+    const offset = parseInt(req.query['offset'] as string, 10) || 0;
+    const actor = req.query['actor'] as string | undefined;
+    const action = req.query['action'] as string | undefined;
+    const result = listEntries({ limit, offset, actor, action });
+    res.json({ ...result, limit, offset });
+  });
+
+  // GET /entries/:id — Get a single entry
+  app.get('/entries/:id', (req, res) => {
+    const entry = getEntryById(req.params['id']!);
+    if (!entry) {
+      res.status(404).json({ error: 'Entry not found' });
+      return;
+    }
+    res.json(entry);
+  });
+
+  // GET /health
+  app.get('/health', (_req, res) => {
+    res.json({
+      status: 'ok',
+      service: '${name}',
+      signerPublicKey: getVrfPublicKeyHex(),
+      timestamp: new Date().toISOString(),
+    });
+  });
+
+  const server = app.listen(port, () => {
+    console.log(\`[server] ${name} listening on port \${port}\`);
+  });
+
+  // Graceful shutdown
+  const shutdown = async (signal: string) => {
+    console.log(\`[server] Received \${signal}, shutting down...\`);
+    server.close();
+    await shutdownBlink();
+    process.exit(0);
+  };
+
+  process.on('SIGINT', () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
+}
+
+main().catch((err) => {
+  console.error('[server] Fatal error:', err);
+  process.exit(1);
+});
+`;
+    // --- README.md ---
+    files['README.md'] = `# ${name}
+
+Hash-chained audit trail with **BLINK Authority** signatures. Every audit entry is
+cryptographically signed and linked to the previous entry, creating a tamper-evident log.
+
+## Quick Start
+
+\`\`\`bash
+npm install
+cp .env.example .env
+npm run dev
+\`\`\`
+
+## API
+
+### POST /entries
+Create a new audit entry. Automatically signed and hash-chained.
+
+\`\`\`bash
+curl -X POST http://localhost:3000/entries \\
+  -H "Content-Type: application/json" \\
+  -d '{"actor":"alice","action":"approve","resource":"order-123"}'
+\`\`\`
+
+### GET /entries
+List entries with pagination. Supports \`?actor=\` and \`?action=\` filters.
+
+### GET /entries/:id
+Get a single entry by ID.
+
+## How the Hash Chain Works
+
+1. Each entry includes a \`previousEntryHash\` field
+2. The hash is computed from the previous entry's BLINK envelope
+3. The first entry links to a well-known genesis hash
+4. Tampering with any entry breaks the chain from that point forward
+
+Built with [BLINK Authority](https://blink-authority.com).
+`;
+    return files;
+}
+//# sourceMappingURL=audit-trail.js.map

package/dist/templates/audit-trail.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-trail.js","sourceRoot":"","sources":["../../src/templates/audit-trail.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,QAAkB;IAElB,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CACpC;QACE,IAAI;QACJ,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,GAAG,IAAI,6DAA6D;QACjF,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE;YACP,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,qBAAqB;YAC5B,GAAG,EAAE,mBAAmB;SACzB;QACD,YAAY,EAAE;YACZ,uBAAuB,EAAE,SAAS;YAClC,OAAO,EAAE,SAAS;YAClB,MAAM,EAAE,SAAS;SAClB;QACD,eAAe,EAAE;YACf,gBAAgB,EAAE,UAAU;YAC5B,aAAa,EAAE,UAAU;YACzB,UAAU,EAAE,QAAQ;YACpB,GAAG,EAAE,SAAS;SACf;KACF,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IAEF,wBAAwB;IACxB,KAAK,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,SAAS,CACrC;QACE,eAAe,EAAE;YACf,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,IAAI;YACZ,eAAe,EAAE,IAAI;YACrB,YAAY,EAAE,IAAI;YAClB,gCAAgC,EAAE,IAAI;YACtC,WAAW,EAAE,IAAI;YACjB,SAAS,EAAE,IAAI;SAChB;QACD,OAAO,EAAE,CAAC,UAAU,CAAC;QACrB,OAAO,EAAE,CAAC,cAAc,EAAE,MAAM,CAAC;KAClC,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IAEF,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG;;;;;;;CAOzB,CAAC;IAEA,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCzB,CAAC;IAEA,4BAA4B;IAC5B,KAAK,CAAC,mBAAmB,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsE9B,CAAC;IAEA,2BAA2B;IAC3B,KAAK,CAAC,kBAAkB,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+F7B,CAAC;IAEA,wBAAwB;IACxB,KAAK,CAAC,eAAe,CAAC,GAAG;KACtB,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA4DS,IAAI;;;;;;;6BAOO,IAAI;;;;;;;;;;;;;;;;;;;CAmBhC,CAAC;IAEA,oBAAoB;IACpB,KAAK,CAAC,WAAW,CAAC,GAAG,KAAK,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsC/B,CAAC;IAEA,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/templates/cli-tool.d.ts

@@ -0,0 +1,6 @@
+/**
+ * CLI tool scaffold template.
+ * Generates a Commander.js CLI with sign/verify/inspect commands.
+ */
+export declare function generateCliTool(name: string, features: string[]): Record<string, string>;
+//# sourceMappingURL=cli-tool.d.ts.map

package/dist/templates/cli-tool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-tool.d.ts","sourceRoot":"","sources":["../../src/templates/cli-tool.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAsWxB"}