@blink-authority-com/claude-code-plugin 1.0.0

package/dist/templates/cli-tool.js

@@ -0,0 +1,346 @@
+/**
+ * CLI tool scaffold template.
+ * Generates a Commander.js CLI with sign/verify/inspect commands.
+ */
+export function generateCliTool(name, features) {
+    const hasMultiAlgo = features.includes('multi-algorithm') || features.includes('post-quantum');
+    const files = {};
+    // --- package.json ---
+    files['package.json'] = JSON.stringify({
+        name,
+        version: '0.1.0',
+        description: `${name} — CLI tool with BLINK Authority signing`,
+        type: 'module',
+        bin: { [name]: 'dist/cli.js' },
+        scripts: {
+            build: 'tsc',
+            start: 'node dist/cli.js',
+            dev: 'tsx src/cli.ts',
+        },
+        dependencies: {
+            '@blink-technology/sdk': '^0.14.0',
+            commander: '^12.1.0',
+            dotenv: '^16.4.0',
+        },
+        devDependencies: {
+            '@types/node': '^22.15.2',
+            typescript: '^5.8.3',
+            tsx: '^4.19.0',
+        },
+    }, null, 2);
+    // --- tsconfig.json ---
+    files['tsconfig.json'] = JSON.stringify({
+        compilerOptions: {
+            target: 'ES2022',
+            module: 'Node16',
+            moduleResolution: 'Node16',
+            outDir: 'dist',
+            rootDir: 'src',
+            strict: true,
+            esModuleInterop: true,
+            skipLibCheck: true,
+            forceConsistentCasingInFileNames: true,
+            declaration: true,
+            sourceMap: true,
+        },
+        include: ['src/**/*'],
+        exclude: ['node_modules', 'dist'],
+    }, null, 2);
+    // --- src/blink.ts ---
+    files['src/blink.ts'] = `/**
+ * BLINK Secure Engine connection management for CLI usage.
+ *
+ * BLINK Authority — https://blink-authority.com
+ */
+
+import { BlinkSigner, BlinkVerifier, AlgoSuiteId } from '@blink-technology/sdk';
+
+${hasMultiAlgo ? `const ALGO_MAP: Record<string, AlgoSuiteId> = {
+  standard: AlgoSuiteId.Ed25519,
+  'post-quantum': AlgoSuiteId.MlDsa44,
+};
+
+` : ''}/**
+ * Create a signer connected to BSEC.
+ */
+export async function createSigner(
+  bsecUrl: string,
+  slotName: string,${hasMultiAlgo ? `\n  algorithm?: string,` : ''}
+): Promise<BlinkSigner> {
+${hasMultiAlgo
+        ? `  const algoSuiteId = ALGO_MAP[algorithm ?? 'standard'] ?? AlgoSuiteId.Ed25519;
+  return BlinkSigner.connect(bsecUrl, slotName, algoSuiteId);`
+        : `  return BlinkSigner.connect(bsecUrl, slotName, AlgoSuiteId.Ed25519);`}
+}
+
+/**
+ * Create a verifier from a hex-encoded public key.
+ */
+export function createVerifier(publicKeyHex: string): BlinkVerifier {
+  const keyBytes = Buffer.from(publicKeyHex, 'hex');
+  return new BlinkVerifier(new Uint8Array(keyBytes), {
+    freshnessWindowMs: 10 * 365.25 * 24 * 60 * 60 * 1000, // 10 years
+    clockSkewToleranceMs: 60_000,
+  });
+}
+`;
+    // --- src/cli.ts ---
+    files['src/cli.ts'] = `#!/usr/bin/env node
+
+/**
+ * ${name} — CLI tool with BLINK Authority signing.
+ *
+ * Commands:
+ *   sign    — Sign a file or stdin
+ *   verify  — Verify a BLINK envelope
+ *   inspect — Decode and display envelope contents
+ */
+
+import 'dotenv/config';
+import { Command } from 'commander';
+import { signCommand } from './commands/sign.js';
+import { verifyCommand } from './commands/verify.js';
+import { inspectCommand } from './commands/inspect.js';
+
+const program = new Command();
+
+program
+  .name('${name}')
+  .description('CLI tool with BLINK Authority signing')
+  .version('0.1.0');
+
+// --- sign ---
+program
+  .command('sign')
+  .description('Sign a file or stdin with BLINK')
+  .requiredOption('-f, --file <path>', 'File to sign (use - for stdin)')
+  .option('--bsec-url <url>', 'BSEC endpoint', process.env['BSEC_URL'] ?? 'http://localhost:9100')
+  .option('--slot <name>', 'BSEC slot name', process.env['SLOT_NAME'] ?? 'default')
+  .option('-o, --output <path>', 'Output path for signed envelope (default: <file>.blink)')
+  .action(async (opts) => {
+    try {
+      await signCommand({
+        file: opts.file,
+        bsecUrl: opts.bsecUrl,
+        slot: opts.slot,
+        output: opts.output,
+      });
+    } catch (err) {
+      console.error('Error:', err instanceof Error ? err.message : err);
+      process.exit(1);
+    }
+  });
+
+// --- verify ---
+program
+  .command('verify')
+  .description('Verify a BLINK-signed envelope')
+  .requiredOption('-f, --file <path>', 'Original file')
+  .requiredOption('-e, --envelope <path>', 'Envelope file (.blink)')
+  .requiredOption('-k, --public-key <hex>', 'VRF public key (hex)')
+  .action(async (opts) => {
+    try {
+      await verifyCommand({
+        file: opts.file,
+        envelope: opts.envelope,
+        publicKey: opts.publicKey,
+      });
+    } catch (err) {
+      console.error('Error:', err instanceof Error ? err.message : err);
+      process.exit(1);
+    }
+  });
+
+// --- inspect ---
+program
+  .command('inspect')
+  .description('Decode and display a BLINK envelope')
+  .requiredOption('-e, --envelope <path>', 'Envelope file (.blink)')
+  .action(async (opts) => {
+    try {
+      await inspectCommand({ envelope: opts.envelope });
+    } catch (err) {
+      console.error('Error:', err instanceof Error ? err.message : err);
+      process.exit(1);
+    }
+  });
+
+program.parse();
+`;
+    // --- src/commands/sign.ts ---
+    files['src/commands/sign.ts'] = `/**
+ * Sign command — reads a file, signs it with BLINK, outputs the envelope.
+ */
+
+import { readFile, writeFile } from 'node:fs/promises';
+import { createSigner } from '../blink.js';
+
+interface SignOptions {
+  file: string;
+  bsecUrl: string;
+  slot: string;
+  output?: string;
+}
+
+export async function signCommand(opts: SignOptions): Promise<void> {
+  // Read the input file (or stdin)
+  let data: Buffer;
+  if (opts.file === '-') {
+    const chunks: Buffer[] = [];
+    for await (const chunk of process.stdin) {
+      chunks.push(chunk as Buffer);
+    }
+    data = Buffer.concat(chunks);
+  } else {
+    data = await readFile(opts.file);
+  }
+
+  console.error(\`[sign] Read \${data.length} bytes from \${opts.file}\`);
+
+  // Connect to BSEC and sign
+  const signer = await createSigner(opts.bsecUrl, opts.slot);
+  const vrfPublicKey = await signer.vrfPublicKey();
+
+  console.error(\`[sign] Signer public key: \${Buffer.from(vrfPublicKey).toString('hex').slice(0, 16)}...\`);
+
+  const envelopeBytes = await signer.sign(new Uint8Array(data));
+  const envelopeBase64 = Buffer.from(envelopeBytes).toString('base64');
+
+  // Write envelope
+  const outputPath = opts.output ?? (opts.file === '-' ? 'stdin.blink' : \`\${opts.file}.blink\`);
+
+  const result = {
+    envelope: envelopeBase64,
+    signerPublicKey: Buffer.from(vrfPublicKey).toString('hex'),
+    sourceFile: opts.file === '-' ? '(stdin)' : opts.file,
+    sourceSize: data.length,
+    signedAt: new Date().toISOString(),
+  };
+
+  await writeFile(outputPath, JSON.stringify(result, null, 2));
+  console.log(\`Signed envelope written to \${outputPath}\`);
+  console.log(\`Public key: \${result.signerPublicKey}\`);
+
+  // Clean up
+  await signer.close();
+}
+`;
+    // --- src/commands/verify.ts ---
+    files['src/commands/verify.ts'] = `/**
+ * Verify command — verify a BLINK-signed envelope against the original file.
+ */
+
+import { readFile } from 'node:fs/promises';
+import { createVerifier } from '../blink.js';
+
+interface VerifyOptions {
+  file: string;
+  envelope: string;
+  publicKey: string;
+}
+
+export async function verifyCommand(opts: VerifyOptions): Promise<void> {
+  // Read original file and envelope
+  const fileData = await readFile(opts.file);
+  const envelopeJson = JSON.parse(await readFile(opts.envelope, 'utf-8'));
+  const envelopeBytes = new Uint8Array(Buffer.from(envelopeJson.envelope, 'base64'));
+
+  console.error(\`[verify] File: \${opts.file} (\${fileData.length} bytes)\`);
+  console.error(\`[verify] Envelope: \${opts.envelope}\`);
+
+  // Verify the envelope
+  const verifier = createVerifier(opts.publicKey);
+  const result = verifier.verify(envelopeBytes);
+
+  if (result.valid) {
+    console.log('VALID: Signature verification passed');
+    console.log(\`  Algorithm: \${result.algorithm ?? 'unknown'}\`);
+    console.log(\`  Signed at: \${result.timestamp ?? 'unknown'}\`);
+    process.exit(0);
+  } else {
+    console.error('INVALID: Signature verification failed');
+    console.error(\`  Reason: \${result.reason ?? 'unknown'}\`);
+    process.exit(1);
+  }
+}
+`;
+    // --- src/commands/inspect.ts ---
+    files['src/commands/inspect.ts'] = `/**
+ * Inspect command — decode and display the contents of a BLINK envelope.
+ */
+
+import { readFile } from 'node:fs/promises';
+
+interface InspectOptions {
+  envelope: string;
+}
+
+export async function inspectCommand(opts: InspectOptions): Promise<void> {
+  const envelopeJson = JSON.parse(await readFile(opts.envelope, 'utf-8'));
+
+  console.log('BLINK Envelope Details');
+  console.log('='.repeat(50));
+  console.log(\`Source file:      \${envelopeJson.sourceFile ?? '(unknown)'}\`);
+  console.log(\`Source size:      \${envelopeJson.sourceSize ?? '(unknown)'} bytes\`);
+  console.log(\`Signed at:        \${envelopeJson.signedAt ?? '(unknown)'}\`);
+  console.log(\`Signer public key: \${envelopeJson.signerPublicKey ?? '(unknown)'}\`);
+
+  // Decode the base64 envelope to show raw size
+  if (envelopeJson.envelope) {
+    const envelopeBytes = Buffer.from(envelopeJson.envelope, 'base64');
+    console.log(\`Envelope size:    \${envelopeBytes.length} bytes\`);
+
+    // Try to parse the envelope structure (BLINK envelope binary format)
+    // Version byte + algorithm byte + fields
+    if (envelopeBytes.length >= 2) {
+      console.log(\`Envelope version: \${envelopeBytes[0]}\`);
+      const algoId = envelopeBytes[1];
+      const algoName = algoId === 1 ? 'Ed25519' : algoId === 2 ? 'ML-DSA-44' : \`unknown (\${algoId})\`;
+      console.log(\`Algorithm:        \${algoName}\`);
+    }
+  }
+}
+`;
+    // --- README.md ---
+    files['README.md'] = `# ${name}
+
+CLI tool with **BLINK Authority** signing. Sign files, verify envelopes, and inspect
+signature metadata from the command line.
+
+## Quick Start
+
+\`\`\`bash
+npm install
+npm run build
+npm link  # optional: install globally
+
+# Sign a file
+${name} sign -f document.pdf --bsec-url http://localhost:9100
+
+# Verify a signature
+${name} verify -f document.pdf -e document.pdf.blink -k <public-key-hex>
+
+# Inspect an envelope
+${name} inspect -e document.pdf.blink
+\`\`\`
+
+## Environment Variables
+
+Set these in \`.env\` or as environment variables:
+
+- \`BSEC_URL\` — BLINK Secure Engine endpoint (default: http://localhost:9100)
+- \`SLOT_NAME\` — BSEC signing slot (default: "default")
+
+## Project Structure
+
+- \`src/blink.ts\` — BSEC connection helpers
+- \`src/cli.ts\` — Commander.js entry point
+- \`src/commands/sign.ts\` — Sign a file
+- \`src/commands/verify.ts\` — Verify an envelope
+- \`src/commands/inspect.ts\` — Inspect envelope contents
+
+Built with [BLINK Authority](https://blink-authority.com).
+`;
+    return files;
+}
+//# sourceMappingURL=cli-tool.js.map

package/dist/templates/cli-tool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-tool.js","sourceRoot":"","sources":["../../src/templates/cli-tool.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,UAAU,eAAe,CAC7B,IAAY,EACZ,QAAkB;IAElB,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAE/F,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CACpC;QACE,IAAI;QACJ,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,GAAG,IAAI,0CAA0C;QAC9D,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,aAAa,EAAE;QAC9B,OAAO,EAAE;YACP,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,kBAAkB;YACzB,GAAG,EAAE,gBAAgB;SACtB;QACD,YAAY,EAAE;YACZ,uBAAuB,EAAE,SAAS;YAClC,SAAS,EAAE,SAAS;YACpB,MAAM,EAAE,SAAS;SAClB;QACD,eAAe,EAAE;YACf,aAAa,EAAE,UAAU;YACzB,UAAU,EAAE,QAAQ;YACpB,GAAG,EAAE,SAAS;SACf;KACF,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IAEF,wBAAwB;IACxB,KAAK,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,SAAS,CACrC;QACE,eAAe,EAAE;YACf,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,IAAI;YACZ,eAAe,EAAE,IAAI;YACrB,YAAY,EAAE,IAAI;YAClB,gCAAgC,EAAE,IAAI;YACtC,WAAW,EAAE,IAAI;YACjB,SAAS,EAAE,IAAI;SAChB;QACD,OAAO,EAAE,CAAC,UAAU,CAAC;QACrB,OAAO,EAAE,CAAC,cAAc,EAAE,MAAM,CAAC;KAClC,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IAEF,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG;;;;;;;;EAQxB,YAAY,CAAC,CAAC,CAAC;;;;;CAKhB,CAAC,CAAC,CAAC,EAAE;;;;;qBAKe,YAAY,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,EAAE;;EAEhE,YAAY;QACV,CAAC,CAAC;8DACwD;QAC1D,CAAC,CAAC,uEAAuE;;;;;;;;;;;;;CAa5E,CAAC;IAEA,qBAAqB;IACrB,KAAK,CAAC,YAAY,CAAC,GAAG;;;KAGnB,IAAI;;;;;;;;;;;;;;;;;WAiBE,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6Dd,CAAC;IAEA,+BAA+B;IAC/B,KAAK,CAAC,sBAAsB,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwDjC,CAAC;IAEA,iCAAiC;IACjC,KAAK,CAAC,wBAAwB,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCnC,CAAC;IAEA,kCAAkC;IAClC,KAAK,CAAC,yBAAyB,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmCpC,CAAC;IAEA,oBAAoB;IACpB,KAAK,CAAC,WAAW,CAAC,GAAG,KAAK,IAAI;;;;;;;;;;;;;EAa9B,IAAI;;;EAGJ,IAAI;;;EAGJ,IAAI;;;;;;;;;;;;;;;;;;;CAmBL,CAAC;IAEA,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/templates/express-api.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Express API scaffold template.
+ * Generates a complete Express app with BLINK signing middleware.
+ */
+export declare function generateExpressApi(name: string, features: string[]): Record<string, string>;
+//# sourceMappingURL=express-api.d.ts.map

package/dist/templates/express-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express-api.d.ts","sourceRoot":"","sources":["../../src/templates/express-api.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAsUxB"}

package/dist/templates/express-api.js

@@ -0,0 +1,314 @@
+/**
+ * Express API scaffold template.
+ * Generates a complete Express app with BLINK signing middleware.
+ */
+export function generateExpressApi(name, features) {
+    const hasHealthCheck = features.includes('health-check');
+    const hasGracefulShutdown = features.includes('graceful-shutdown');
+    const hasMultiAlgo = features.includes('multi-algorithm') || features.includes('post-quantum');
+    const files = {};
+    // --- package.json ---
+    files['package.json'] = JSON.stringify({
+        name,
+        version: '0.1.0',
+        description: `${name} — Express API with BLINK Authority signing`,
+        type: 'module',
+        scripts: {
+            build: 'tsc',
+            start: 'node dist/server.js',
+            dev: 'tsx src/server.ts',
+        },
+        dependencies: {
+            '@blink-technology/sdk': '^0.14.0',
+            express: '^4.21.0',
+            dotenv: '^16.4.0',
+        },
+        devDependencies: {
+            '@types/express': '^4.17.21',
+            '@types/node': '^22.15.2',
+            typescript: '^5.8.3',
+            tsx: '^4.19.0',
+        },
+    }, null, 2);
+    // --- tsconfig.json ---
+    files['tsconfig.json'] = JSON.stringify({
+        compilerOptions: {
+            target: 'ES2022',
+            module: 'Node16',
+            moduleResolution: 'Node16',
+            outDir: 'dist',
+            rootDir: 'src',
+            strict: true,
+            esModuleInterop: true,
+            skipLibCheck: true,
+            forceConsistentCasingInFileNames: true,
+            declaration: true,
+            sourceMap: true,
+        },
+        include: ['src/**/*'],
+        exclude: ['node_modules', 'dist'],
+    }, null, 2);
+    // --- .env.example ---
+    files['.env.example'] = `# BLINK Secure Engine connection
+BSEC_URL=http://localhost:9100
+BSEC_TOKEN=your-bsec-token-here
+SLOT_NAME=default
+
+# Server
+PORT=3000
+`;
+    // --- src/blink.ts ---
+    files['src/blink.ts'] = `/**
+ * BLINK Secure Engine connection management.
+ * Handles signer lifecycle: connect, sign, graceful shutdown.
+ *
+ * BLINK Authority — https://blink-authority.com
+ */
+
+import { BlinkSigner, BlinkVerifier, AlgoSuiteId } from '@blink-technology/sdk';
+
+let signer: BlinkSigner;
+let vrfPublicKey: Uint8Array;
+
+${hasMultiAlgo ? `const ALGO_MAP: Record<string, AlgoSuiteId> = {
+  ed25519: AlgoSuiteId.Ed25519,
+  'ml-dsa-44': AlgoSuiteId.MlDsa44,
+};
+` : ''}
+/**
+ * Connect to the BLINK Secure Engine.
+ * Must be called before any signing operations.
+ */
+export async function initBlink(
+  bsecUrl: string,
+  slotName: string,
+  token?: string,${hasMultiAlgo ? `\n  algorithm?: string,` : ''}
+): Promise<void> {
+${hasMultiAlgo
+        ? `  const algoSuiteId = ALGO_MAP[algorithm ?? 'ed25519'] ?? AlgoSuiteId.Ed25519;
+  signer = await BlinkSigner.connect(bsecUrl, slotName, algoSuiteId);`
+        : `  signer = await BlinkSigner.connect(bsecUrl, slotName, AlgoSuiteId.Ed25519);`}
+  vrfPublicKey = await signer.vrfPublicKey();
+
+  console.log(
+    \`[blink] Connected to BSEC at \${bsecUrl} \` +
+    \`(slot=\${slotName}, pk=\${Buffer.from(vrfPublicKey).toString('hex').slice(0, 16)}...)\`,
+  );
+}
+
+/** Get the active signer instance. */
+export function getSigner(): BlinkSigner {
+  return signer;
+}
+
+/** Get the VRF public key (cached at connect time). */
+export function getVrfPublicKey(): Uint8Array {
+  return vrfPublicKey;
+}
+
+/** Get the VRF public key as hex string. */
+export function getVrfPublicKeyHex(): string {
+  return Buffer.from(vrfPublicKey).toString('hex');
+}
+
+/** Create a verifier using the cached VRF public key. */
+export function createVerifier(): BlinkVerifier {
+  return new BlinkVerifier(vrfPublicKey, {
+    freshnessWindowMs: 365 * 24 * 60 * 60 * 1000, // 1 year
+    clockSkewToleranceMs: 60_000,
+  });
+}
+
+/** Gracefully close the BSEC connection. */
+export async function shutdownBlink(): Promise<void> {
+  if (signer) {
+    await signer.close();
+    console.log('[blink] Disconnected from BLINK Secure Engine');
+  }
+}
+`;
+    // --- src/middleware/signing.ts ---
+    files['src/middleware/signing.ts'] = `/**
+ * BLINK signing middleware.
+ * Intercepts JSON responses and adds a BLINK signature envelope.
+ *
+ * The signature is attached as HTTP headers:
+ *   X-BLINK-Signature: base64-encoded envelope
+ *   X-BLINK-PublicKey: hex-encoded VRF public key
+ *   X-BLINK-Signed: "true"
+ */
+
+import { Request, Response, NextFunction } from 'express';
+import { getSigner, getVrfPublicKeyHex } from '../blink.js';
+
+export function blinkSigningMiddleware() {
+  return (req: Request, res: Response, next: NextFunction) => {
+    const originalJson = res.json.bind(res);
+
+    // Override res.json to sign the response before sending
+    res.json = ((body: unknown) => {
+      signAndSend(res, originalJson, body).catch((err) => {
+        console.error('[blink] Signing failed, sending unsigned:', err);
+        res.setHeader('X-BLINK-Signed', 'false');
+        originalJson(body);
+      });
+      return res;
+    }) as typeof res.json;
+
+    next();
+  };
+}
+
+async function signAndSend(
+  res: Response,
+  originalJson: (body: unknown) => Response,
+  body: unknown,
+): Promise<void> {
+  // Canonical JSON for deterministic signatures
+  const bodyStr = JSON.stringify(body);
+  const payload = new TextEncoder().encode(bodyStr);
+
+  // Sign the payload via BLINK Secure Engine
+  const envelopeBytes = await getSigner().sign(payload);
+  const envelopeBase64 = Buffer.from(envelopeBytes).toString('base64');
+
+  // Attach signature metadata as HTTP headers
+  res.setHeader('X-BLINK-Signature', envelopeBase64);
+  res.setHeader('X-BLINK-PublicKey', getVrfPublicKeyHex());
+  res.setHeader('X-BLINK-Signed', 'true');
+
+  originalJson(body);
+}
+`;
+    // --- src/routes/health.ts ---
+    files['src/routes/health.ts'] = `/**
+ * Health check endpoint.
+ * Reports server status and BLINK connection info.
+ */
+
+import { Router } from 'express';
+import { getVrfPublicKeyHex } from '../blink.js';
+
+const router = Router();
+
+router.get('/health', (_req, res) => {
+  res.json({
+    status: 'ok',
+    service: '${name}',
+    signerPublicKey: getVrfPublicKeyHex(),
+    timestamp: new Date().toISOString(),
+  });
+});
+
+export default router;
+`;
+    // --- src/server.ts ---
+    files['src/server.ts'] = `/**
+ * ${name} — Express API with BLINK Authority signing.
+ *
+ * Every JSON response is signed with a single-use BLINK credential.
+ * The signing middleware attaches the signature as HTTP headers.
+ */
+
+import 'dotenv/config';
+import express from 'express';
+import { initBlink, shutdownBlink } from './blink.js';
+import { blinkSigningMiddleware } from './middleware/signing.js';
+import healthRouter from './routes/health.js';
+
+async function main(): Promise<void> {
+  const bsecUrl = process.env['BSEC_URL'] ?? 'http://localhost:9100';
+  const bsecToken = process.env['BSEC_TOKEN'];
+  const slotName = process.env['SLOT_NAME'] ?? 'default';
+  const port = parseInt(process.env['PORT'] ?? '3000', 10);
+
+  // Connect to BLINK Secure Engine
+  await initBlink(bsecUrl, slotName, bsecToken);
+
+  const app = express();
+  app.use(express.json());
+
+  // Sign all JSON responses with BLINK
+  app.use(blinkSigningMiddleware());
+
+  // Routes
+  app.use(healthRouter);
+
+  // Example API route — add your own routes here
+  app.get('/api/example', (_req, res) => {
+    res.json({ message: 'This response is BLINK-signed', timestamp: new Date().toISOString() });
+  });
+
+  const server = app.listen(port, () => {
+    console.log(\`[server] ${name} listening on port \${port}\`);
+  });
+
+  // Graceful shutdown — close BSEC connection on exit
+  const shutdown = async (signal: string) => {
+    console.log(\`[server] Received \${signal}, shutting down...\`);
+    server.close();
+    await shutdownBlink();
+    process.exit(0);
+  };
+
+  process.on('SIGINT', () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
+}
+
+main().catch((err) => {
+  console.error('[server] Fatal error:', err);
+  process.exit(1);
+});
+`;
+    // --- README.md ---
+    files['README.md'] = `# ${name}
+
+Express API with **BLINK Authority** signing. Every JSON response is cryptographically
+signed using the BLINK Signing Protocol via the BLINK Secure Engine (BSEC).
+
+## Quick Start
+
+\`\`\`bash
+npm install
+cp .env.example .env
+# Edit .env with your BSEC connection details
+npm run dev
+\`\`\`
+
+## How It Works
+
+1. The server connects to a BLINK Secure Engine at startup
+2. The signing middleware intercepts every \`res.json()\` call
+3. Each response is signed with a single-use credential (Temporal Key Assurance)
+4. The signature envelope is attached as HTTP headers:
+   - \`X-BLINK-Signature\`: base64-encoded BLINK envelope
+   - \`X-BLINK-PublicKey\`: hex-encoded VRF public key
+   - \`X-BLINK-Signed\`: "true" if signed successfully
+
+## Verifying Responses
+
+Clients can verify any response using the BLINK SDK:
+
+\`\`\`typescript
+import { BlinkVerifier } from '@blink-technology/sdk';
+
+const publicKey = new Uint8Array(Buffer.from(headers['x-blink-publickey'], 'hex'));
+const envelope = new Uint8Array(Buffer.from(headers['x-blink-signature'], 'base64'));
+
+const verifier = new BlinkVerifier(publicKey, { freshnessWindowMs: 60_000 });
+const result = verifier.verify(envelope);
+console.log('Valid:', result.valid);
+\`\`\`
+
+## Project Structure
+
+- \`src/blink.ts\` — BSEC connection management
+- \`src/server.ts\` — Express app entry point
+- \`src/middleware/signing.ts\` — BLINK signing middleware
+- \`src/routes/health.ts\` — Health check endpoint
+
+Built with [BLINK Authority](https://blink-authority.com).
+`;
+    return files;
+}
+//# sourceMappingURL=express-api.js.map

package/dist/templates/express-api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express-api.js","sourceRoot":"","sources":["../../src/templates/express-api.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,QAAkB;IAElB,MAAM,cAAc,GAAG,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IACzD,MAAM,mBAAmB,GAAG,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAE/F,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CACpC;QACE,IAAI;QACJ,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,GAAG,IAAI,6CAA6C;QACjE,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE;YACP,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,qBAAqB;YAC5B,GAAG,EAAE,mBAAmB;SACzB;QACD,YAAY,EAAE;YACZ,uBAAuB,EAAE,SAAS;YAClC,OAAO,EAAE,SAAS;YAClB,MAAM,EAAE,SAAS;SAClB;QACD,eAAe,EAAE;YACf,gBAAgB,EAAE,UAAU;YAC5B,aAAa,EAAE,UAAU;YACzB,UAAU,EAAE,QAAQ;YACpB,GAAG,EAAE,SAAS;SACf;KACF,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IAEF,wBAAwB;IACxB,KAAK,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,SAAS,CACrC;QACE,eAAe,EAAE;YACf,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,IAAI;YACZ,eAAe,EAAE,IAAI;YACrB,YAAY,EAAE,IAAI;YAClB,gCAAgC,EAAE,IAAI;YACtC,WAAW,EAAE,IAAI;YACjB,SAAS,EAAE,IAAI;SAChB;QACD,OAAO,EAAE,CAAC,UAAU,CAAC;QACrB,OAAO,EAAE,CAAC,cAAc,EAAE,MAAM,CAAC;KAClC,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IAEF,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG;;;;;;;CAOzB,CAAC;IAEA,uBAAuB;IACvB,KAAK,CAAC,cAAc,CAAC,GAAG;;;;;;;;;;;;EAYxB,YAAY,CAAC,CAAC,CAAC;;;;CAIhB,CAAC,CAAC,CAAC,EAAE;;;;;;;;mBAQa,YAAY,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,EAAE;;EAE9D,YAAY;QACV,CAAC,CAAC;sEACgE;QAClE,CAAC,CAAC,+EAA+E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuCpF,CAAC;IAEA,oCAAoC;IACpC,KAAK,CAAC,2BAA2B,CAAC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmDtC,CAAC;IAEA,+BAA+B;IAC/B,KAAK,CAAC,sBAAsB,CAAC,GAAG;;;;;;;;;;;;;gBAalB,IAAI;;;;;;;CAOnB,CAAC;IAEA,wBAAwB;IACxB,KAAK,CAAC,eAAe,CAAC,GAAG;KACtB,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAoCoB,IAAI;;;;;;;;;;;;;;;;;;;CAmBhC,CAAC;IAEA,oBAAoB;IACpB,KAAK,CAAC,WAAW,CAAC,GAAG,KAAK,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+C/B,CAAC;IAEA,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/templates/notary.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Document notary scaffold template.
+ * Generates a notarization service: upload, hash, sign, verify.
+ */
+export declare function generateNotary(name: string, features: string[]): Record<string, string>;
+//# sourceMappingURL=notary.d.ts.map

package/dist/templates/notary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"notary.d.ts","sourceRoot":"","sources":["../../src/templates/notary.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAoXxB"}