@bolyra/sdk 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +201 -0
- package/NOTICE +63 -0
- package/README.md +2 -2
- package/dist/delegation.d.ts +64 -16
- package/dist/delegation.d.ts.map +1 -1
- package/dist/delegation.js +200 -17
- package/dist/delegation.js.map +1 -1
- package/dist/errors.d.ts +12 -0
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +32 -1
- package/dist/errors.js.map +1 -1
- package/dist/handshake.d.ts +2 -0
- package/dist/handshake.d.ts.map +1 -1
- package/dist/handshake.js +55 -13
- package/dist/handshake.js.map +1 -1
- package/dist/identity.d.ts +24 -0
- package/dist/identity.d.ts.map +1 -1
- package/dist/identity.js +46 -0
- package/dist/identity.js.map +1 -1
- package/dist/index.d.ts +8 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +26 -3
- package/dist/index.js.map +1 -1
- package/dist/model-binding.d.ts +113 -0
- package/dist/model-binding.d.ts.map +1 -0
- package/dist/model-binding.js +195 -0
- package/dist/model-binding.js.map +1 -0
- package/dist/offchain.d.ts +89 -0
- package/dist/offchain.d.ts.map +1 -0
- package/dist/offchain.js +300 -0
- package/dist/offchain.js.map +1 -0
- package/dist/prover.d.ts +21 -0
- package/dist/prover.d.ts.map +1 -0
- package/dist/prover.js +171 -0
- package/dist/prover.js.map +1 -0
- package/dist/types.d.ts +29 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/utils.d.ts +4 -0
- package/dist/utils.d.ts.map +1 -1
- package/dist/utils.js +14 -0
- package/dist/utils.js.map +1 -1
- package/package.json +5 -3
- package/src/delegation.ts +268 -30
- package/src/errors.ts +46 -0
- package/src/handshake.ts +69 -20
- package/src/identity.ts +55 -1
- package/src/index.ts +29 -2
- package/src/offchain.ts +344 -0
- package/src/prover.ts +178 -0
- package/src/types.ts +32 -0
- package/src/utils.ts +23 -0
package/dist/errors.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,WAAY,SAAQ,KAAK;IAG3B,IAAI,EAAE,MAAM;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFxC,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAK3C;AAED,qBAAa,oBAAqB,SAAQ,WAAW;gBACvC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAO5C;AAED,qBAAa,iBAAkB,SAAQ,WAAW;gBACpC,MAAM,EAAE,MAAM;CAO3B;AAED,qBAAa,sBAAuB,SAAQ,WAAW;gBACzC,OAAO,EAAE,MAAM;CAG5B;AAED,qBAAa,sBAAuB,SAAQ,WAAW;gBACzC,eAAe,EAAE,MAAM;CAOpC;AAED,qBAAa,oBAAqB,SAAQ,WAAW;gBACvC,cAAc,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM;CAU3D;AAED,qBAAa,eAAgB,SAAQ,WAAW;gBAClC,QAAQ,EAAE,OAAO,GAAG,OAAO;CAOxC"}
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,WAAY,SAAQ,KAAK;IAG3B,IAAI,EAAE,MAAM;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFxC,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAK3C;AAED,qBAAa,oBAAqB,SAAQ,WAAW;gBACvC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAO5C;AAED,qBAAa,iBAAkB,SAAQ,WAAW;gBACpC,MAAM,EAAE,MAAM;CAO3B;AAED,qBAAa,sBAAuB,SAAQ,WAAW;gBACzC,OAAO,EAAE,MAAM;CAG5B;AAED,qBAAa,sBAAuB,SAAQ,WAAW;gBACzC,eAAe,EAAE,MAAM;CAOpC;AAED,qBAAa,oBAAqB,SAAQ,WAAW;gBACvC,cAAc,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM;CAU3D;AAED,qBAAa,eAAgB,SAAQ,WAAW;gBAClC,QAAQ,EAAE,OAAO,GAAG,OAAO;CAOxC;AAED,qBAAa,kBAAmB,SAAQ,WAAW;gBACrC,MAAM,EAAE,MAAM;CAO3B;AAED,qBAAa,4BAA6B,SAAQ,oBAAoB;gBACxD,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM;CAWzE;AAED,qBAAa,eAAgB,SAAQ,WAAW;gBAClC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAQ9D;AAED,qBAAa,kBAAmB,SAAQ,WAAW;gBACrC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAQ1C"}
|
package/dist/errors.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.StaleProofError = exports.ScopeEscalationError = exports.ExpiredCredentialError = exports.InvalidPermissionError = exports.VerificationError = exports.ProofGenerationError = exports.BolyraError = void 0;
|
|
3
|
+
exports.ConfigurationError = exports.MerkleTreeError = exports.CircuitArtifactNotFoundError = exports.InvalidSecretError = exports.StaleProofError = exports.ScopeEscalationError = exports.ExpiredCredentialError = exports.InvalidPermissionError = exports.VerificationError = exports.ProofGenerationError = exports.BolyraError = void 0;
|
|
4
4
|
class BolyraError extends Error {
|
|
5
5
|
code;
|
|
6
6
|
details;
|
|
@@ -51,4 +51,35 @@ class StaleProofError extends BolyraError {
|
|
|
51
51
|
}
|
|
52
52
|
}
|
|
53
53
|
exports.StaleProofError = StaleProofError;
|
|
54
|
+
class InvalidSecretError extends BolyraError {
|
|
55
|
+
constructor(reason) {
|
|
56
|
+
super(`Invalid secret: ${reason}. Provide a non-zero bigint less than the BN254 scalar field order (approx 2^254).`, 'INVALID_SECRET', { reason });
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
exports.InvalidSecretError = InvalidSecretError;
|
|
60
|
+
class CircuitArtifactNotFoundError extends ProofGenerationError {
|
|
61
|
+
constructor(artifactPath, artifactType) {
|
|
62
|
+
super(artifactType === 'vkey' ? 'verification' : 'proof generation', `Circuit artifact not found: ${artifactPath}. ` +
|
|
63
|
+
`Ensure the ${artifactType} file exists at this path. ` +
|
|
64
|
+
`If using a custom circuitDir, verify it contains the compiled circuit outputs. ` +
|
|
65
|
+
`Run the circuit build script or download trusted artifacts from the Bolyra release.`);
|
|
66
|
+
this.code = 'CIRCUIT_ARTIFACT_NOT_FOUND';
|
|
67
|
+
this.details = { ...this.details, artifactPath, artifactType };
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
exports.CircuitArtifactNotFoundError = CircuitArtifactNotFoundError;
|
|
71
|
+
class MerkleTreeError extends BolyraError {
|
|
72
|
+
constructor(reason, details) {
|
|
73
|
+
super(`Merkle tree operation failed: ${reason}. ` +
|
|
74
|
+
`Check that the tree is properly initialized and the leaf index is within bounds.`, 'MERKLE_TREE_ERROR', { reason, ...details });
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
exports.MerkleTreeError = MerkleTreeError;
|
|
78
|
+
class ConfigurationError extends BolyraError {
|
|
79
|
+
constructor(field, reason) {
|
|
80
|
+
super(`Invalid SDK configuration for "${field}": ${reason}. ` +
|
|
81
|
+
`Review the BolyraConfig interface and ensure all required fields are set correctly.`, 'CONFIGURATION_ERROR', { field, reason });
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
exports.ConfigurationError = ConfigurationError;
|
|
54
85
|
//# sourceMappingURL=errors.js.map
|
package/dist/errors.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,WAAY,SAAQ,KAAK;IAG3B;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,OAAiC;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAQ;QACZ,YAAO,GAAP,OAAO,CAA0B;QAGxC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AATD,kCASC;AAED,MAAa,oBAAqB,SAAQ,WAAW;IACnD,YAAY,OAAe,EAAE,MAAc;QACzC,KAAK,CACH,sBAAsB,OAAO,WAAW,MAAM,EAAE,EAChD,yBAAyB,EACzB,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACJ,CAAC;CACF;AARD,oDAQC;AAED,MAAa,iBAAkB,SAAQ,WAAW;IAChD,YAAY,MAAc;QACxB,KAAK,CACH,iCAAiC,MAAM,EAAE,EACzC,qBAAqB,EACrB,EAAE,MAAM,EAAE,CACX,CAAC;IACJ,CAAC;CACF;AARD,8CAQC;AAED,MAAa,sBAAuB,SAAQ,WAAW;IACrD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;IACvC,CAAC;CACF;AAJD,wDAIC;AAED,MAAa,sBAAuB,SAAQ,WAAW;IACrD,YAAY,eAAuB;QACjC,KAAK,CACH,+BAA+B,eAAe,EAAE,EAChD,oBAAoB,EACpB,EAAE,eAAe,EAAE,eAAe,CAAC,QAAQ,EAAE,EAAE,CAChD,CAAC;IACJ,CAAC;CACF;AARD,wDAQC;AAED,MAAa,oBAAqB,SAAQ,WAAW;IACnD,YAAY,cAAsB,EAAE,cAAsB;QACxD,KAAK,CACH,iDAAiD,cAAc,yCAAyC,cAAc,GAAG,EACzH,kBAAkB,EAClB;YACE,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE;YACzC,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE;SAC1C,CACF,CAAC;IACJ,CAAC;CACF;AAXD,oDAWC;AAED,MAAa,eAAgB,SAAQ,WAAW;IAC9C,YAAY,QAA2B;QACrC,KAAK,CACH,GAAG,QAAQ,4FAA4F,EACvG,mBAAmB,EACnB,EAAE,QAAQ,EAAE,CACb,CAAC;IACJ,CAAC;CACF;AARD,0CAQC"}
|
|
1
|
+
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,WAAY,SAAQ,KAAK;IAG3B;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,OAAiC;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAQ;QACZ,YAAO,GAAP,OAAO,CAA0B;QAGxC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AATD,kCASC;AAED,MAAa,oBAAqB,SAAQ,WAAW;IACnD,YAAY,OAAe,EAAE,MAAc;QACzC,KAAK,CACH,sBAAsB,OAAO,WAAW,MAAM,EAAE,EAChD,yBAAyB,EACzB,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACJ,CAAC;CACF;AARD,oDAQC;AAED,MAAa,iBAAkB,SAAQ,WAAW;IAChD,YAAY,MAAc;QACxB,KAAK,CACH,iCAAiC,MAAM,EAAE,EACzC,qBAAqB,EACrB,EAAE,MAAM,EAAE,CACX,CAAC;IACJ,CAAC;CACF;AARD,8CAQC;AAED,MAAa,sBAAuB,SAAQ,WAAW;IACrD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;IACvC,CAAC;CACF;AAJD,wDAIC;AAED,MAAa,sBAAuB,SAAQ,WAAW;IACrD,YAAY,eAAuB;QACjC,KAAK,CACH,+BAA+B,eAAe,EAAE,EAChD,oBAAoB,EACpB,EAAE,eAAe,EAAE,eAAe,CAAC,QAAQ,EAAE,EAAE,CAChD,CAAC;IACJ,CAAC;CACF;AARD,wDAQC;AAED,MAAa,oBAAqB,SAAQ,WAAW;IACnD,YAAY,cAAsB,EAAE,cAAsB;QACxD,KAAK,CACH,iDAAiD,cAAc,yCAAyC,cAAc,GAAG,EACzH,kBAAkB,EAClB;YACE,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE;YACzC,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE;SAC1C,CACF,CAAC;IACJ,CAAC;CACF;AAXD,oDAWC;AAED,MAAa,eAAgB,SAAQ,WAAW;IAC9C,YAAY,QAA2B;QACrC,KAAK,CACH,GAAG,QAAQ,4FAA4F,EACvG,mBAAmB,EACnB,EAAE,QAAQ,EAAE,CACb,CAAC;IACJ,CAAC;CACF;AARD,0CAQC;AAED,MAAa,kBAAmB,SAAQ,WAAW;IACjD,YAAY,MAAc;QACxB,KAAK,CACH,mBAAmB,MAAM,oFAAoF,EAC7G,gBAAgB,EAChB,EAAE,MAAM,EAAE,CACX,CAAC;IACJ,CAAC;CACF;AARD,gDAQC;AAED,MAAa,4BAA6B,SAAQ,oBAAoB;IACpE,YAAY,YAAoB,EAAE,YAAsC;QACtE,KAAK,CACH,YAAY,KAAK,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,kBAAkB,EAC7D,+BAA+B,YAAY,IAAI;YAC7C,cAAc,YAAY,6BAA6B;YACvD,iFAAiF;YACjF,qFAAqF,CACxF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;QACzC,IAAI,CAAC,OAAO,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;IACjE,CAAC;CACF;AAZD,oEAYC;AAED,MAAa,eAAgB,SAAQ,WAAW;IAC9C,YAAY,MAAc,EAAE,OAAiC;QAC3D,KAAK,CACH,iCAAiC,MAAM,IAAI;YACzC,kFAAkF,EACpF,mBAAmB,EACnB,EAAE,MAAM,EAAE,GAAG,OAAO,EAAE,CACvB,CAAC;IACJ,CAAC;CACF;AATD,0CASC;AAED,MAAa,kBAAmB,SAAQ,WAAW;IACjD,YAAY,KAAa,EAAE,MAAc;QACvC,KAAK,CACH,kCAAkC,KAAK,MAAM,MAAM,IAAI;YACrD,qFAAqF,EACvF,qBAAqB,EACrB,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAC;IACJ,CAAC;CACF;AATD,gDASC"}
|
package/dist/handshake.d.ts
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { HumanIdentity, AgentCredential, HandshakeResult, Proof, BolyraConfig } from './types';
|
|
2
|
+
import { ProverBackend } from './prover';
|
|
2
3
|
/**
|
|
3
4
|
* Generate a mutual handshake proof (human + agent).
|
|
4
5
|
* Both proofs can be generated in parallel for wall-clock optimization.
|
|
@@ -22,6 +23,7 @@ export declare function proveHandshake(human: HumanIdentity, agent: AgentCredent
|
|
|
22
23
|
scope?: bigint;
|
|
23
24
|
nonce?: bigint;
|
|
24
25
|
config?: BolyraConfig;
|
|
26
|
+
backend?: ProverBackend;
|
|
25
27
|
}): Promise<{
|
|
26
28
|
humanProof: Proof;
|
|
27
29
|
agentProof: Proof;
|
package/dist/handshake.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../src/handshake.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../src/handshake.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,aAAa,EACb,eAAe,EACf,eAAe,EACf,KAAK,EACL,YAAY,EACb,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAgB,aAAa,EAAE,MAAM,UAAU,CAAC;AAKvD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,aAAa,EACpB,KAAK,EAAE,eAAe,EACtB,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB,GACA,OAAO,CAAC;IAAE,UAAU,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAgClE;AAiFD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,KAAK,EACjB,UAAU,EAAE,KAAK,EACjB,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,YAAY,GACpB,OAAO,CAAC,eAAe,CAAC,CA8D1B"}
|
package/dist/handshake.js
CHANGED
|
@@ -37,7 +37,9 @@ exports.proveHandshake = proveHandshake;
|
|
|
37
37
|
exports.verifyHandshake = verifyHandshake;
|
|
38
38
|
const snarkjs = __importStar(require("snarkjs"));
|
|
39
39
|
const path = __importStar(require("path"));
|
|
40
|
+
const fs = __importStar(require("fs"));
|
|
40
41
|
const errors_1 = require("./errors");
|
|
42
|
+
const prover_1 = require("./prover");
|
|
41
43
|
// Default paths to circuit artifacts (relative to package root)
|
|
42
44
|
const DEFAULT_CIRCUIT_DIR = path.join(__dirname, '../../circuits/build');
|
|
43
45
|
/**
|
|
@@ -63,14 +65,32 @@ async function proveHandshake(human, agent, options) {
|
|
|
63
65
|
const scope = options?.scope ?? 1n;
|
|
64
66
|
const nonce = options?.nonce ?? BigInt(Date.now());
|
|
65
67
|
const circuitDir = options?.config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
|
|
68
|
+
const backend = options?.backend ?? 'auto';
|
|
69
|
+
// Validate circuit artifacts exist before attempting proof generation
|
|
70
|
+
const humanWasm = path.join(circuitDir, 'HumanUniqueness_js/HumanUniqueness.wasm');
|
|
71
|
+
const humanZkey = path.join(circuitDir, 'HumanUniqueness_final.zkey');
|
|
72
|
+
const agentWasm = path.join(circuitDir, 'AgentPolicy_js/AgentPolicy.wasm');
|
|
73
|
+
const agentZkey = path.join(circuitDir, 'AgentPolicy_final.zkey');
|
|
74
|
+
if (!fs.existsSync(humanWasm)) {
|
|
75
|
+
throw new errors_1.CircuitArtifactNotFoundError(humanWasm, 'wasm');
|
|
76
|
+
}
|
|
77
|
+
if (!fs.existsSync(humanZkey)) {
|
|
78
|
+
throw new errors_1.CircuitArtifactNotFoundError(humanZkey, 'zkey');
|
|
79
|
+
}
|
|
80
|
+
if (!fs.existsSync(agentWasm)) {
|
|
81
|
+
throw new errors_1.CircuitArtifactNotFoundError(agentWasm, 'wasm');
|
|
82
|
+
}
|
|
83
|
+
if (!fs.existsSync(agentZkey)) {
|
|
84
|
+
throw new errors_1.CircuitArtifactNotFoundError(agentZkey, 'zkey');
|
|
85
|
+
}
|
|
66
86
|
// Generate both proofs in parallel
|
|
67
87
|
const [humanProof, agentProof] = await Promise.all([
|
|
68
|
-
generateHumanProof(human, scope, nonce, circuitDir),
|
|
69
|
-
generateAgentProof(agent, nonce, circuitDir),
|
|
88
|
+
generateHumanProof(human, scope, nonce, circuitDir, backend),
|
|
89
|
+
generateAgentProof(agent, nonce, circuitDir, backend),
|
|
70
90
|
]);
|
|
71
91
|
return { humanProof, agentProof, nonce };
|
|
72
92
|
}
|
|
73
|
-
async function generateHumanProof(human, scope, nonce, circuitDir) {
|
|
93
|
+
async function generateHumanProof(human, scope, nonce, circuitDir, backend) {
|
|
74
94
|
const wasmPath = path.join(circuitDir, 'HumanUniqueness_js/HumanUniqueness.wasm');
|
|
75
95
|
const zkeyPath = path.join(circuitDir, 'HumanUniqueness_final.zkey');
|
|
76
96
|
// Build Merkle proof inputs (single leaf: depth 0, padded to 20)
|
|
@@ -84,16 +104,15 @@ async function generateHumanProof(human, scope, nonce, circuitDir) {
|
|
|
84
104
|
sessionNonce: nonce.toString(),
|
|
85
105
|
};
|
|
86
106
|
try {
|
|
87
|
-
|
|
88
|
-
return { proof, publicSignals };
|
|
107
|
+
return await (0, prover_1.proveGroth16)(input, wasmPath, zkeyPath, backend);
|
|
89
108
|
}
|
|
90
109
|
catch (err) {
|
|
91
110
|
throw new errors_1.ProofGenerationError('HumanUniqueness', err.message ?? String(err));
|
|
92
111
|
}
|
|
93
112
|
}
|
|
94
|
-
async function generateAgentProof(agent, nonce, circuitDir) {
|
|
113
|
+
async function generateAgentProof(agent, nonce, circuitDir, backend) {
|
|
95
114
|
const wasmPath = path.join(circuitDir, 'AgentPolicy_js/AgentPolicy.wasm');
|
|
96
|
-
const zkeyPath = path.join(circuitDir, '
|
|
115
|
+
const zkeyPath = path.join(circuitDir, 'AgentPolicy_final.zkey');
|
|
97
116
|
const currentTimestamp = BigInt(Math.floor(Date.now() / 1000));
|
|
98
117
|
const requiredScopeMask = 0n; // no required scope for basic handshake
|
|
99
118
|
const siblings = new Array(20).fill('0');
|
|
@@ -114,8 +133,7 @@ async function generateAgentProof(agent, nonce, circuitDir) {
|
|
|
114
133
|
sessionNonce: nonce.toString(),
|
|
115
134
|
};
|
|
116
135
|
try {
|
|
117
|
-
|
|
118
|
-
return { proof, publicSignals };
|
|
136
|
+
return await (0, prover_1.proveGroth16)(input, wasmPath, zkeyPath, backend);
|
|
119
137
|
}
|
|
120
138
|
catch (err) {
|
|
121
139
|
throw new errors_1.ProofGenerationError('AgentPolicy', err.message ?? String(err));
|
|
@@ -133,14 +151,38 @@ async function generateAgentProof(agent, nonce, circuitDir) {
|
|
|
133
151
|
*/
|
|
134
152
|
async function verifyHandshake(humanProof, agentProof, nonce, config) {
|
|
135
153
|
const circuitDir = config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
|
|
136
|
-
//
|
|
154
|
+
// Validate proof structure before verification
|
|
155
|
+
if (!humanProof || !humanProof.proof || !Array.isArray(humanProof.publicSignals)) {
|
|
156
|
+
throw new errors_1.VerificationError('Invalid humanProof structure: expected { proof: object, publicSignals: string[] }. ' +
|
|
157
|
+
'Ensure you are passing the proof object returned by proveHandshake().');
|
|
158
|
+
}
|
|
159
|
+
if (!agentProof || !agentProof.proof || !Array.isArray(agentProof.publicSignals)) {
|
|
160
|
+
throw new errors_1.VerificationError('Invalid agentProof structure: expected { proof: object, publicSignals: string[] }. ' +
|
|
161
|
+
'Ensure you are passing the proof object returned by proveHandshake().');
|
|
162
|
+
}
|
|
163
|
+
if (humanProof.publicSignals.length < 2) {
|
|
164
|
+
throw new errors_1.VerificationError(`humanProof has ${humanProof.publicSignals.length} public signals, expected at least 2. ` +
|
|
165
|
+
'The proof may have been generated with an incompatible circuit version.');
|
|
166
|
+
}
|
|
167
|
+
if (agentProof.publicSignals.length < 3) {
|
|
168
|
+
throw new errors_1.VerificationError(`agentProof has ${agentProof.publicSignals.length} public signals, expected at least 3. ` +
|
|
169
|
+
'The proof may have been generated with an incompatible circuit version.');
|
|
170
|
+
}
|
|
171
|
+
// Verify vkey files exist
|
|
137
172
|
const humanVkeyPath = path.join(circuitDir, 'HumanUniqueness_vkey.json');
|
|
173
|
+
if (!fs.existsSync(humanVkeyPath)) {
|
|
174
|
+
throw new errors_1.CircuitArtifactNotFoundError(humanVkeyPath, 'vkey');
|
|
175
|
+
}
|
|
176
|
+
const agentVkeyPath = path.join(circuitDir, 'AgentPolicy_groth16_vkey.json');
|
|
177
|
+
if (!fs.existsSync(agentVkeyPath)) {
|
|
178
|
+
throw new errors_1.CircuitArtifactNotFoundError(agentVkeyPath, 'vkey');
|
|
179
|
+
}
|
|
180
|
+
// Verify human proof (Groth16)
|
|
138
181
|
const humanVkey = require(humanVkeyPath);
|
|
139
182
|
const humanValid = await snarkjs.groth16.verify(humanVkey, humanProof.publicSignals, humanProof.proof);
|
|
140
|
-
// Verify agent proof (
|
|
141
|
-
const agentVkeyPath = path.join(circuitDir, 'AgentPolicy_vkey.json');
|
|
183
|
+
// Verify agent proof (Groth16)
|
|
142
184
|
const agentVkey = require(agentVkeyPath);
|
|
143
|
-
const agentValid = await snarkjs.
|
|
185
|
+
const agentValid = await snarkjs.groth16.verify(agentVkey, agentProof.publicSignals, agentProof.proof);
|
|
144
186
|
return {
|
|
145
187
|
humanNullifier: BigInt(humanProof.publicSignals[1]),
|
|
146
188
|
agentNullifier: BigInt(agentProof.publicSignals[1]),
|
package/dist/handshake.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../src/handshake.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../src/handshake.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCA,wCAyCC;AA2FD,0CAmEC;AA1OD,iDAAmC;AACnC,2CAA6B;AAC7B,uCAAyB;AAQzB,qCAAiG;AACjG,qCAAuD;AAEvD,gEAAgE;AAChE,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;AAEzE;;;;;;;;;;;;;;;;;;GAkBG;AACI,KAAK,UAAU,cAAc,CAClC,KAAoB,EACpB,KAAsB,EACtB,OAKC;IAED,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IACtE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,MAAM,CAAC;IAE3C,sEAAsE;IACtE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,yCAAyC,CAAC,CAAC;IACnF,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,4BAA4B,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,wBAAwB,CAAC,CAAC;IAElE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,qCAA4B,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,qCAA4B,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,qCAA4B,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,qCAA4B,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC5D,CAAC;IAED,mCAAmC;IACnC,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACjD,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC;QAC5D,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC;KACtD,CAAC,CAAC;IAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAoB,EACpB,KAAa,EACb,KAAa,EACb,UAAkB,EAClB,OAAsB;IAEtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,UAAU,EACV,yCAAyC,CAC1C,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,4BAA4B,CAAC,CAAC;IAErE,iEAAiE;IACjE,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEzC,MAAM,KAAK,GAAG;QACZ,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC/B,iBAAiB,EAAE,GAAG,EAAE,+BAA+B;QACvD,gBAAgB,EAAE,GAAG;QACrB,mBAAmB,EAAE,QAAQ;QAC7B,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE;QACvB,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC/B,CAAC;IAEF,IAAI,CAAC;QACH,OAAO,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,6BAAoB,CAC5B,iBAAiB,EACjB,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAsB,EACtB,KAAa,EACb,UAAkB,EAClB,OAAsB;IAEtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,UAAU,EACV,iCAAiC,CAClC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,wBAAwB,CAAC,CAAC;IAEjE,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/D,MAAM,iBAAiB,GAAG,EAAE,CAAC,CAAC,wCAAwC;IAEtE,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEzC,MAAM,KAAK,GAAG;QACZ,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE;QACrC,gBAAgB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACtD,gBAAgB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACtD,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,CAAC,QAAQ,EAAE;QACrD,eAAe,EAAE,KAAK,CAAC,eAAe,CAAC,QAAQ,EAAE;QACjD,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QACvC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QACvC,IAAI,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE;QAClC,iBAAiB,EAAE,GAAG;QACtB,gBAAgB,EAAE,GAAG;QACrB,mBAAmB,EAAE,QAAQ;QAC7B,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,EAAE;QAC/C,gBAAgB,EAAE,gBAAgB,CAAC,QAAQ,EAAE;QAC7C,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC/B,CAAC;IAEF,IAAI,CAAC;QACH,OAAO,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,6BAAoB,CAC5B,aAAa,EACb,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,eAAe,CACnC,UAAiB,EACjB,UAAiB,EACjB,KAAa,EACb,MAAqB;IAErB,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IAE7D,+CAA+C;IAC/C,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,0BAAiB,CACzB,qFAAqF;YACnF,uEAAuE,CAC1E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,0BAAiB,CACzB,qFAAqF;YACnF,uEAAuE,CAC1E,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,0BAAiB,CACzB,kBAAkB,UAAU,CAAC,aAAa,CAAC,MAAM,wCAAwC;YACvF,yEAAyE,CAC5E,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,0BAAiB,CACzB,kBAAkB,UAAU,CAAC,aAAa,CAAC,MAAM,wCAAwC;YACvF,yEAAyE,CAC5E,CAAC;IACJ,CAAC;IAED,0BAA0B;IAC1B,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,2BAA2B,CAAC,CAAC;IACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,qCAA4B,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,+BAA+B,CAAC,CAAC;IAC7E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,qCAA4B,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAC7C,SAAS,EACT,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,KAAK,CACjB,CAAC;IAEF,+BAA+B;IAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAC7C,SAAS,EACT,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,KAAK,CACjB,CAAC;IAEF,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnD,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnD,YAAY,EAAE,KAAK;QACnB,eAAe,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACpD,QAAQ,EAAE,UAAU,IAAI,UAAU;KACnC,CAAC;AACJ,CAAC"}
|
package/dist/identity.d.ts
CHANGED
|
@@ -1,4 +1,28 @@
|
|
|
1
1
|
import { HumanIdentity, AgentCredential, Permission } from './types';
|
|
2
|
+
export declare const BN254_FIELD_ORDER = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
|
|
3
|
+
/**
|
|
4
|
+
* Validate a secret value for use with createHumanIdentity.
|
|
5
|
+
* Throws InvalidSecretError if the secret is zero, negative, or exceeds BN254 field.
|
|
6
|
+
*
|
|
7
|
+
* Call this before createHumanIdentity() for strict input validation.
|
|
8
|
+
* createHumanIdentity itself is permissive (the crypto layer handles reduction),
|
|
9
|
+
* but using an invalid secret will produce an identity that fails proof generation.
|
|
10
|
+
*
|
|
11
|
+
* @param secret - The secret to validate
|
|
12
|
+
* @throws InvalidSecretError if validation fails
|
|
13
|
+
*/
|
|
14
|
+
export declare function validateHumanSecret(secret: bigint): void;
|
|
15
|
+
/**
|
|
16
|
+
* Validate an expiry timestamp for use with createAgentCredential.
|
|
17
|
+
* Throws InvalidPermissionError if the timestamp is in the past.
|
|
18
|
+
*
|
|
19
|
+
* Call this before createAgentCredential() to catch expired timestamps early.
|
|
20
|
+
* The circuit enforces expiry at verification time, but this provides an early check.
|
|
21
|
+
*
|
|
22
|
+
* @param expiryTimestamp - Unix timestamp to validate
|
|
23
|
+
* @throws InvalidPermissionError if timestamp is not in the future
|
|
24
|
+
*/
|
|
25
|
+
export declare function validateAgentExpiry(expiryTimestamp: bigint): void;
|
|
2
26
|
/**
|
|
3
27
|
* Create a human identity (EdDSA keypair + commitment).
|
|
4
28
|
* Compatible with Semaphore v4 identity scheme.
|
package/dist/identity.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAKrE,eAAO,MAAM,iBAAiB,iFAAiF,CAAC;AAEhH;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAgBxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,IAAI,CAQjE;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAOxB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,GAAG,MAAM,EACnC,WAAW,EAAE,UAAU,EAAE,EACzB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,eAAe,CAAC,CA6B1B;AAED,+DAA+D;AAC/D,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,CAMtE;AAED,2EAA2E;AAC3E,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAoBnE"}
|
package/dist/identity.js
CHANGED
|
@@ -1,11 +1,55 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.BN254_FIELD_ORDER = void 0;
|
|
4
|
+
exports.validateHumanSecret = validateHumanSecret;
|
|
5
|
+
exports.validateAgentExpiry = validateAgentExpiry;
|
|
3
6
|
exports.createHumanIdentity = createHumanIdentity;
|
|
4
7
|
exports.createAgentCredential = createAgentCredential;
|
|
5
8
|
exports.permissionsToBitmask = permissionsToBitmask;
|
|
6
9
|
exports.validateCumulativeBitEncoding = validateCumulativeBitEncoding;
|
|
7
10
|
const utils_1 = require("./utils");
|
|
8
11
|
const errors_1 = require("./errors");
|
|
12
|
+
// BN254 scalar field order (Baby Jubjub subgroup order)
|
|
13
|
+
exports.BN254_FIELD_ORDER = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
|
|
14
|
+
/**
|
|
15
|
+
* Validate a secret value for use with createHumanIdentity.
|
|
16
|
+
* Throws InvalidSecretError if the secret is zero, negative, or exceeds BN254 field.
|
|
17
|
+
*
|
|
18
|
+
* Call this before createHumanIdentity() for strict input validation.
|
|
19
|
+
* createHumanIdentity itself is permissive (the crypto layer handles reduction),
|
|
20
|
+
* but using an invalid secret will produce an identity that fails proof generation.
|
|
21
|
+
*
|
|
22
|
+
* @param secret - The secret to validate
|
|
23
|
+
* @throws InvalidSecretError if validation fails
|
|
24
|
+
*/
|
|
25
|
+
function validateHumanSecret(secret) {
|
|
26
|
+
if (secret === 0n) {
|
|
27
|
+
throw new errors_1.InvalidSecretError('secret must be non-zero — a zero secret produces a trivial identity that cannot generate valid proofs');
|
|
28
|
+
}
|
|
29
|
+
if (secret < 0n) {
|
|
30
|
+
throw new errors_1.InvalidSecretError('secret must be positive — negative values are not valid field elements');
|
|
31
|
+
}
|
|
32
|
+
if (secret >= exports.BN254_FIELD_ORDER) {
|
|
33
|
+
throw new errors_1.InvalidSecretError(`secret exceeds BN254 scalar field order (got ${secret.toString().slice(0, 20)}..., max is ~2^254). Use a value less than ${exports.BN254_FIELD_ORDER}`);
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
/**
|
|
37
|
+
* Validate an expiry timestamp for use with createAgentCredential.
|
|
38
|
+
* Throws InvalidPermissionError if the timestamp is in the past.
|
|
39
|
+
*
|
|
40
|
+
* Call this before createAgentCredential() to catch expired timestamps early.
|
|
41
|
+
* The circuit enforces expiry at verification time, but this provides an early check.
|
|
42
|
+
*
|
|
43
|
+
* @param expiryTimestamp - Unix timestamp to validate
|
|
44
|
+
* @throws InvalidPermissionError if timestamp is not in the future
|
|
45
|
+
*/
|
|
46
|
+
function validateAgentExpiry(expiryTimestamp) {
|
|
47
|
+
const nowSeconds = BigInt(Math.floor(Date.now() / 1000));
|
|
48
|
+
if (expiryTimestamp <= nowSeconds) {
|
|
49
|
+
throw new errors_1.InvalidPermissionError(`expiryTimestamp (${expiryTimestamp}) is not in the future (current time: ${nowSeconds}). ` +
|
|
50
|
+
`Set expiryTimestamp to a Unix timestamp after the current time, e.g. BigInt(Math.floor(Date.now() / 1000) + 86400) for +1 day.`);
|
|
51
|
+
}
|
|
52
|
+
}
|
|
9
53
|
/**
|
|
10
54
|
* Create a human identity (EdDSA keypair + commitment).
|
|
11
55
|
* Compatible with Semaphore v4 identity scheme.
|
|
@@ -21,6 +65,7 @@ const errors_1 = require("./errors");
|
|
|
21
65
|
* ```
|
|
22
66
|
*/
|
|
23
67
|
async function createHumanIdentity(secret) {
|
|
68
|
+
validateHumanSecret(secret);
|
|
24
69
|
// HumanUniqueness circuit uses BabyPbk (direct scalar multiply),
|
|
25
70
|
// NOT EdDSA prv2pub. Use derivePublicKeyScalar here.
|
|
26
71
|
const publicKey = await (0, utils_1.derivePublicKeyScalar)(secret);
|
|
@@ -48,6 +93,7 @@ async function createHumanIdentity(secret) {
|
|
|
48
93
|
* ```
|
|
49
94
|
*/
|
|
50
95
|
async function createAgentCredential(modelHash, operatorPrivateKey, permissions, expiryTimestamp) {
|
|
96
|
+
validateAgentExpiry(expiryTimestamp);
|
|
51
97
|
const bitmask = permissionsToBitmask(permissions);
|
|
52
98
|
validateCumulativeBitEncoding(bitmask);
|
|
53
99
|
const operatorPublicKey = await (0, utils_1.derivePublicKey)(typeof operatorPrivateKey === 'bigint'
|
package/dist/identity.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":";;;AAkBA,kDAgBC;AAYD,kDAQC;AAgBD,kDASC;AAsBD,sDAkCC;AAGD,oDAMC;AAGD,sEAoBC;AAtKD,mCAAkG;AAClG,qCAAsE;AAEtE,wDAAwD;AAC3C,QAAA,iBAAiB,GAAG,8EAA8E,CAAC;AAEhH;;;;;;;;;;GAUG;AACH,SAAgB,mBAAmB,CAAC,MAAc;IAChD,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,2BAAkB,CAC1B,uGAAuG,CACxG,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,2BAAkB,CAC1B,wEAAwE,CACzE,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,IAAI,yBAAiB,EAAE,CAAC;QAChC,MAAM,IAAI,2BAAkB,CAC1B,gDAAgD,MAAM,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,8CAA8C,yBAAiB,EAAE,CAChJ,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CAAC,eAAuB;IACzD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IACzD,IAAI,eAAe,IAAI,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,+BAAsB,CAC9B,oBAAoB,eAAe,yCAAyC,UAAU,KAAK;YACzF,gIAAgI,CACnI,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,mBAAmB,CACvC,MAAc;IAEd,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC5B,iEAAiE;IACjE,qDAAqD;IACrD,MAAM,SAAS,GAAG,MAAM,IAAA,6BAAqB,EAAC,MAAM,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,IAAA,iBAAS,EAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IAC7D,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACI,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,kBAAmC,EACnC,WAAyB,EACzB,eAAuB;IAEvB,mBAAmB,CAAC,eAAe,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAClD,6BAA6B,CAAC,OAAO,CAAC,CAAC;IAEvC,MAAM,iBAAiB,GAAG,MAAM,IAAA,uBAAe,EAC7C,OAAO,kBAAkB,KAAK,QAAQ;QACpC,CAAC,CAAC,kBAAkB;QACpB,CAAC,CAAC,MAAM,CAAC,IAAI,GAAG,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CACtD,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,IAAA,iBAAS,EAChC,SAAS,EACT,iBAAiB,CAAC,CAAC,EACnB,iBAAiB,CAAC,CAAC,EACnB,OAAO,EACP,eAAe,CAChB,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,IAAA,iBAAS,EAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;IAElE,OAAO;QACL,SAAS;QACT,iBAAiB;QACjB,iBAAiB,EAAE,OAAO;QAC1B,eAAe;QACf,SAAS;QACT,UAAU;KACX,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,SAAgB,oBAAoB,CAAC,WAAyB;IAC5D,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,OAAO,IAAI,EAAE,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,2EAA2E;AAC3E,SAAgB,6BAA6B,CAAC,OAAe;IAC3D,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;IAElC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,+BAAsB,CAC9B,+DAA+D,CAChE,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,+BAAsB,CAC9B,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,+BAAsB,CAC9B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;AACH,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -1,7 +1,12 @@
|
|
|
1
|
-
export type { HumanIdentity, AgentCredential, HandshakeResult, DelegationResult, Proof, BolyraConfig, } from './types';
|
|
1
|
+
export type { HumanIdentity, AgentCredential, HandshakeResult, DelegationResult, DelegateeMerkleProof, Proof, BolyraConfig, OffchainVerificationResult, BatchCheckpoint, } from './types';
|
|
2
2
|
export { Permission } from './types';
|
|
3
|
-
export { createHumanIdentity, createAgentCredential, permissionsToBitmask, validateCumulativeBitEncoding, } from './identity';
|
|
3
|
+
export { createHumanIdentity, createAgentCredential, permissionsToBitmask, validateCumulativeBitEncoding, validateHumanSecret, validateAgentExpiry, BN254_FIELD_ORDER, } from './identity';
|
|
4
4
|
export { proveHandshake, verifyHandshake } from './handshake';
|
|
5
|
+
export { proveGroth16, activeProverBackend } from './prover';
|
|
6
|
+
export type { ProverBackend } from './prover';
|
|
7
|
+
export { verifyHandshakeOffchain, OffchainVerificationBatch, postBatchRoot, computeSessionCommitment, verifyMerkleInclusion, } from './offchain';
|
|
5
8
|
export { delegate, verifyDelegation } from './delegation';
|
|
6
|
-
export {
|
|
9
|
+
export type { DelegateInput } from './delegation';
|
|
10
|
+
export { poseidon2, poseidon3, poseidon4 } from './utils';
|
|
11
|
+
export { BolyraError, ProofGenerationError, VerificationError, InvalidPermissionError, ExpiredCredentialError, ScopeEscalationError, StaleProofError, InvalidSecretError, CircuitArtifactNotFoundError, MerkleTreeError, ConfigurationError, } from './errors';
|
|
7
12
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,aAAa,EACb,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,KAAK,EACL,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,aAAa,EACb,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,EACL,YAAY,EACZ,0BAA0B,EAC1B,eAAe,GAChB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,6BAA6B,EAC7B,mBAAmB,EACnB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAC7D,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAG9C,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,aAAa,EACb,wBAAwB,EACxB,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC1D,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAG1D,OAAO,EACL,WAAW,EACX,oBAAoB,EACpB,iBAAiB,EACjB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,eAAe,EACf,kBAAkB,EAClB,4BAA4B,EAC5B,eAAe,EACf,kBAAkB,GACnB,MAAM,UAAU,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.StaleProofError = exports.ScopeEscalationError = exports.ExpiredCredentialError = exports.InvalidPermissionError = exports.VerificationError = exports.ProofGenerationError = exports.BolyraError = exports.verifyDelegation = exports.delegate = exports.verifyHandshake = exports.proveHandshake = exports.validateCumulativeBitEncoding = exports.permissionsToBitmask = exports.createAgentCredential = exports.createHumanIdentity = exports.Permission = void 0;
|
|
3
|
+
exports.ConfigurationError = exports.MerkleTreeError = exports.CircuitArtifactNotFoundError = exports.InvalidSecretError = exports.StaleProofError = exports.ScopeEscalationError = exports.ExpiredCredentialError = exports.InvalidPermissionError = exports.VerificationError = exports.ProofGenerationError = exports.BolyraError = exports.poseidon4 = exports.poseidon3 = exports.poseidon2 = exports.verifyDelegation = exports.delegate = exports.verifyMerkleInclusion = exports.computeSessionCommitment = exports.postBatchRoot = exports.OffchainVerificationBatch = exports.verifyHandshakeOffchain = exports.activeProverBackend = exports.proveGroth16 = exports.verifyHandshake = exports.proveHandshake = exports.BN254_FIELD_ORDER = exports.validateAgentExpiry = exports.validateHumanSecret = exports.validateCumulativeBitEncoding = exports.permissionsToBitmask = exports.createAgentCredential = exports.createHumanIdentity = exports.Permission = void 0;
|
|
4
4
|
// Permission enum
|
|
5
5
|
var types_1 = require("./types");
|
|
6
6
|
Object.defineProperty(exports, "Permission", { enumerable: true, get: function () { return types_1.Permission; } });
|
|
@@ -10,14 +10,33 @@ Object.defineProperty(exports, "createHumanIdentity", { enumerable: true, get: f
|
|
|
10
10
|
Object.defineProperty(exports, "createAgentCredential", { enumerable: true, get: function () { return identity_1.createAgentCredential; } });
|
|
11
11
|
Object.defineProperty(exports, "permissionsToBitmask", { enumerable: true, get: function () { return identity_1.permissionsToBitmask; } });
|
|
12
12
|
Object.defineProperty(exports, "validateCumulativeBitEncoding", { enumerable: true, get: function () { return identity_1.validateCumulativeBitEncoding; } });
|
|
13
|
-
|
|
13
|
+
Object.defineProperty(exports, "validateHumanSecret", { enumerable: true, get: function () { return identity_1.validateHumanSecret; } });
|
|
14
|
+
Object.defineProperty(exports, "validateAgentExpiry", { enumerable: true, get: function () { return identity_1.validateAgentExpiry; } });
|
|
15
|
+
Object.defineProperty(exports, "BN254_FIELD_ORDER", { enumerable: true, get: function () { return identity_1.BN254_FIELD_ORDER; } });
|
|
16
|
+
// Handshake (v0.2 — real proof generation via snarkjs / rapidsnark)
|
|
14
17
|
var handshake_1 = require("./handshake");
|
|
15
18
|
Object.defineProperty(exports, "proveHandshake", { enumerable: true, get: function () { return handshake_1.proveHandshake; } });
|
|
16
19
|
Object.defineProperty(exports, "verifyHandshake", { enumerable: true, get: function () { return handshake_1.verifyHandshake; } });
|
|
17
|
-
//
|
|
20
|
+
// Prover backend (v0.4 — rapidsnark for sub-200ms proofs)
|
|
21
|
+
var prover_1 = require("./prover");
|
|
22
|
+
Object.defineProperty(exports, "proveGroth16", { enumerable: true, get: function () { return prover_1.proveGroth16; } });
|
|
23
|
+
Object.defineProperty(exports, "activeProverBackend", { enumerable: true, get: function () { return prover_1.activeProverBackend; } });
|
|
24
|
+
// Off-chain verification (v0.3 — batch mode, ~100x gas reduction)
|
|
25
|
+
var offchain_1 = require("./offchain");
|
|
26
|
+
Object.defineProperty(exports, "verifyHandshakeOffchain", { enumerable: true, get: function () { return offchain_1.verifyHandshakeOffchain; } });
|
|
27
|
+
Object.defineProperty(exports, "OffchainVerificationBatch", { enumerable: true, get: function () { return offchain_1.OffchainVerificationBatch; } });
|
|
28
|
+
Object.defineProperty(exports, "postBatchRoot", { enumerable: true, get: function () { return offchain_1.postBatchRoot; } });
|
|
29
|
+
Object.defineProperty(exports, "computeSessionCommitment", { enumerable: true, get: function () { return offchain_1.computeSessionCommitment; } });
|
|
30
|
+
Object.defineProperty(exports, "verifyMerkleInclusion", { enumerable: true, get: function () { return offchain_1.verifyMerkleInclusion; } });
|
|
31
|
+
// Delegation (v0.3 — scope-narrowing one-way delegation, chain-linked on-chain)
|
|
18
32
|
var delegation_1 = require("./delegation");
|
|
19
33
|
Object.defineProperty(exports, "delegate", { enumerable: true, get: function () { return delegation_1.delegate; } });
|
|
20
34
|
Object.defineProperty(exports, "verifyDelegation", { enumerable: true, get: function () { return delegation_1.verifyDelegation; } });
|
|
35
|
+
// Poseidon hashes (exposed for chain-link verification in integrations)
|
|
36
|
+
var utils_1 = require("./utils");
|
|
37
|
+
Object.defineProperty(exports, "poseidon2", { enumerable: true, get: function () { return utils_1.poseidon2; } });
|
|
38
|
+
Object.defineProperty(exports, "poseidon3", { enumerable: true, get: function () { return utils_1.poseidon3; } });
|
|
39
|
+
Object.defineProperty(exports, "poseidon4", { enumerable: true, get: function () { return utils_1.poseidon4; } });
|
|
21
40
|
// Errors
|
|
22
41
|
var errors_1 = require("./errors");
|
|
23
42
|
Object.defineProperty(exports, "BolyraError", { enumerable: true, get: function () { return errors_1.BolyraError; } });
|
|
@@ -27,4 +46,8 @@ Object.defineProperty(exports, "InvalidPermissionError", { enumerable: true, get
|
|
|
27
46
|
Object.defineProperty(exports, "ExpiredCredentialError", { enumerable: true, get: function () { return errors_1.ExpiredCredentialError; } });
|
|
28
47
|
Object.defineProperty(exports, "ScopeEscalationError", { enumerable: true, get: function () { return errors_1.ScopeEscalationError; } });
|
|
29
48
|
Object.defineProperty(exports, "StaleProofError", { enumerable: true, get: function () { return errors_1.StaleProofError; } });
|
|
49
|
+
Object.defineProperty(exports, "InvalidSecretError", { enumerable: true, get: function () { return errors_1.InvalidSecretError; } });
|
|
50
|
+
Object.defineProperty(exports, "CircuitArtifactNotFoundError", { enumerable: true, get: function () { return errors_1.CircuitArtifactNotFoundError; } });
|
|
51
|
+
Object.defineProperty(exports, "MerkleTreeError", { enumerable: true, get: function () { return errors_1.MerkleTreeError; } });
|
|
52
|
+
Object.defineProperty(exports, "ConfigurationError", { enumerable: true, get: function () { return errors_1.ConfigurationError; } });
|
|
30
53
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAaA,kBAAkB;AAClB,iCAAqC;AAA5B,mGAAA,UAAU,OAAA;AAEnB,oBAAoB;AACpB,uCAQoB;AAPlB,+GAAA,mBAAmB,OAAA;AACnB,iHAAA,qBAAqB,OAAA;AACrB,gHAAA,oBAAoB,OAAA;AACpB,yHAAA,6BAA6B,OAAA;AAC7B,+GAAA,mBAAmB,OAAA;AACnB,+GAAA,mBAAmB,OAAA;AACnB,6GAAA,iBAAiB,OAAA;AAGnB,oEAAoE;AACpE,yCAA8D;AAArD,2GAAA,cAAc,OAAA;AAAE,4GAAA,eAAe,OAAA;AAExC,0DAA0D;AAC1D,mCAA6D;AAApD,sGAAA,YAAY,OAAA;AAAE,6GAAA,mBAAmB,OAAA;AAG1C,kEAAkE;AAClE,uCAMoB;AALlB,mHAAA,uBAAuB,OAAA;AACvB,qHAAA,yBAAyB,OAAA;AACzB,yGAAA,aAAa,OAAA;AACb,oHAAA,wBAAwB,OAAA;AACxB,iHAAA,qBAAqB,OAAA;AAGvB,gFAAgF;AAChF,2CAA0D;AAAjD,sGAAA,QAAQ,OAAA;AAAE,8GAAA,gBAAgB,OAAA;AAGnC,wEAAwE;AACxE,iCAA0D;AAAjD,kGAAA,SAAS,OAAA;AAAE,kGAAA,SAAS,OAAA;AAAE,kGAAA,SAAS,OAAA;AAExC,SAAS;AACT,mCAYkB;AAXhB,qGAAA,WAAW,OAAA;AACX,8GAAA,oBAAoB,OAAA;AACpB,2GAAA,iBAAiB,OAAA;AACjB,gHAAA,sBAAsB,OAAA;AACtB,gHAAA,sBAAsB,OAAA;AACtB,8GAAA,oBAAoB,OAAA;AACpB,yGAAA,eAAe,OAAA;AACf,4GAAA,kBAAkB,OAAA;AAClB,sHAAA,4BAA4B,OAAA;AAC5B,yGAAA,eAAe,OAAA;AACf,4GAAA,kBAAkB,OAAA"}
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
import { AgentCredential, Proof, BolyraConfig } from './types';
|
|
2
|
+
import { ProverBackend } from './prover';
|
|
3
|
+
/** Provider attestation produced by a model provider's deployment-signing service.
|
|
4
|
+
* In dev/test this is minted by `examples/provider-mock/`. */
|
|
5
|
+
export interface ProviderAttestation {
|
|
6
|
+
/** Provider's Baby Jubjub public key (must match a leaf in the on-chain provider tree) */
|
|
7
|
+
providerPublicKey: {
|
|
8
|
+
x: bigint;
|
|
9
|
+
y: bigint;
|
|
10
|
+
};
|
|
11
|
+
/** EdDSA signature of providerPrivateKey over the credentialCommitment
|
|
12
|
+
* (= Poseidon5(modelHash, opPkAx, opPkAy, permissionBitmask, expiryTimestamp)).
|
|
13
|
+
* Post Phase 2 hardening — earlier shape was Poseidon3(modelHash, opPkAx, opPkAy)
|
|
14
|
+
* which let the operator self-grant permissions/expiry the provider never saw. */
|
|
15
|
+
signature: {
|
|
16
|
+
R8: {
|
|
17
|
+
x: bigint;
|
|
18
|
+
y: bigint;
|
|
19
|
+
};
|
|
20
|
+
S: bigint;
|
|
21
|
+
};
|
|
22
|
+
}
|
|
23
|
+
/** Merkle proof of provider key inclusion in the on-chain providerRegistryRoot. */
|
|
24
|
+
export interface ProviderMerkleProof {
|
|
25
|
+
/** Actual depth used (0..PROVIDER_TREE_DEPTH); siblings beyond are zero-padded */
|
|
26
|
+
length: number;
|
|
27
|
+
/** Leaf index */
|
|
28
|
+
index: number;
|
|
29
|
+
/** Sibling hashes, padded with zeros to PROVIDER_TREE_DEPTH */
|
|
30
|
+
siblings: bigint[];
|
|
31
|
+
/** The provider tree root that this proof must reproduce */
|
|
32
|
+
root: bigint;
|
|
33
|
+
}
|
|
34
|
+
/** Merkle proof of agent credential inclusion in the on-chain agentTree root. */
|
|
35
|
+
export interface AgentMerkleProof {
|
|
36
|
+
length: number;
|
|
37
|
+
index: number;
|
|
38
|
+
siblings: bigint[];
|
|
39
|
+
}
|
|
40
|
+
export interface BindModelInstanceInput {
|
|
41
|
+
/** Agent credential signed by the operator (output of createAgentCredential). */
|
|
42
|
+
credential: AgentCredential;
|
|
43
|
+
/** Provider attestation binding the operator to this model. */
|
|
44
|
+
providerAttestation: ProviderAttestation;
|
|
45
|
+
/** Provider Merkle proof. */
|
|
46
|
+
providerMerkleProof: ProviderMerkleProof;
|
|
47
|
+
/** Agent Merkle proof. Defaults to an empty single-leaf proof. */
|
|
48
|
+
agentMerkleProof?: AgentMerkleProof;
|
|
49
|
+
/** Tool-call payload digest (BN254-reduced). Caller pre-hashes off-circuit. */
|
|
50
|
+
message: bigint;
|
|
51
|
+
/** Verifier-provided session nonce (replay protection). */
|
|
52
|
+
sessionNonce: bigint;
|
|
53
|
+
/** Required permission bitmask (0n means no required scope). */
|
|
54
|
+
requiredScopeMask?: bigint;
|
|
55
|
+
/** Verifier-provided current time (defaults to now). */
|
|
56
|
+
currentTimestamp?: bigint;
|
|
57
|
+
/** SDK config + prover backend overrides. */
|
|
58
|
+
config?: BolyraConfig;
|
|
59
|
+
backend?: ProverBackend;
|
|
60
|
+
}
|
|
61
|
+
export interface BindModelInstanceResult {
|
|
62
|
+
proof: Proof;
|
|
63
|
+
/** Circuit public outputs, parsed for caller convenience. Order matches publicSignals[0..9]. */
|
|
64
|
+
publicOutputs: {
|
|
65
|
+
agentMerkleRoot: bigint;
|
|
66
|
+
nullifierHash: bigint;
|
|
67
|
+
scopeCommitment: bigint;
|
|
68
|
+
messageHash: bigint;
|
|
69
|
+
modelOperatorFingerprint: bigint;
|
|
70
|
+
/** Poseidon2(provPkAx, provPkAy) — exposes WHICH enrolled provider signed
|
|
71
|
+
* (Phase 2 hardening; closes the provider-anonymity attack). */
|
|
72
|
+
providerKeyCommitment: bigint;
|
|
73
|
+
requiredScopeMask: bigint;
|
|
74
|
+
currentTimestamp: bigint;
|
|
75
|
+
sessionNonce: bigint;
|
|
76
|
+
providerRegistryRoot: bigint;
|
|
77
|
+
};
|
|
78
|
+
}
|
|
79
|
+
/**
|
|
80
|
+
* Generate a ModelInstanceBinding ZK proof.
|
|
81
|
+
*
|
|
82
|
+
* The proof attests (in zero knowledge):
|
|
83
|
+
* - The agent credential is enrolled in the on-chain agent tree.
|
|
84
|
+
* - An enrolled provider signed the FULL `credentialCommitment`
|
|
85
|
+
* (= Poseidon5(modelHash, opPkAx, opPkAy, permissionBitmask, expiry)),
|
|
86
|
+
* which binds permissions and expiry — not just (model, operator).
|
|
87
|
+
* - The operator signed the same `credentialCommitment`.
|
|
88
|
+
* - The credential satisfies `requiredScopeMask` and is unexpired.
|
|
89
|
+
* - The tool-call message digest is bound to this proof.
|
|
90
|
+
* - `publicOutputs.providerKeyCommitment` identifies WHICH enrolled provider
|
|
91
|
+
* signed (closes the provider-anonymity attack found in codex challenge).
|
|
92
|
+
*
|
|
93
|
+
* @example
|
|
94
|
+
* ```ts
|
|
95
|
+
* const result = await bindModelInstance({
|
|
96
|
+
* credential,
|
|
97
|
+
* providerAttestation,
|
|
98
|
+
* providerMerkleProof,
|
|
99
|
+
* message: BigInt('0x' + sha256(payload).slice(0, 62)), // mod p
|
|
100
|
+
* sessionNonce: BigInt(Date.now()),
|
|
101
|
+
* requiredScopeMask: 0b101n, // READ_DATA | FINANCIAL_SMALL
|
|
102
|
+
* });
|
|
103
|
+
* // Submit result.proof to IdentityRegistry.verifyModelInstanceBinding(...)
|
|
104
|
+
* ```
|
|
105
|
+
*/
|
|
106
|
+
export declare function bindModelInstance(input: BindModelInstanceInput): Promise<BindModelInstanceResult>;
|
|
107
|
+
/**
|
|
108
|
+
* Verify a ModelInstanceBinding proof off-chain (snarkjs-side).
|
|
109
|
+
* For on-chain verification, submit the proof to
|
|
110
|
+
* IdentityRegistry.verifyModelInstanceBinding(...).
|
|
111
|
+
*/
|
|
112
|
+
export declare function verifyModelInstanceBinding(proof: Proof, config?: BolyraConfig): Promise<boolean>;
|
|
113
|
+
//# sourceMappingURL=model-binding.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"model-binding.d.ts","sourceRoot":"","sources":["../src/model-binding.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM/D,OAAO,EAAgB,aAAa,EAAE,MAAM,UAAU,CAAC;AAQvD;+DAC+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,0FAA0F;IAC1F,iBAAiB,EAAE;QAAE,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C;;;uFAGmF;IACnF,SAAS,EAAE;QAAE,EAAE,EAAE;YAAE,CAAC,EAAE,MAAM,CAAC;YAAC,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAAC,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACxD;AAED,mFAAmF;AACnF,MAAM,WAAW,mBAAmB;IAClC,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;CACd;AAED,iFAAiF;AACjF,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,sBAAsB;IACrC,iFAAiF;IACjF,UAAU,EAAE,eAAe,CAAC;IAC5B,+DAA+D;IAC/D,mBAAmB,EAAE,mBAAmB,CAAC;IACzC,6BAA6B;IAC7B,mBAAmB,EAAE,mBAAmB,CAAC;IACzC,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,+EAA+E;IAC/E,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,6CAA6C;IAC7C,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,KAAK,CAAC;IACb,gGAAgG;IAChG,aAAa,EAAE;QACb,eAAe,EAAE,MAAM,CAAC;QACxB,aAAa,EAAE,MAAM,CAAC;QACtB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,wBAAwB,EAAE,MAAM,CAAC;QACjC;yEACiE;QACjE,qBAAqB,EAAE,MAAM,CAAC;QAC9B,iBAAiB,EAAE,MAAM,CAAC;QAC1B,gBAAgB,EAAE,MAAM,CAAC;QACzB,YAAY,EAAE,MAAM,CAAC;QACrB,oBAAoB,EAAE,MAAM,CAAC;KAC9B,CAAC;CACH;AAaD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,sBAAsB,GAC5B,OAAO,CAAC,uBAAuB,CAAC,CAoHlC;AAED;;;;GAIG;AACH,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,KAAK,EACZ,MAAM,CAAC,EAAE,YAAY,GACpB,OAAO,CAAC,OAAO,CAAC,CAQlB"}
|