@brightchain/brightchain-lib 0.14.0 → 0.15.0

package/src/lib/services/identity/deviceProvisioningService.js

@@ -0,0 +1,219 @@
+"use strict";
+/**
+ * Device Provisioning Service for the BrightChain identity system.
+ *
+ * Handles the complete device provisioning workflow: validating a paper key,
+ * recovering the member identity, generating device-specific keys via BIP32
+ * hierarchical deterministic derivation, and persisting device metadata
+ * through a platform-independent storage interface.
+ *
+ * Device keys are derived using the BIP32 path `m/44'/60'/0'/1/<deviceIndex>`
+ * where `deviceIndex` is a monotonically increasing counter per member. This
+ * keeps device keys deterministic (reproducible from the same mnemonic) while
+ * ensuring each device gets a unique key pair.
+ *
+ * Requirements: 3.1, 3.2, 3.3, 3.4
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeviceProvisioningService = exports.DeviceKeyStorageError = exports.DeviceKeyGenerationError = exports.InvalidPaperKeyError = void 0;
+const ecies_lib_1 = require("@digitaldefiance/ecies-lib");
+const bip32_1 = require("@scure/bip32");
+const bip39_1 = require("@scure/bip39");
+const uuid_1 = require("uuid");
+const paperKeyService_1 = require("./paperKeyService");
+// ─── Constants ──────────────────────────────────────────────────────────────
+/**
+ * BIP32 derivation path prefix for device keys.
+ *
+ * Uses BIP44 structure: `m / purpose' / coin_type' / account' / change / index`
+ * - purpose = 44 (BIP44)
+ * - coin_type = 60 (Ethereum, reused for BrightChain compatibility)
+ * - account = 0 (default account)
+ * - change = 1 (internal chain — used for device keys to avoid collision
+ *               with external wallet addresses on change=0)
+ *
+ * The final `/<index>` segment is appended per device.
+ */
+const DEVICE_KEY_DERIVATION_PREFIX = "m/44'/60'/0'/1";
+// ─── Error classes ──────────────────────────────────────────────────────────
+/**
+ * Error thrown when a paper key fails validation during device provisioning.
+ */
+class InvalidPaperKeyError extends Error {
+    constructor(message = 'Invalid paper key: not a valid 24-word BIP39 mnemonic') {
+        super(message);
+        this.name = 'InvalidPaperKeyError';
+    }
+}
+exports.InvalidPaperKeyError = InvalidPaperKeyError;
+/**
+ * Error thrown when device key generation fails.
+ */
+class DeviceKeyGenerationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'DeviceKeyGenerationError';
+    }
+}
+exports.DeviceKeyGenerationError = DeviceKeyGenerationError;
+/**
+ * Error thrown when device key storage fails.
+ */
+class DeviceKeyStorageError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'DeviceKeyStorageError';
+    }
+}
+exports.DeviceKeyStorageError = DeviceKeyStorageError;
+// ─── Service ────────────────────────────────────────────────────────────────
+/**
+ * Service for provisioning new devices on a BrightChain member account.
+ *
+ * The provisioning flow:
+ * 1. Validate the paper key (Requirement 3.1)
+ * 2. Recover the member identity from the paper key (Requirement 3.2)
+ * 3. Generate device-specific keys via BIP32 derivation (Requirement 3.3)
+ * 4. Store device metadata in platform-independent storage (Requirement 3.4)
+ *
+ * All methods are static — the service is stateless and safe to call
+ * from any context (browser or Node.js).
+ *
+ * @example
+ * ```typescript
+ * const eciesService = ServiceProvider.getInstance().eciesService;
+ * const storage = new InMemoryDeviceKeyStorage();
+ *
+ * const result = await DeviceProvisioningService.provisionDevice(
+ *   'abandon abandon abandon ... about',
+ *   'Work Laptop',
+ *   DeviceType.DESKTOP,
+ *   eciesService,
+ *   storage,
+ *   0,
+ * );
+ *
+ * console.log(result.deviceMetadata.publicKey); // hex-encoded public key
+ * console.log(result.member.name);              // 'Recovered User'
+ * ```
+ */
+class DeviceProvisioningService {
+    /**
+     * Provision a new device using a paper key.
+     *
+     * Performs the complete provisioning workflow: validates the paper key,
+     * recovers the member identity, generates device-specific keys, and
+     * stores the device metadata.
+     *
+     * **Validates: Requirements 3.1, 3.2, 3.3, 3.4**
+     *
+     * @param paperKey     - The 24-word BIP39 mnemonic paper key
+     * @param deviceName   - Human-readable name for the device (e.g. "Work Laptop")
+     * @param deviceType   - Category of the device (desktop, mobile, web)
+     * @param eciesService - The ECIES service instance for key operations
+     * @param storage      - Platform-independent device key storage
+     * @param deviceIndex  - The BIP32 child index for this device (0-based)
+     * @returns A promise resolving to the full provisioning result
+     * @throws {InvalidPaperKeyError} If the paper key is invalid
+     * @throws {DeviceKeyGenerationError} If key derivation fails
+     * @throws {DeviceKeyStorageError} If storage fails
+     */
+    static async provisionDevice(paperKey, deviceName, deviceType, eciesService, storage, deviceIndex) {
+        // Requirement 3.1: Validate paper key before provisioning
+        if (!paperKeyService_1.PaperKeyService.validatePaperKey(paperKey, eciesService)) {
+            throw new InvalidPaperKeyError();
+        }
+        // Requirement 3.2: Recover member identity from paper key
+        const member = paperKeyService_1.PaperKeyService.recoverFromPaperKey(paperKey, eciesService);
+        // Requirement 3.3: Generate device-specific keys
+        const deviceKeys = DeviceProvisioningService.generateDeviceKeys(paperKey, deviceIndex);
+        // Build device metadata
+        const now = new Date();
+        const deviceMetadata = {
+            id: (0, uuid_1.v4)(),
+            memberId: (0, ecies_lib_1.uint8ArrayToHex)(member.idBytes),
+            deviceName,
+            deviceType,
+            publicKey: deviceKeys.publicKeyHex,
+            provisionedAt: now,
+            lastSeenAt: now,
+        };
+        // Requirement 3.4: Store device keys in local secure storage
+        await DeviceProvisioningService.storeDeviceKeys(deviceMetadata, storage);
+        return {
+            deviceMetadata,
+            member,
+            deviceKeys,
+        };
+    }
+    /**
+     * Generate device-specific keys from a paper key mnemonic using BIP32
+     * hierarchical deterministic derivation.
+     *
+     * The derivation path is `m/44'/60'/0'/1/<deviceIndex>` where the
+     * `change=1` branch is reserved for device keys (as opposed to
+     * `change=0` which is used for external wallet addresses).
+     *
+     * **Validates: Requirement 3.3** — Generate device-specific keys derived
+     * from member identity
+     *
+     * @param paperKey    - The 24-word BIP39 mnemonic
+     * @param deviceIndex - The child index for this device (0-based, non-hardened)
+     * @returns The derived device key result
+     * @throws {DeviceKeyGenerationError} If BIP32 derivation fails
+     */
+    static generateDeviceKeys(paperKey, deviceIndex) {
+        if (!Number.isInteger(deviceIndex) || deviceIndex < 0) {
+            throw new DeviceKeyGenerationError(`Device index must be a non-negative integer, got ${deviceIndex}`);
+        }
+        const derivationPath = `${DEVICE_KEY_DERIVATION_PREFIX}/${deviceIndex}`;
+        try {
+            // Convert mnemonic → 64-byte seed
+            const seed = (0, bip39_1.mnemonicToSeedSync)(paperKey);
+            // Create HD master key from seed
+            const masterKey = bip32_1.HDKey.fromMasterSeed(seed);
+            // Derive the device-specific child key
+            const deviceKey = masterKey.derive(derivationPath);
+            const publicKey = deviceKey.publicKey;
+            if (!publicKey) {
+                throw new DeviceKeyGenerationError('BIP32 derivation produced no public key');
+            }
+            return {
+                publicKey: new Uint8Array(publicKey),
+                publicKeyHex: (0, ecies_lib_1.uint8ArrayToHex)(new Uint8Array(publicKey)),
+                derivationPath,
+                deviceIndex,
+            };
+        }
+        catch (error) {
+            if (error instanceof DeviceKeyGenerationError) {
+                throw error;
+            }
+            const message = error instanceof Error ? error.message : String(error);
+            throw new DeviceKeyGenerationError(`Failed to derive device keys at path ${derivationPath}: ${message}`);
+        }
+    }
+    /**
+     * Store device metadata in the provided platform-independent storage.
+     *
+     * This method wraps the storage call with error handling to produce
+     * a consistent {@link DeviceKeyStorageError} on failure.
+     *
+     * **Validates: Requirement 3.4** — Store device keys in local secure storage
+     *
+     * @param deviceMetadata - The device metadata to persist
+     * @param storage        - The platform-independent storage implementation
+     * @throws {DeviceKeyStorageError} If the storage operation fails
+     */
+    static async storeDeviceKeys(deviceMetadata, storage) {
+        try {
+            await storage.store(deviceMetadata);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new DeviceKeyStorageError(`Failed to store device keys for device "${deviceMetadata.deviceName}": ${message}`);
+        }
+    }
+}
+exports.DeviceProvisioningService = DeviceProvisioningService;
+//# sourceMappingURL=deviceProvisioningService.js.map

package/src/lib/services/identity/deviceProvisioningService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deviceProvisioningService.js","sourceRoot":"","sources":["../../../../../../brightchain-lib/src/lib/services/identity/deviceProvisioningService.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAEH,0DAKoC;AACpC,wCAAqC;AACrC,wCAAkD;AAClD,+BAAoC;AAKpC,uDAAoD;AAEpD,+EAA+E;AAE/E;;;;;;;;;;;GAWG;AACH,MAAM,4BAA4B,GAAG,gBAAgB,CAAC;AAEtD,+EAA+E;AAE/E;;GAEG;AACH,MAAa,oBAAqB,SAAQ,KAAK;IAC7C,YACE,OAAO,GAAG,uDAAuD;QAEjE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAPD,oDAOC;AAED;;GAEG;AACH,MAAa,wBAAyB,SAAQ,KAAK;IACjD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AALD,4DAKC;AAED;;GAEG;AACH,MAAa,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AALD,sDAKC;AAoCD,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAa,yBAAyB;IACpC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAC1B,QAAgB,EAChB,UAAkB,EAClB,UAAsB,EACtB,YAA+B,EAC/B,OAA0B,EAC1B,WAAmB;QAEnB,0DAA0D;QAC1D,IAAI,CAAC,iCAAe,CAAC,gBAAgB,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,oBAAoB,EAAE,CAAC;QACnC,CAAC;QAED,0DAA0D;QAC1D,MAAM,MAAM,GAAG,iCAAe,CAAC,mBAAmB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE3E,iDAAiD;QACjD,MAAM,UAAU,GAAG,yBAAyB,CAAC,kBAAkB,CAC7D,QAAQ,EACR,WAAW,CACZ,CAAC;QAEF,wBAAwB;QACxB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,cAAc,GAAoB;YACtC,EAAE,EAAE,IAAA,SAAM,GAAE;YACZ,QAAQ,EAAE,IAAA,2BAAe,EAAC,MAAM,CAAC,OAAO,CAAC;YACzC,UAAU;YACV,UAAU;YACV,SAAS,EAAE,UAAU,CAAC,YAAY;YAClC,aAAa,EAAE,GAAG;YAClB,UAAU,EAAE,GAAG;SAChB,CAAC;QAEF,6DAA6D;QAC7D,MAAM,yBAAyB,CAAC,eAAe,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAEzE,OAAO;YACL,cAAc;YACd,MAAM;YACN,UAAU;SACX,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,kBAAkB,CACvB,QAAgB,EAChB,WAAmB;QAEnB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,wBAAwB,CAChC,oDAAoD,WAAW,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,GAAG,4BAA4B,IAAI,WAAW,EAAE,CAAC;QAExE,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,IAAI,GAAG,IAAA,0BAAkB,EAAC,QAAQ,CAAC,CAAC;YAE1C,iCAAiC;YACjC,MAAM,SAAS,GAAG,aAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAE7C,uCAAuC;YACvC,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YAEnD,MAAM,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;YACtC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,wBAAwB,CAChC,yCAAyC,CAC1C,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,SAAS,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC;gBACpC,YAAY,EAAE,IAAA,2BAAe,EAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;gBACxD,cAAc;gBACd,WAAW;aACZ,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,wBAAwB,EAAE,CAAC;gBAC9C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,wBAAwB,CAChC,wCAAwC,cAAc,KAAK,OAAO,EAAE,CACrE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAC1B,cAA+B,EAC/B,OAA0B;QAE1B,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,qBAAqB,CAC7B,2CAA2C,cAAc,CAAC,UAAU,MAAM,OAAO,EAAE,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AAxJD,8DAwJC"}

package/src/lib/services/identity/identityProofService.d.ts

@@ -0,0 +1,139 @@
+/**
+ * Identity Proof Service for the BrightChain identity system.
+ *
+ * Creates, verifies, and manages cryptographic identity proofs that link
+ * a BrightChain member to external platform accounts (Twitter, GitHub,
+ * Reddit, personal websites, and blockchain addresses).
+ *
+ * Each proof contains a signed statement produced with the member's
+ * SECP256k1 private key. Anyone with the member's public key can
+ * independently verify the proof without contacting BrightChain.
+ *
+ * The signed statement format (Requirement 4.8):
+ *   "I am {username} on {platform}. My BrightChain ID is {memberId}. Timestamp: {ISO8601}"
+ *
+ * Requirements: 4.1, 4.2, 4.3, 4.4, 4.6, 4.9
+ */
+import { ECIESService, Member, PlatformID } from '@digitaldefiance/ecies-lib';
+import { ProofPlatform } from '../../enumerations/proofPlatform';
+import { IIdentityProof } from '../../interfaces/identity/identityProof';
+/**
+ * Error thrown when an unsupported platform is specified.
+ */
+export declare class UnsupportedPlatformError extends Error {
+    constructor(platform: string);
+}
+/**
+ * Error thrown when proof creation fails (e.g. member has no private key).
+ */
+export declare class ProofCreationError extends Error {
+    constructor(message: string);
+}
+/**
+ * Error thrown when proof URL validation fails.
+ */
+export declare class ProofUrlError extends Error {
+    constructor(message: string);
+}
+/**
+ * Service for creating and verifying cryptographic identity proofs.
+ *
+ * Identity proofs link a BrightChain member to an external platform
+ * account by signing a standardised statement with the member's
+ * SECP256k1 private key. The proof can be independently verified by
+ * anyone with the member's public key.
+ *
+ * All methods are static — the service is stateless and safe to call
+ * from any context (browser or Node.js).
+ *
+ * @example
+ * ```typescript
+ * const eciesService = ServiceProvider.getInstance().eciesService;
+ * const member = PaperKeyService.recoverFromPaperKey(paperKey, eciesService);
+ *
+ * // Create a proof
+ * const proof = IdentityProofService.create(member, ProofPlatform.GITHUB, 'octocat');
+ *
+ * // Verify the proof
+ * const isValid = IdentityProofService.verify(proof, member.publicKey, eciesService);
+ *
+ * // Get posting instructions
+ * const instructions = IdentityProofService.getInstructions(ProofPlatform.GITHUB);
+ * ```
+ */
+export declare class IdentityProofService {
+    /**
+     * Create a new identity proof by signing a statement with the member's
+     * SECP256k1 private key.
+     *
+     * The signed statement follows the format defined in Requirement 4.8:
+     *   "I am {username} on {platform}. My BrightChain ID is {memberId}. Timestamp: {ISO8601}"
+     *
+     * **Validates: Requirements 4.1, 4.2, 4.3**
+     *
+     * @param member   - The member creating the proof (must have private key loaded)
+     * @param platform - The target platform (must be a valid {@link ProofPlatform} value)
+     * @param username - The member's username on the target platform
+     * @returns A new {@link IIdentityProof} with status {@link VerificationStatus.PENDING}
+     * @throws {UnsupportedPlatformError} If the platform is not a valid {@link ProofPlatform}
+     * @throws {ProofCreationError} If the member has no private key loaded
+     */
+    static create<TID extends PlatformID = Uint8Array>(member: Member<TID>, platform: ProofPlatform, username: string): IIdentityProof;
+    /**
+     * Verify an identity proof's signature using a public key.
+     *
+     * Reconstructs the signature from its hex encoding and verifies it
+     * against the signed statement using the ECIESService's ECDSA
+     * verification.
+     *
+     * **Validates: Requirement 4.4**
+     *
+     * @param proof        - The identity proof to verify
+     * @param publicKey    - The SECP256k1 public key to verify against (raw bytes)
+     * @param eciesService - The ECIES service instance for signature verification
+     * @returns `true` if the signature is valid for the given public key
+     */
+    static verify<TID extends PlatformID = Uint8Array>(proof: IIdentityProof, publicKey: Uint8Array, eciesService: ECIESService<TID>): boolean;
+    /**
+     * Check whether a proof URL contains the expected signed statement.
+     *
+     * Fetches the proof URL and checks that the response body includes
+     * the full signed statement text. This is used for initial verification
+     * and periodic re-verification (Requirement 4.10).
+     *
+     * **Validates: Requirement 4.6**
+     *
+     * @param proof - The identity proof whose URL to check
+     * @returns A promise resolving to `true` if the URL is accessible and
+     *          contains the signed statement, `false` otherwise
+     */
+    static checkProofUrl(proof: IIdentityProof): Promise<boolean>;
+    /**
+     * Get platform-specific instructions for posting an identity proof.
+     *
+     * Returns human-readable instructions explaining how to post the
+     * signed statement on the specified platform and what URL to provide
+     * for verification.
+     *
+     * **Validates: Requirement 4.9**
+     *
+     * @param platform - The target platform
+     * @returns Instructions string for the specified platform, or a generic
+     *          fallback for unrecognised platforms
+     */
+    static getInstructions(platform: ProofPlatform | string): string;
+    /**
+     * Build the signed statement string for a given set of parameters.
+     *
+     * This is a utility method that produces the statement text without
+     * signing it. Useful for previewing the statement before creation.
+     *
+     * @param username  - The member's username on the target platform
+     * @param platform  - The target platform
+     * @param memberId  - The member's hex-encoded ID
+     * @param timestamp - ISO 8601 timestamp string
+     * @returns The formatted statement string per Requirement 4.8
+     */
+    static buildStatement(username: string, platform: ProofPlatform | string, memberId: string, timestamp: string): string;
+}
+//# sourceMappingURL=identityProofService.d.ts.map

package/src/lib/services/identity/identityProofService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identityProofService.d.ts","sourceRoot":"","sources":["../../../../../../brightchain-lib/src/lib/services/identity/identityProofService.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,YAAY,EAEZ,MAAM,EACN,UAAU,EAGX,MAAM,4BAA4B,CAAC;AAIpC,OAAO,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAEjE,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AAIzE;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI7B;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B;AAqCD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,oBAAoB;IAC/B;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,MAAM,CAAC,GAAG,SAAS,UAAU,GAAG,UAAU,EAC/C,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,EACnB,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,MAAM,GACf,cAAc;IA2CjB;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,MAAM,CAAC,GAAG,SAAS,UAAU,GAAG,UAAU,EAC/C,KAAK,EAAE,cAAc,EACrB,SAAS,EAAE,UAAU,EACrB,YAAY,EAAE,YAAY,CAAC,GAAG,CAAC,GAC9B,OAAO;IAiBV;;;;;;;;;;;;OAYG;WACU,aAAa,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBnE;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,aAAa,GAAG,MAAM,GAAG,MAAM;IAOhE;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,cAAc,CACnB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,aAAa,GAAG,MAAM,EAChC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,MAAM;CAGV"}

package/src/lib/services/identity/identityProofService.js

@@ -0,0 +1,245 @@
+"use strict";
+/**
+ * Identity Proof Service for the BrightChain identity system.
+ *
+ * Creates, verifies, and manages cryptographic identity proofs that link
+ * a BrightChain member to external platform accounts (Twitter, GitHub,
+ * Reddit, personal websites, and blockchain addresses).
+ *
+ * Each proof contains a signed statement produced with the member's
+ * SECP256k1 private key. Anyone with the member's public key can
+ * independently verify the proof without contacting BrightChain.
+ *
+ * The signed statement format (Requirement 4.8):
+ *   "I am {username} on {platform}. My BrightChain ID is {memberId}. Timestamp: {ISO8601}"
+ *
+ * Requirements: 4.1, 4.2, 4.3, 4.4, 4.6, 4.9
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdentityProofService = exports.ProofUrlError = exports.ProofCreationError = exports.UnsupportedPlatformError = void 0;
+const ecies_lib_1 = require("@digitaldefiance/ecies-lib");
+const uuid_1 = require("uuid");
+const bufferUtils_1 = require("../../bufferUtils");
+const proofPlatform_1 = require("../../enumerations/proofPlatform");
+const verificationStatus_1 = require("../../enumerations/verificationStatus");
+// ─── Error classes ──────────────────────────────────────────────────────────
+/**
+ * Error thrown when an unsupported platform is specified.
+ */
+class UnsupportedPlatformError extends Error {
+    constructor(platform) {
+        super(`Unsupported proof platform: "${platform}"`);
+        this.name = 'UnsupportedPlatformError';
+    }
+}
+exports.UnsupportedPlatformError = UnsupportedPlatformError;
+/**
+ * Error thrown when proof creation fails (e.g. member has no private key).
+ */
+class ProofCreationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ProofCreationError';
+    }
+}
+exports.ProofCreationError = ProofCreationError;
+/**
+ * Error thrown when proof URL validation fails.
+ */
+class ProofUrlError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ProofUrlError';
+    }
+}
+exports.ProofUrlError = ProofUrlError;
+// ─── Constants ──────────────────────────────────────────────────────────────
+/**
+ * Set of valid platform values derived from the ProofPlatform enum.
+ */
+const VALID_PLATFORMS = new Set(Object.values(proofPlatform_1.ProofPlatform));
+/**
+ * Platform-specific instructions for posting identity proofs.
+ *
+ * Requirement 4.9: Return instructions for posting the signed statement.
+ */
+const PLATFORM_INSTRUCTIONS = {
+    [proofPlatform_1.ProofPlatform.TWITTER]: 'Post the signed statement as a tweet on Twitter/X and provide the tweet URL.',
+    [proofPlatform_1.ProofPlatform.GITHUB]: 'Create a public GitHub Gist containing the signed statement and provide the Gist URL.',
+    [proofPlatform_1.ProofPlatform.REDDIT]: 'Post the signed statement as a Reddit comment or text post and provide the permalink URL.',
+    [proofPlatform_1.ProofPlatform.WEBSITE]: 'Add the signed statement to a publicly accessible page on your website and provide the page URL.',
+    [proofPlatform_1.ProofPlatform.BITCOIN]: 'Sign a message with your Bitcoin address containing the signed statement and provide a verification URL.',
+    [proofPlatform_1.ProofPlatform.ETHEREUM]: 'Sign a message with your Ethereum address containing the signed statement and provide a verification URL.',
+};
+/**
+ * Default instruction returned for unrecognised platforms.
+ */
+const DEFAULT_INSTRUCTION = 'Post the signed statement publicly and provide the URL where it can be verified.';
+// ─── Service ────────────────────────────────────────────────────────────────
+/**
+ * Service for creating and verifying cryptographic identity proofs.
+ *
+ * Identity proofs link a BrightChain member to an external platform
+ * account by signing a standardised statement with the member's
+ * SECP256k1 private key. The proof can be independently verified by
+ * anyone with the member's public key.
+ *
+ * All methods are static — the service is stateless and safe to call
+ * from any context (browser or Node.js).
+ *
+ * @example
+ * ```typescript
+ * const eciesService = ServiceProvider.getInstance().eciesService;
+ * const member = PaperKeyService.recoverFromPaperKey(paperKey, eciesService);
+ *
+ * // Create a proof
+ * const proof = IdentityProofService.create(member, ProofPlatform.GITHUB, 'octocat');
+ *
+ * // Verify the proof
+ * const isValid = IdentityProofService.verify(proof, member.publicKey, eciesService);
+ *
+ * // Get posting instructions
+ * const instructions = IdentityProofService.getInstructions(ProofPlatform.GITHUB);
+ * ```
+ */
+class IdentityProofService {
+    /**
+     * Create a new identity proof by signing a statement with the member's
+     * SECP256k1 private key.
+     *
+     * The signed statement follows the format defined in Requirement 4.8:
+     *   "I am {username} on {platform}. My BrightChain ID is {memberId}. Timestamp: {ISO8601}"
+     *
+     * **Validates: Requirements 4.1, 4.2, 4.3**
+     *
+     * @param member   - The member creating the proof (must have private key loaded)
+     * @param platform - The target platform (must be a valid {@link ProofPlatform} value)
+     * @param username - The member's username on the target platform
+     * @returns A new {@link IIdentityProof} with status {@link VerificationStatus.PENDING}
+     * @throws {UnsupportedPlatformError} If the platform is not a valid {@link ProofPlatform}
+     * @throws {ProofCreationError} If the member has no private key loaded
+     */
+    static create(member, platform, username) {
+        // Validate platform
+        if (!VALID_PLATFORMS.has(platform)) {
+            throw new UnsupportedPlatformError(platform);
+        }
+        // Validate member has private key for signing
+        if (!member.hasPrivateKey) {
+            throw new ProofCreationError('Member must have a private key loaded to create identity proofs');
+        }
+        // Validate username is non-empty
+        if (!username || username.trim().length === 0) {
+            throw new ProofCreationError('Username must not be empty');
+        }
+        const trimmedUsername = username.trim();
+        const timestamp = new Date().toISOString();
+        const memberId = (0, ecies_lib_1.uint8ArrayToHex)(member.idBytes);
+        // Requirement 4.8: Signed statement format
+        const statement = `I am ${trimmedUsername} on ${platform}. My BrightChain ID is ${memberId}. Timestamp: ${timestamp}`;
+        // Requirement 4.3: Sign with SECP256k1 private key
+        const statementBytes = (0, bufferUtils_1.stringToUint8Array)(statement);
+        const signature = member.sign(statementBytes);
+        const signatureHex = (0, ecies_lib_1.uint8ArrayToHex)(signature);
+        return {
+            id: (0, uuid_1.v4)(),
+            memberId,
+            platform,
+            username: trimmedUsername,
+            proofUrl: '',
+            signedStatement: statement,
+            signature: signatureHex,
+            createdAt: new Date(),
+            verificationStatus: verificationStatus_1.VerificationStatus.PENDING,
+        };
+    }
+    /**
+     * Verify an identity proof's signature using a public key.
+     *
+     * Reconstructs the signature from its hex encoding and verifies it
+     * against the signed statement using the ECIESService's ECDSA
+     * verification.
+     *
+     * **Validates: Requirement 4.4**
+     *
+     * @param proof        - The identity proof to verify
+     * @param publicKey    - The SECP256k1 public key to verify against (raw bytes)
+     * @param eciesService - The ECIES service instance for signature verification
+     * @returns `true` if the signature is valid for the given public key
+     */
+    static verify(proof, publicKey, eciesService) {
+        try {
+            const statementBytes = (0, bufferUtils_1.stringToUint8Array)(proof.signedStatement);
+            const signatureBytes = (0, ecies_lib_1.hexToUint8Array)(proof.signature);
+            return eciesService.verifyMessage(publicKey, statementBytes, signatureBytes);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Check whether a proof URL contains the expected signed statement.
+     *
+     * Fetches the proof URL and checks that the response body includes
+     * the full signed statement text. This is used for initial verification
+     * and periodic re-verification (Requirement 4.10).
+     *
+     * **Validates: Requirement 4.6**
+     *
+     * @param proof - The identity proof whose URL to check
+     * @returns A promise resolving to `true` if the URL is accessible and
+     *          contains the signed statement, `false` otherwise
+     */
+    static async checkProofUrl(proof) {
+        if (!proof.proofUrl || proof.proofUrl.trim().length === 0) {
+            return false;
+        }
+        try {
+            const response = await fetch(proof.proofUrl);
+            if (!response.ok) {
+                return false;
+            }
+            const content = await response.text();
+            return content.includes(proof.signedStatement);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Get platform-specific instructions for posting an identity proof.
+     *
+     * Returns human-readable instructions explaining how to post the
+     * signed statement on the specified platform and what URL to provide
+     * for verification.
+     *
+     * **Validates: Requirement 4.9**
+     *
+     * @param platform - The target platform
+     * @returns Instructions string for the specified platform, or a generic
+     *          fallback for unrecognised platforms
+     */
+    static getInstructions(platform) {
+        if (VALID_PLATFORMS.has(platform)) {
+            return PLATFORM_INSTRUCTIONS[platform];
+        }
+        return DEFAULT_INSTRUCTION;
+    }
+    /**
+     * Build the signed statement string for a given set of parameters.
+     *
+     * This is a utility method that produces the statement text without
+     * signing it. Useful for previewing the statement before creation.
+     *
+     * @param username  - The member's username on the target platform
+     * @param platform  - The target platform
+     * @param memberId  - The member's hex-encoded ID
+     * @param timestamp - ISO 8601 timestamp string
+     * @returns The formatted statement string per Requirement 4.8
+     */
+    static buildStatement(username, platform, memberId, timestamp) {
+        return `I am ${username} on ${platform}. My BrightChain ID is ${memberId}. Timestamp: ${timestamp}`;
+    }
+}
+exports.IdentityProofService = IdentityProofService;
+//# sourceMappingURL=identityProofService.js.map

package/src/lib/services/identity/identityProofService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identityProofService.js","sourceRoot":"","sources":["../../../../../../brightchain-lib/src/lib/services/identity/identityProofService.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAEH,0DAOoC;AACpC,+BAAoC;AAEpC,mDAAuD;AACvD,oEAAiE;AACjE,8EAA2E;AAG3E,+EAA+E;AAE/E;;GAEG;AACH,MAAa,wBAAyB,SAAQ,KAAK;IACjD,YAAY,QAAgB;QAC1B,KAAK,CAAC,gCAAgC,QAAQ,GAAG,CAAC,CAAC;QACnD,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AALD,4DAKC;AAED;;GAEG;AACH,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AALD,gDAKC;AAED;;GAEG;AACH,MAAa,aAAc,SAAQ,KAAK;IACtC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AALD,sCAKC;AAED,+EAA+E;AAE/E;;GAEG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,MAAM,CAAC,6BAAa,CAAC,CAAC,CAAC;AAEtE;;;;GAIG;AACH,MAAM,qBAAqB,GAA4C;IACrE,CAAC,6BAAa,CAAC,OAAO,CAAC,EACrB,8EAA8E;IAChF,CAAC,6BAAa,CAAC,MAAM,CAAC,EACpB,uFAAuF;IACzF,CAAC,6BAAa,CAAC,MAAM,CAAC,EACpB,2FAA2F;IAC7F,CAAC,6BAAa,CAAC,OAAO,CAAC,EACrB,kGAAkG;IACpG,CAAC,6BAAa,CAAC,OAAO,CAAC,EACrB,0GAA0G;IAC5G,CAAC,6BAAa,CAAC,QAAQ,CAAC,EACtB,2GAA2G;CAC9G,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GACvB,kFAAkF,CAAC;AAErF,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAa,oBAAoB;IAC/B;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CAAC,MAAM,CACX,MAAmB,EACnB,QAAuB,EACvB,QAAgB;QAEhB,oBAAoB;QACpB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QAC/C,CAAC;QAED,8CAA8C;QAC9C,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,IAAI,kBAAkB,CAC1B,iEAAiE,CAClE,CAAC;QACJ,CAAC;QAED,iCAAiC;QACjC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,kBAAkB,CAAC,4BAA4B,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,eAAe,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAA,2BAAe,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEjD,2CAA2C;QAC3C,MAAM,SAAS,GAAG,QAAQ,eAAe,OAAO,QAAQ,0BAA0B,QAAQ,gBAAgB,SAAS,EAAE,CAAC;QAEtH,mDAAmD;QACnD,MAAM,cAAc,GAAG,IAAA,gCAAkB,EAAC,SAAS,CAAC,CAAC;QACrD,MAAM,SAAS,GAAwB,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACnE,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,SAAS,CAAC,CAAC;QAEhD,OAAO;YACL,EAAE,EAAE,IAAA,SAAM,GAAE;YACZ,QAAQ;YACR,QAAQ;YACR,QAAQ,EAAE,eAAe;YACzB,QAAQ,EAAE,EAAE;YACZ,eAAe,EAAE,SAAS;YAC1B,SAAS,EAAE,YAAY;YACvB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,kBAAkB,EAAE,uCAAkB,CAAC,OAAO;SAC/C,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,MAAM,CACX,KAAqB,EACrB,SAAqB,EACrB,YAA+B;QAE/B,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,IAAA,gCAAkB,EAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YACjE,MAAM,cAAc,GAAG,IAAA,2BAAe,EACpC,KAAK,CAAC,SAAS,CACO,CAAC;YAEzB,OAAO,YAAY,CAAC,aAAa,CAC/B,SAAS,EACT,cAAc,EACd,cAAc,CACf,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,KAAqB;QAC9C,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC7C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACtC,OAAO,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,eAAe,CAAC,QAAgC;QACrD,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,OAAO,qBAAqB,CAAC,QAAyB,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IAED;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,cAAc,CACnB,QAAgB,EAChB,QAAgC,EAChC,QAAgB,EAChB,SAAiB;QAEjB,OAAO,QAAQ,QAAQ,OAAO,QAAQ,0BAA0B,QAAQ,gBAAgB,SAAS,EAAE,CAAC;IACtG,CAAC;CACF;AAzKD,oDAyKC"}

package/src/lib/services/identity/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Identity services for the BrightChain identity system.
+ *
+ * Provides paper key management, split paper keys, device provisioning,
+ * identity proofs, and public key directory services.
+ */
+export * from './deviceProvisioningService';
+export * from './identityProofService';
+export * from './memberIdentityProofService';
+export * from './memberPaperKeyService';
+export * from './paperKeyService';
+export * from './publicKeyDirectoryService';
+export * from './splitPaperKeyService';
+//# sourceMappingURL=index.d.ts.map

package/src/lib/services/identity/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../brightchain-lib/src/lib/services/identity/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,6BAA6B,CAAC;AAC5C,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,wBAAwB,CAAC"}

package/src/lib/services/identity/index.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * Identity services for the BrightChain identity system.
+ *
+ * Provides paper key management, split paper keys, device provisioning,
+ * identity proofs, and public key directory services.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./deviceProvisioningService"), exports);
+tslib_1.__exportStar(require("./identityProofService"), exports);
+tslib_1.__exportStar(require("./memberIdentityProofService"), exports);
+tslib_1.__exportStar(require("./memberPaperKeyService"), exports);
+tslib_1.__exportStar(require("./paperKeyService"), exports);
+tslib_1.__exportStar(require("./publicKeyDirectoryService"), exports);
+tslib_1.__exportStar(require("./splitPaperKeyService"), exports);
+//# sourceMappingURL=index.js.map

package/src/lib/services/identity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../brightchain-lib/src/lib/services/identity/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,sEAA4C;AAC5C,iEAAuC;AACvC,uEAA6C;AAC7C,kEAAwC;AACxC,4DAAkC;AAClC,sEAA4C;AAC5C,iEAAuC"}