@clanker-chain/identity-node-client 0.0.1

package/README.md

@@ -0,0 +1,87 @@
+### identity-node-client
+
+Node/TypeScript client for the Bun-based identity service in this repo.
+
+---
+
+## Purpose
+
+- Manage Ed25519 keys for a bot under `~/.openclaw/keys/{bot_id}.key`.
+- Talk to the identity service over HTTP:
+  - `init()` — **verify only**: ensures the operator and bot exist and this bot's public key is registered (no POSTs; operator must mint the bot first).
+  - `GET /v1/operators/{id}`, `GET /v1/bots/{id}` for lookups.
+- Produce canonical Ed25519 signatures for identity-aware messages that match the `bot-comms.md` design.
+
+This is intended to be wrapped in an OpenClaw skill/tool so agents can call `identity_init` and `identity_sign` without handling HTTP or key management directly.
+
+---
+
+## Installation
+
+From this repo:
+
+```bash
+cd identity-node-client
+npm install
+npm run build
+```
+
+You can then import the built library from `dist/` or reference the TypeScript source in your own tooling.
+
+---
+
+## Basic usage
+
+```ts
+import { IdentityClient, type IdentityMessageEnvelope } from "./dist/index.js";
+
+const client = new IdentityClient({
+  botId: "openclaw.france.prod-1",
+  operatorId: "org.openclaw.pat",
+  identityServiceUrl: "http://localhost:8080",
+});
+
+// One-time (idempotent) init on startup: verifies operator and bot exist and this bot's key is registered.
+// The operator must have minted the bot (e.g. via identity-service CLI mint-bot) with this bot's public key first.
+await client.init();
+
+// Later, when sending a message:
+const envelope: IdentityMessageEnvelope = {
+  from: "france-bot",
+  from_id: "openclaw.france.prod-1",
+  operator_id: "org.openclaw.pat",
+  to: "tooter-bot",
+  to_id: "openclaw.tooter.prod-1",
+  type: "coordination",
+  subtype: "task-claim",
+  timestamp: new Date().toISOString(),
+  message_id: "uuid-here",
+  correlation_id: undefined,
+  body: {
+    action: "claim_task",
+    task_id: "task-123",
+  },
+};
+
+const { signature, signature_scheme } = await client.signMessage(envelope);
+const signedEnvelope = { ...envelope, signature, signature_scheme };
+```
+
+---
+
+## Environment variables
+
+- `IDENTITY_SERVICE_URL` — default base URL for the identity service (fallback: `http://localhost:8080`).
+- The identity service uses proof-based auth (signatures); no admin token is required for init or lookups.
+
+---
+
+## Integration with OpenClaw skills (sketch)
+
+In an OpenClaw workspace skill, you can wrap this client behind a tool like:
+
+- `identity_init(bot_id, operator_id)` — calls `client.init()`.
+- `identity_sign(envelope)` — calls `client.signMessage(envelope)` and returns the signature to the agent.
+
+That way, the agent never needs to know about HTTP details or key storage locations; it just invokes the skill’s tools.
+

package/dist/index.d.ts

@@ -0,0 +1,66 @@
+import type { BotRecord, IdentityMessageEnvelope } from "./types.js";
+export interface IdentityClientOptions {
+    botId: string;
+    operatorId: string;
+    /**
+     * Base URL of the identity service, e.g. "http://localhost:8080".
+     * Defaults to process.env.IDENTITY_SERVICE_URL or http://localhost:8080.
+     */
+    identityServiceUrl?: string;
+    /**
+     * Path to the private key file. Defaults to ~/.openclaw/keys/{botId}.key
+     */
+    keyPath?: string;
+    /**
+     * Admin token for write calls if required by the service.
+     * Defaults to process.env.IDENTITY_ADMIN_TOKEN.
+     */
+    adminToken?: string;
+}
+export declare class IdentityClient {
+    private readonly botId;
+    private readonly operatorId;
+    private readonly baseUrl;
+    private readonly keyPath;
+    private readonly adminToken?;
+    constructor(options: IdentityClientOptions);
+    /**
+     * Ensure a private key exists on disk, returning the 32-byte private key.
+     */
+    private loadOrCreatePrivateKey;
+    /**
+     * Derive the base64-encoded public key from the local private key.
+     */
+    getPublicKeyBase64(): Promise<string>;
+    private authHeaders;
+    private postJson;
+    private getJson;
+    /**
+     * Verify that the operator and bot exist in the identity service and that
+     * this instance's public key is registered on the bot. Does not create
+     * operator or bot; they must be minted by the operator first.
+     * Safe to call multiple times.
+     */
+    init(): Promise<void>;
+    getBot(): Promise<BotRecord>;
+    /**
+     * Canonical JSON serialization used for signing, following bot-comms.md.
+     */
+    private static canonicalizeForSignature;
+    /**
+     * Sign a message envelope using the local Ed25519 private key.
+     * Returns base64(signature) and signature_scheme.
+     */
+    signMessage(msg: IdentityMessageEnvelope): Promise<{
+        signature: string;
+        signature_scheme: "ed25519";
+    }>;
+    /**
+     * Issue a short-lived JWT for MQTT broker authentication (EdDSA / Ed25519).
+     * Use as the MQTT CONNECT password with username = bot_id.
+     * @param ttlSec Token lifetime in seconds (default 300).
+     * @returns Compact JWT string.
+     */
+    issueMqttToken(ttlSec?: number): Promise<string>;
+}
+export * from "./types.js";

package/dist/index.js

@@ -0,0 +1,198 @@
+import { promises as fs } from "fs";
+import path from "path";
+import os from "os";
+import * as ed25519 from "@noble/ed25519";
+import { SignJWT, importJWK } from "jose";
+const MQTT_TOKEN_AUD = "clanker-mqtt";
+function base64url(buf) {
+    return Buffer.from(buf)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+export class IdentityClient {
+    constructor(options) {
+        this.botId = options.botId;
+        this.operatorId = options.operatorId;
+        this.baseUrl = options.identityServiceUrl ?? process.env.IDENTITY_SERVICE_URL ?? "http://localhost:8080";
+        const defaultKeyPath = path.join(os.homedir(), ".openclaw", "keys", `${this.botId}.key`);
+        this.keyPath = options.keyPath ?? defaultKeyPath;
+        this.adminToken = options.adminToken ?? process.env.IDENTITY_ADMIN_TOKEN;
+    }
+    /**
+     * Ensure a private key exists on disk, returning the 32-byte private key.
+     */
+    async loadOrCreatePrivateKey() {
+        try {
+            const raw = await fs.readFile(this.keyPath, "utf8");
+            const bytes = Buffer.from(raw.trim(), "base64");
+            if (bytes.length !== 32) {
+                throw new Error("invalid key length");
+            }
+            return new Uint8Array(bytes);
+        }
+        catch {
+            await fs.mkdir(path.dirname(this.keyPath), { recursive: true });
+            const priv = ed25519.utils.randomPrivateKey();
+            const b64 = Buffer.from(priv).toString("base64");
+            await fs.writeFile(this.keyPath, `${b64}\n`, { encoding: "utf8", mode: 0o600 });
+            return priv;
+        }
+    }
+    /**
+     * Derive the base64-encoded public key from the local private key.
+     */
+    async getPublicKeyBase64() {
+        const priv = await this.loadOrCreatePrivateKey();
+        const pub = await ed25519.getPublicKeyAsync(priv);
+        return Buffer.from(pub).toString("base64");
+    }
+    authHeaders() {
+        const headers = { "content-type": "application/json" };
+        if (this.adminToken) {
+            headers["authorization"] = `Bearer ${this.adminToken}`;
+        }
+        return headers;
+    }
+    async postJson(pathName, body, requireAuth = false) {
+        const url = new URL(pathName, this.baseUrl).toString();
+        const headers = { "content-type": "application/json" };
+        if (requireAuth && this.adminToken) {
+            headers["authorization"] = `Bearer ${this.adminToken}`;
+        }
+        const res = await fetch(url, {
+            method: "POST",
+            headers,
+            body: JSON.stringify(body),
+        });
+        const text = await res.text();
+        let parsed;
+        try {
+            parsed = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`Unexpected response from identity service: ${text}`);
+        }
+        if (!res.ok) {
+            const err = parsed;
+            throw new Error(err.message || err.error || `HTTP ${res.status}`);
+        }
+        return parsed;
+    }
+    async getJson(pathName) {
+        const url = new URL(pathName, this.baseUrl).toString();
+        const res = await fetch(url, { method: "GET" });
+        const text = await res.text();
+        let parsed;
+        try {
+            parsed = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`Unexpected response from identity service: ${text}`);
+        }
+        if (!res.ok) {
+            const err = parsed;
+            throw new Error(err.message || err.error || `HTTP ${res.status}`);
+        }
+        return parsed;
+    }
+    /**
+     * Verify that the operator and bot exist in the identity service and that
+     * this instance's public key is registered on the bot. Does not create
+     * operator or bot; they must be minted by the operator first.
+     * Safe to call multiple times.
+     */
+    async init() {
+        try {
+            await this.getJson(`/v1/operators/${encodeURIComponent(this.operatorId)}`);
+        }
+        catch {
+            throw new Error("Operator not registered. Operator must be minted first (genesis or mint-operator).");
+        }
+        let bot;
+        try {
+            bot = await this.getJson(`/v1/bots/${encodeURIComponent(this.botId)}`);
+        }
+        catch {
+            throw new Error("Bot not registered or key not found; operator must mint this bot with your public key.");
+        }
+        const publicKey = await this.getPublicKeyBase64();
+        const hasKey = bot.public_keys?.some((k) => k.public_key === publicKey && k.status === "active") ?? false;
+        if (!hasKey) {
+            throw new Error("Bot not registered or key not found; operator must mint this bot with your public key.");
+        }
+    }
+    async getBot() {
+        return this.getJson(`/v1/bots/${encodeURIComponent(this.botId)}`);
+    }
+    /**
+     * Canonical JSON serialization used for signing, following bot-comms.md.
+     */
+    static canonicalizeForSignature(msg) {
+        const canonicalFields = {
+            body: msg.body,
+            correlation_id: msg.correlation_id,
+            from: msg.from,
+            from_id: msg.from_id,
+            message_id: msg.message_id,
+            operator_id: msg.operator_id,
+            subtype: msg.subtype,
+            timestamp: msg.timestamp,
+            to: msg.to,
+            to_id: msg.to_id,
+            type: msg.type,
+        };
+        for (const key of Object.keys(canonicalFields)) {
+            if (canonicalFields[key] === undefined || canonicalFields[key] === null) {
+                // eslint-disable-next-line @typescript-eslint/no-dynamic-delete
+                delete canonicalFields[key];
+            }
+        }
+        const sortedKeys = Object.keys(canonicalFields).sort();
+        return JSON.stringify(canonicalFields, sortedKeys);
+    }
+    /**
+     * Sign a message envelope using the local Ed25519 private key.
+     * Returns base64(signature) and signature_scheme.
+     */
+    async signMessage(msg) {
+        const priv = await this.loadOrCreatePrivateKey();
+        const canonical = IdentityClient.canonicalizeForSignature(msg);
+        const bytes = new TextEncoder().encode(canonical);
+        const sig = await ed25519.signAsync(bytes, priv);
+        return {
+            signature: Buffer.from(sig).toString("base64"),
+            signature_scheme: "ed25519",
+        };
+    }
+    /**
+     * Issue a short-lived JWT for MQTT broker authentication (EdDSA / Ed25519).
+     * Use as the MQTT CONNECT password with username = bot_id.
+     * @param ttlSec Token lifetime in seconds (default 300).
+     * @returns Compact JWT string.
+     */
+    async issueMqttToken(ttlSec = 300) {
+        const priv = await this.loadOrCreatePrivateKey();
+        const pub = await ed25519.getPublicKeyAsync(priv);
+        const jwk = {
+            kty: "OKP",
+            crv: "Ed25519",
+            d: base64url(priv),
+            x: base64url(pub),
+        };
+        const key = await importJWK(jwk, "EdDSA");
+        if (!key) {
+            throw new Error("Failed to import key for MQTT token");
+        }
+        const exp = Math.floor(Date.now() / 1000) + ttlSec;
+        const jwt = await new SignJWT({})
+            .setProtectedHeader({ alg: "EdDSA", typ: "JWT" })
+            .setSubject(this.botId)
+            .setAudience(MQTT_TOKEN_AUD)
+            .setExpirationTime(exp)
+            .sign(key);
+        return jwt;
+    }
+}
+export * from "./types.js";

package/dist/types.d.ts

@@ -0,0 +1,47 @@
+export type PublicKeyStatus = "active" | "revoked";
+export interface PublicKeyRecord {
+    key_id: string;
+    algorithm: string;
+    public_key: string;
+    created: string;
+    status: PublicKeyStatus;
+    metadata?: Record<string, unknown>;
+}
+export interface OperatorRecord {
+    operator_id: string;
+    display_name?: string;
+    public_keys?: PublicKeyRecord[];
+    status: "active" | "suspended" | "retired";
+    created: string;
+    updated: string;
+    metadata?: Record<string, unknown>;
+}
+export interface BotRecord {
+    bot_id: string;
+    display_name?: string;
+    operator_id: string;
+    aliases?: string[];
+    public_keys?: PublicKeyRecord[];
+    status: "active" | "suspended" | "retired";
+    created: string;
+    updated: string;
+    metadata?: Record<string, unknown>;
+}
+export interface IdentityMessageEnvelope {
+    from: string;
+    from_id: string;
+    operator_id: string;
+    to?: string;
+    to_id?: string;
+    type: string;
+    subtype?: string;
+    channel?: string;
+    timestamp: string;
+    message_id: string;
+    correlation_id?: string;
+    privacy?: "default" | "private" | "encrypted";
+    encrypted?: boolean;
+    encryption_scheme?: string | null;
+    identity_token?: string | null;
+    body: unknown;
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@clanker-chain/identity-node-client",
+  "version": "0.0.1",
+  "private": false,
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  },
+  "dependencies": {
+    "@noble/ed25519": "^2.1.0",
+    "jose": "^5.9.6"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "@types/node": "^22.10.2"
+  }
+}
+

package/src/index.ts

@@ -0,0 +1,252 @@
+import { promises as fs } from "fs";
+import path from "path";
+import os from "os";
+import * as ed25519 from "@noble/ed25519";
+import { SignJWT, importJWK } from "jose";
+import type { BotRecord, IdentityMessageEnvelope, OperatorRecord, PublicKeyRecord } from "./types.js";
+
+const MQTT_TOKEN_AUD = "clanker-mqtt";
+
+function base64url(buf: Uint8Array): string {
+  return Buffer.from(buf)
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
+export interface IdentityClientOptions {
+  botId: string;
+  operatorId: string;
+  /**
+   * Base URL of the identity service, e.g. "http://localhost:8080".
+   * Defaults to process.env.IDENTITY_SERVICE_URL or http://localhost:8080.
+   */
+  identityServiceUrl?: string;
+  /**
+   * Path to the private key file. Defaults to ~/.openclaw/keys/{botId}.key
+   */
+  keyPath?: string;
+  /**
+   * Admin token for write calls if required by the service.
+   * Defaults to process.env.IDENTITY_ADMIN_TOKEN.
+   */
+  adminToken?: string;
+}
+
+export class IdentityClient {
+  private readonly botId: string;
+  private readonly operatorId: string;
+  private readonly baseUrl: string;
+  private readonly keyPath: string;
+  private readonly adminToken?: string;
+
+  constructor(options: IdentityClientOptions) {
+    this.botId = options.botId;
+    this.operatorId = options.operatorId;
+    this.baseUrl = options.identityServiceUrl ?? process.env.IDENTITY_SERVICE_URL ?? "http://localhost:8080";
+    const defaultKeyPath = path.join(os.homedir(), ".openclaw", "keys", `${this.botId}.key`);
+    this.keyPath = options.keyPath ?? defaultKeyPath;
+    this.adminToken = options.adminToken ?? process.env.IDENTITY_ADMIN_TOKEN;
+  }
+
+  /**
+   * Ensure a private key exists on disk, returning the 32-byte private key.
+   */
+  private async loadOrCreatePrivateKey(): Promise<Uint8Array> {
+    try {
+      const raw = await fs.readFile(this.keyPath, "utf8");
+      const bytes = Buffer.from(raw.trim(), "base64");
+      if (bytes.length !== 32) {
+        throw new Error("invalid key length");
+      }
+      return new Uint8Array(bytes);
+    } catch {
+      await fs.mkdir(path.dirname(this.keyPath), { recursive: true });
+      const priv = ed25519.utils.randomPrivateKey();
+      const b64 = Buffer.from(priv).toString("base64");
+      await fs.writeFile(this.keyPath, `${b64}\n`, { encoding: "utf8", mode: 0o600 });
+      return priv;
+    }
+  }
+
+  /**
+   * Derive the base64-encoded public key from the local private key.
+   */
+  async getPublicKeyBase64(): Promise<string> {
+    const priv = await this.loadOrCreatePrivateKey();
+    const pub = await ed25519.getPublicKeyAsync(priv);
+    return Buffer.from(pub).toString("base64");
+  }
+
+  private authHeaders(): HeadersInit {
+    const headers: HeadersInit = { "content-type": "application/json" };
+    if (this.adminToken) {
+      headers["authorization"] = `Bearer ${this.adminToken}`;
+    }
+    return headers;
+  }
+
+  private async postJson<T>(pathName: string, body: unknown, requireAuth = false): Promise<T> {
+    const url = new URL(pathName, this.baseUrl).toString();
+    const headers: HeadersInit = { "content-type": "application/json" };
+    if (requireAuth && this.adminToken) {
+      headers["authorization"] = `Bearer ${this.adminToken}`;
+    }
+    const res = await fetch(url, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+    });
+    const text = await res.text();
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      throw new Error(`Unexpected response from identity service: ${text}`);
+    }
+    if (!res.ok) {
+      const err = parsed as { error?: string; message?: string };
+      throw new Error(err.message || err.error || `HTTP ${res.status}`);
+    }
+    return parsed as T;
+  }
+
+  private async getJson<T>(pathName: string): Promise<T> {
+    const url = new URL(pathName, this.baseUrl).toString();
+    const res = await fetch(url, { method: "GET" });
+    const text = await res.text();
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      throw new Error(`Unexpected response from identity service: ${text}`);
+    }
+    if (!res.ok) {
+      const err = parsed as { error?: string; message?: string };
+      throw new Error(err.message || err.error || `HTTP ${res.status}`);
+    }
+    return parsed as T;
+  }
+
+  /**
+   * Verify that the operator and bot exist in the identity service and that
+   * this instance's public key is registered on the bot. Does not create
+   * operator or bot; they must be minted by the operator first.
+   * Safe to call multiple times.
+   */
+  async init(): Promise<void> {
+    try {
+      await this.getJson<OperatorRecord>(
+        `/v1/operators/${encodeURIComponent(this.operatorId)}`,
+      );
+    } catch {
+      throw new Error(
+        "Operator not registered. Operator must be minted first (genesis or mint-operator).",
+      );
+    }
+
+    let bot: BotRecord;
+    try {
+      bot = await this.getJson<BotRecord>(
+        `/v1/bots/${encodeURIComponent(this.botId)}`,
+      );
+    } catch {
+      throw new Error(
+        "Bot not registered or key not found; operator must mint this bot with your public key.",
+      );
+    }
+
+    const publicKey = await this.getPublicKeyBase64();
+    const hasKey =
+      bot.public_keys?.some(
+        (k) => k.public_key === publicKey && k.status === "active",
+      ) ?? false;
+    if (!hasKey) {
+      throw new Error(
+        "Bot not registered or key not found; operator must mint this bot with your public key.",
+      );
+    }
+  }
+
+  async getBot(): Promise<BotRecord> {
+    return this.getJson<BotRecord>(`/v1/bots/${encodeURIComponent(this.botId)}`);
+  }
+
+  /**
+   * Canonical JSON serialization used for signing, following bot-comms.md.
+   */
+  private static canonicalizeForSignature(msg: IdentityMessageEnvelope): string {
+    const canonicalFields: Record<string, unknown> = {
+      body: msg.body,
+      correlation_id: msg.correlation_id,
+      from: msg.from,
+      from_id: msg.from_id,
+      message_id: msg.message_id,
+      operator_id: msg.operator_id,
+      subtype: msg.subtype,
+      timestamp: msg.timestamp,
+      to: msg.to,
+      to_id: msg.to_id,
+      type: msg.type,
+    };
+    for (const key of Object.keys(canonicalFields)) {
+      if (canonicalFields[key] === undefined || canonicalFields[key] === null) {
+        // eslint-disable-next-line @typescript-eslint/no-dynamic-delete
+        delete canonicalFields[key];
+      }
+    }
+    const sortedKeys = Object.keys(canonicalFields).sort();
+    return JSON.stringify(canonicalFields, sortedKeys as (keyof typeof canonicalFields)[]);
+  }
+
+  /**
+   * Sign a message envelope using the local Ed25519 private key.
+   * Returns base64(signature) and signature_scheme.
+   */
+  async signMessage(msg: IdentityMessageEnvelope): Promise<{
+    signature: string;
+    signature_scheme: "ed25519";
+  }> {
+    const priv = await this.loadOrCreatePrivateKey();
+    const canonical = IdentityClient.canonicalizeForSignature(msg);
+    const bytes = new TextEncoder().encode(canonical);
+    const sig = await ed25519.signAsync(bytes, priv);
+    return {
+      signature: Buffer.from(sig).toString("base64"),
+      signature_scheme: "ed25519",
+    };
+  }
+
+  /**
+   * Issue a short-lived JWT for MQTT broker authentication (EdDSA / Ed25519).
+   * Use as the MQTT CONNECT password with username = bot_id.
+   * @param ttlSec Token lifetime in seconds (default 300).
+   * @returns Compact JWT string.
+   */
+  async issueMqttToken(ttlSec: number = 300): Promise<string> {
+    const priv = await this.loadOrCreatePrivateKey();
+    const pub = await ed25519.getPublicKeyAsync(priv);
+    const jwk = {
+      kty: "OKP" as const,
+      crv: "Ed25519" as const,
+      d: base64url(priv),
+      x: base64url(pub),
+    };
+    const key = await importJWK(jwk, "EdDSA");
+    if (!key) {
+      throw new Error("Failed to import key for MQTT token");
+    }
+    const exp = Math.floor(Date.now() / 1000) + ttlSec;
+    const jwt = await new SignJWT({})
+      .setProtectedHeader({ alg: "EdDSA", typ: "JWT" })
+      .setSubject(this.botId)
+      .setAudience(MQTT_TOKEN_AUD)
+      .setExpirationTime(exp)
+      .sign(key);
+    return jwt;
+  }
+}
+
+export * from "./types.js";
+

package/src/types.ts

@@ -0,0 +1,52 @@
+export type PublicKeyStatus = "active" | "revoked";
+
+export interface PublicKeyRecord {
+  key_id: string;
+  algorithm: string;
+  public_key: string;
+  created: string;
+  status: PublicKeyStatus;
+  metadata?: Record<string, unknown>;
+}
+
+export interface OperatorRecord {
+  operator_id: string;
+  display_name?: string;
+  public_keys?: PublicKeyRecord[];
+  status: "active" | "suspended" | "retired";
+  created: string;
+  updated: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface BotRecord {
+  bot_id: string;
+  display_name?: string;
+  operator_id: string;
+  aliases?: string[];
+  public_keys?: PublicKeyRecord[];
+  status: "active" | "suspended" | "retired";
+  created: string;
+  updated: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface IdentityMessageEnvelope {
+  from: string;
+  from_id: string;
+  operator_id: string;
+  to?: string;
+  to_id?: string;
+  type: string;
+  subtype?: string;
+  channel?: string;
+  timestamp: string;
+  message_id: string;
+  correlation_id?: string;
+  privacy?: "default" | "private" | "encrypted";
+  encrypted?: boolean;
+  encryption_scheme?: string | null;
+  identity_token?: string | null;
+  body: unknown;
+}
+

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "node",
+    "declaration": true,
+    "outDir": "dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true,
+    "types": ["node"]
+  },
+  "include": ["src/**/*.ts"]
+}
+