@did-btcr2/cli 0.10.3 → 0.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/.tsbuildinfo +1 -1
- package/dist/cjs/index.js +1028 -114
- package/dist/esm/src/cli.js +31 -13
- package/dist/esm/src/cli.js.map +1 -1
- package/dist/esm/src/commands/completion.js +36 -0
- package/dist/esm/src/commands/completion.js.map +1 -0
- package/dist/esm/src/commands/config.js +69 -0
- package/dist/esm/src/commands/config.js.map +1 -0
- package/dist/esm/src/commands/create.js +109 -30
- package/dist/esm/src/commands/create.js.map +1 -1
- package/dist/esm/src/commands/deactivate.js +21 -8
- package/dist/esm/src/commands/deactivate.js.map +1 -1
- package/dist/esm/src/commands/index.js +4 -0
- package/dist/esm/src/commands/index.js.map +1 -1
- package/dist/esm/src/commands/key.js +175 -0
- package/dist/esm/src/commands/key.js.map +1 -0
- package/dist/esm/src/commands/profile.js +63 -0
- package/dist/esm/src/commands/profile.js.map +1 -0
- package/dist/esm/src/commands/update.js +19 -9
- package/dist/esm/src/commands/update.js.map +1 -1
- package/dist/esm/src/config.js +119 -12
- package/dist/esm/src/config.js.map +1 -1
- package/dist/esm/src/keystore/atomic.js +64 -0
- package/dist/esm/src/keystore/atomic.js.map +1 -0
- package/dist/esm/src/keystore/envelope.js +123 -0
- package/dist/esm/src/keystore/envelope.js.map +1 -0
- package/dist/esm/src/keystore/error.js +16 -0
- package/dist/esm/src/keystore/error.js.map +1 -0
- package/dist/esm/src/keystore/file-backed-key-manager.js +78 -0
- package/dist/esm/src/keystore/file-backed-key-manager.js.map +1 -0
- package/dist/esm/src/keystore/file-key-store.js +184 -0
- package/dist/esm/src/keystore/file-key-store.js.map +1 -0
- package/dist/esm/src/keystore/passphrase.js +87 -0
- package/dist/esm/src/keystore/passphrase.js.map +1 -0
- package/dist/esm/src/keystore/paths.js +20 -0
- package/dist/esm/src/keystore/paths.js.map +1 -0
- package/dist/esm/src/keystore/resolve-key-ref.js +47 -0
- package/dist/esm/src/keystore/resolve-key-ref.js.map +1 -0
- package/dist/types/src/cli.d.ts +6 -2
- package/dist/types/src/cli.d.ts.map +1 -1
- package/dist/types/src/commands/completion.d.ts +5 -0
- package/dist/types/src/commands/completion.d.ts.map +1 -0
- package/dist/types/src/commands/config.d.ts +5 -0
- package/dist/types/src/commands/config.d.ts.map +1 -0
- package/dist/types/src/commands/create.d.ts +19 -1
- package/dist/types/src/commands/create.d.ts.map +1 -1
- package/dist/types/src/commands/deactivate.d.ts.map +1 -1
- package/dist/types/src/commands/index.d.ts +4 -0
- package/dist/types/src/commands/index.d.ts.map +1 -1
- package/dist/types/src/commands/key.d.ts +10 -0
- package/dist/types/src/commands/key.d.ts.map +1 -0
- package/dist/types/src/commands/profile.d.ts +5 -0
- package/dist/types/src/commands/profile.d.ts.map +1 -0
- package/dist/types/src/commands/update.d.ts.map +1 -1
- package/dist/types/src/config.d.ts +57 -5
- package/dist/types/src/config.d.ts.map +1 -1
- package/dist/types/src/keystore/atomic.d.ts +19 -0
- package/dist/types/src/keystore/atomic.d.ts.map +1 -0
- package/dist/types/src/keystore/envelope.d.ts +64 -0
- package/dist/types/src/keystore/envelope.d.ts.map +1 -0
- package/dist/types/src/keystore/error.d.ts +14 -0
- package/dist/types/src/keystore/error.d.ts.map +1 -0
- package/dist/types/src/keystore/file-backed-key-manager.d.ts +41 -0
- package/dist/types/src/keystore/file-backed-key-manager.d.ts.map +1 -0
- package/dist/types/src/keystore/file-key-store.d.ts +52 -0
- package/dist/types/src/keystore/file-key-store.d.ts.map +1 -0
- package/dist/types/src/keystore/passphrase.d.ts +20 -0
- package/dist/types/src/keystore/passphrase.d.ts.map +1 -0
- package/dist/types/src/keystore/paths.d.ts +13 -0
- package/dist/types/src/keystore/paths.d.ts.map +1 -0
- package/dist/types/src/keystore/resolve-key-ref.d.ts +19 -0
- package/dist/types/src/keystore/resolve-key-ref.d.ts.map +1 -0
- package/dist/types/src/types.d.ts +93 -5
- package/dist/types/src/types.d.ts.map +1 -1
- package/package.json +9 -4
- package/src/cli.ts +37 -12
- package/src/commands/completion.ts +40 -0
- package/src/commands/config.ts +84 -0
- package/src/commands/create.ts +140 -52
- package/src/commands/deactivate.ts +25 -12
- package/src/commands/index.ts +4 -0
- package/src/commands/key.ts +193 -0
- package/src/commands/profile.ts +65 -0
- package/src/commands/update.ts +23 -13
- package/src/config.ts +165 -20
- package/src/keystore/atomic.ts +73 -0
- package/src/keystore/envelope.ts +172 -0
- package/src/keystore/error.ts +16 -0
- package/src/keystore/file-backed-key-manager.ts +99 -0
- package/src/keystore/file-key-store.ts +242 -0
- package/src/keystore/passphrase.ts +99 -0
- package/src/keystore/paths.ts +20 -0
- package/src/keystore/resolve-key-ref.ts +62 -0
- package/src/types.ts +31 -18
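--- a/package/dist/types/src/commands/create.d.ts
+++ b/package/dist/types/src/commands/create.d.ts
@@ -1,5 +1,23 @@
 import type { Command } from 'commander';
 import type { ApiFactory } from '../config.js';
 import type { GlobalOptions } from '../types.js';
-
+/**
+* Registers the `create` command.
+*
+* A deterministic (`-t k`) identifier has three mutually-exclusive input modes,
+* selected by which is present:
+* - generate (neither `--bytes` nor `--signing-key`): mint a fresh key, persist
+* it to the keystore, set it active, and print the identifier. Sealing the
+* secret prompts for the keystore passphrase.
+* - existing (`--signing-key <ref>`): use a stored key's public key as the
+* genesis bytes. Reading a public key never decrypts, so this never prompts.
+* - raw (`--bytes <hex>`): a 33-byte public key as hex. Offline, keystore-free.
+*
+* An external (`-t x`) identifier is raw-bytes-only: a 32-byte genesis-document
+* hash via `--bytes`. Generation and `--signing-key` apply only to `-t k`.
+*
+* The keystore-free `factory` serves the raw-bytes path; the keystore-aware
+* `keystoreFactory` serves the generate and existing-key paths.
+*/
+export declare function registerCreateCommand(program: Command, factory: ApiFactory, keystoreFactory: ApiFactory, globals: () => GlobalOptions): void;
 //# sourceMappingURL=create.d.ts.map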
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../../../src/commands/create.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../../../src/commands/create.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,KAAK,EAAE,UAAU,EAAuB,MAAM,cAAc,CAAC;AAKpE,OAAO,KAAK,EAAiB,aAAa,EAAiB,MAAM,aAAa,CAAC;AAS/E;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAW,OAAO,EACzB,OAAO,EAAW,UAAU,EAC5B,eAAe,EAAG,UAAU,EAC5B,OAAO,EAAW,MAAM,aAAa,GACpC,IAAI,CA2FN"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"deactivate.d.ts","sourceRoot":"","sources":["../../../../src/commands/deactivate.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"deactivate.d.ts","sourceRoot":"","sources":["../../../../src/commands/deactivate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAKvE,wBAAgB,yBAAyB,CACvC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAmEN"}
|
|
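--- a/package/dist/types/src/commands/index.d.ts
+++ b/package/dist/types/src/commands/index.d.ts
@@ -2,4 +2,8 @@ export { registerCreateCommand } from './create.js';
 export { registerResolveCommand } from './resolve.js';
 export { registerUpdateCommand } from './update.js';
 export { registerDeactivateCommand } from './deactivate.js';
+export { registerKeyCommand } from './key.js';
+export { registerConfigCommand } from './config.js';
+export { registerProfileCommand } from './profile.js';
+export { registerCompletionCommand } from './completion.js';
 //# sourceMappingURL=index.d.ts.map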
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/commands/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/commands/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC"}
|
|
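--- a/package/dist/types/src/commands/key.d.ts
+++ b/package/dist/types/src/commands/key.d.ts
@@ -0,0 +1,10 @@
+import type { Command } from 'commander';
+import type { ApiFactory } from '../config.js';
+import type { GlobalOptions } from '../types.js';
+/**
+* Registers the `key` command group for managing keypairs in the encrypted
+* keystore. All subcommands operate offline (no Bitcoin connection) through the
+* keystore-backed KeyManager injected by the factory.
+*/
+export declare function registerKeyCommand(program: Command, factory: ApiFactory, globals: () => GlobalOptions): void;
+//# sourceMappingURL=key.d.ts.map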
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"key.d.ts","sourceRoot":"","sources":["../../../../src/commands/key.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,aAAa,CAAC;AAEhE;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAgHN"}
|
|
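--- a/package/dist/types/src/commands/profile.d.ts
+++ b/package/dist/types/src/commands/profile.d.ts
@@ -0,0 +1,5 @@
+import type { Command } from 'commander';
+import type { GlobalOptions } from '../types.js';
+/** Registers the `profile` command group for managing configuration profiles. */
+export declare function registerProfileCommand(program: Command, globals: () => GlobalOptions): void;
+//# sourceMappingURL=profile.d.ts.map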
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profile.d.ts","sourceRoot":"","sources":["../../../../src/commands/profile.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,aAAa,CAAC;AAEhE,iFAAiF;AACjF,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,GAAG,IAAI,CAyD3F"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../../src/commands/update.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../../src/commands/update.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAEvE,wBAAgB,qBAAqB,CACnC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAsEN"}
|
|
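--- a/package/dist/types/src/config.d.ts
+++ b/package/dist/types/src/config.d.ts
@@ -1,5 +1,5 @@
 import { type DidBtcr2Api } from '@did-btcr2/api';
-import { type NetworkOption } from './types.js';
+import { type NetworkOption, type OutputFormat } from './types.js';
 /**
 * Endpoint overrides provided via CLI flags, env vars, or config file.
 * These override the per-network defaults from
@@ -16,6 +16,10 @@ export type ConnectionOverrides = {
 casGateway?: string;
 config?: string;
 profile?: string;
+/** Keystore file path. Overrides the default `$XDG_DATA_HOME/btcr2/keystore.json`. */
+keystore?: string;
+/** Path to a file holding the keystore passphrase (for unattended use). */
+passphraseFile?: string;
 };
 /**
 * On-disk config file schema.
@@ -41,6 +45,14 @@ export type ConnectionOverrides = {
 * ```
 */
 export type ConfigFile = {
+/** Schema version, stamped on every write for forward compatibility. */
+schemaVersion?: number;
+/** Tool-wide defaults applied when not overridden by a flag or environment variable. */
+defaults?: {
+profile?: string;
+network?: NetworkOption;
+output?: OutputFormat;
+};
 profiles?: Record<string, {
 btc?: {
 rest?: string;
@@ -51,8 +63,34 @@ export type ConfigFile = {
 cas?: {
 gateway?: string;
 };
+/** Signing identity references. Never embeds key material; the secret lives in the keystore. */
+identity?: {
+keystore?: string;
+default?: string;
+};
+/** Aggregation transport and cohort defaults, mirroring the aggregation runner inputs. */
+aggregation?: {
+transport?: 'nostr' | 'http' | 'didcomm';
+relays?: string[];
+httpBaseUrl?: string;
+cohort?: Record<string, unknown>;
+};
 }>;
 };
+/** Current config-file schema version, stamped on every write. */
+export declare const CONFIG_SCHEMA_VERSION = 1;
+/**
+* Read-modify-write a config file, preserving unknown keys. Reads the raw JSON
+* (so keys outside {@link ConfigFile} survive a rewrite), applies `mutate`,
+* stamps the schema version, and writes atomically (file 0600, dir 0700).
+*/
+export declare function writeConfigFile(path: string, mutate: (raw: Record<string, unknown>) => void): void;
+/** Reads the value at a dotted path (e.g. `profiles.regtest.btc.rest`). */
+export declare function getConfigPath(config: Record<string, unknown>, path: string): unknown;
+/** Sets the value at a dotted path, creating intermediate objects. */
+export declare function setConfigPath(config: Record<string, unknown>, path: string, value: unknown): void;
+/** Deletes the value at a dotted path. No-op if the path does not exist. */
+export declare function unsetConfigPath(config: Record<string, unknown>, path: string): void;
 /**
 * Factory function that creates a configured {@link DidBtcr2Api} instance.
 *
@@ -105,18 +143,32 @@ export declare function readConfigFile(path: string): ConfigFile | undefined;
 * {@link ConfigFile}. Returns an empty object if the profile does not exist.
 */
 export declare function profileToOverrides(config: ConfigFile, profileName: string): ConnectionOverrides;
+/**
+* Resolves the default Bitcoin network for offline identifier creation when no
+* `--network` flag is given. Resolution order: the config file's
+* `defaults.network`, then an active profile named for a network (an explicit
+* `--profile` flag or `defaults.profile`), then `regtest` as the development
+* fallback. Generation itself is offline; this only fixes which network the
+* identifier encodes.
+*/
+export declare function resolveDefaultNetwork(overrides?: ConnectionOverrides): NetworkOption;
 /**
 * Default {@link ApiFactory} backed by network defaults from
 * `@did-btcr2/bitcoin` (mempool.space for public networks, localhost for
-* regtest).
+* regtest). Keystore-free: suitable for offline `create` and read-only
+* `resolve`, which never need a signing identity.
 *
 * Override precedence (highest wins):
 * CLI flags -> env vars -> config file profile -> network defaults.
-*
-* When no `--profile` is given, the network name is used as the profile
-* key (e.g. a regtest DID auto-selects the `"regtest"` profile).
 */
 export declare function defaultApiFactory(network?: NetworkOption, overrides?: ConnectionOverrides): DidBtcr2Api;
+/**
+* Keystore-aware {@link ApiFactory} for commands that need a signing identity
+* (key management, update, deactivate). Identical to {@link defaultApiFactory}
+* for Bitcoin and CAS, plus an injected keystore-backed KeyManager. Offline key
+* commands (no network) still get the keystore.
+*/
+export declare function keystoreApiFactory(network?: NetworkOption, overrides?: ConnectionOverrides): DidBtcr2Api;
 /**
 * Extracts and validates the Bitcoin network from a DID string.
 *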
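Review bot: `setConfigPath` and `unsetConfigPath` take a caller-supplied dotted path over a plain `Record<string, unknown>`, and nothing in the declaration says reserved segments are refused; if the `config` command hands the user's argument through unchanged, a segment such as `__proto__` or `constructor` is walked into (and, for `set`, has intermediate objects created under it), which lands on `Object.prototype` rather than in the config document. The implementation lives in `config.ts`, outside this section, so this may already be guarded; if so, the contract belongs in the declaration: `/** Sets the value at a dotted path, creating intermediate objects. Rejects the path segments __proto__, constructor and prototype. */`. `writeConfigFile` promises to preserve unknown keys from the raw JSON but does not say what happens when the existing file is not a JSON object; naming that outcome would complete the contract.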
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgD,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgD,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAUhG,OAAO,EAAsB,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC;AAEvF;;;;;;;GAOG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,CAAC,EAAU,MAAM,CAAC;IACzB,SAAS,CAAC,EAAQ,MAAM,CAAC;IACzB,UAAU,CAAC,EAAO,MAAM,CAAC;IACzB,UAAU,CAAC,EAAO,MAAM,CAAC;IACzB,UAAU,CAAC,EAAO,MAAM,CAAC;IACzB,MAAM,CAAC,EAAW,MAAM,CAAC;IACzB,OAAO,CAAC,EAAU,MAAM,CAAC;IACzB,sFAAsF;IACtF,QAAQ,CAAC,EAAS,MAAM,CAAC;IACzB,2EAA2E;IAC3E,cAAc,CAAC,EAAG,MAAM,CAAC;CAC1B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,aAAa,CAAC;QACxB,MAAM,CAAC,EAAE,YAAY,CAAC;KACvB,CAAC;IACF,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QACxB,GAAG,CAAC,EAAE;YACJ,IAAI,CAAC,EAAM,MAAM,CAAC;YAClB,MAAM,CAAC,EAAI,MAAM,CAAC;YAClB,OAAO,CAAC,EAAG,MAAM,CAAC;YAClB,OAAO,CAAC,EAAG,MAAM,CAAC;SACnB,CAAC;QACF,GAAG,CAAC,EAAE;YACJ,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,gGAAgG;QAChG,QAAQ,CAAC,EAAE;YACT,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,0FAA0F;QAC1F,WAAW,CAAC,EAAE;YACZ,SAAS,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;YACzC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SAClC,CAAC;KACH,CAAC,CAAC;CACJ,CAAC;AAEF,kEAAkE;AAClE,eAAO,MAAM,qBAAqB,IAAI,CAAC;AAEvC;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,GAAG,IAAI,CAMlG;AAED,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAKpF;AAED,sEAAsE;AACtE,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAUjG;AAED,4EAA4E;AAC5E,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAUnF;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,UAAU,GAAG,CA
AC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,KAAK,WAAW,CAAC;AAEnG;;;;;;;;;;GAUG;AACH,eAAO,MAAM,QAAQ;;;;;;CAMX,CAAC;AAEX;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,mBAAmB,CAStD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAK1C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAOnE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAQ,UAAU,EACxB,WAAW,EAAG,MAAM,GACnB,mBAAmB,CAUrB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,CAAC,EAAE,mBAAmB,GAAG,aAAa,CAapF;AAwDD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,WAAW,CAEvG;AAgBD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,WAAW,CAKxG;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAUxD"}
|
|
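--- a/package/dist/types/src/keystore/atomic.d.ts
+++ b/package/dist/types/src/keystore/atomic.d.ts
@@ -0,0 +1,19 @@
+/**
+* Creates a directory (recursively) and, on POSIX systems, tightens it to the
+* requested mode. `mkdir`'s mode is subject to the umask, so it is reapplied
+* with an explicit `chmod`.
+*/
+export declare function ensureDir(dir: string, mode: number): void;
+/**
+* Writes a file atomically: serialize to a sibling temporary file, tighten its
+* permissions, then rename over the target so a crash mid-write cannot leave a
+* truncated or partially-written file. The temporary file is removed on failure.
+*/
+export declare function writeFileAtomic(path: string, data: string, mode: number): void;
+/**
+* Fails closed if a keystore file is readable or writable by group or other.
+* On Windows, where POSIX mode bits are not enforced, this is a no-op that
+* warns once on standard error.
+*/
+export declare function assertSecurePerms(path: string): void;
+//# sourceMappingURL=atomic.d.ts.map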
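Review bot: The `writeFileAtomic` contract as documented writes the temporary file first and tightens its permissions afterwards, which leaves a window in which the new keystore or config contents exist under the umask-default mode before `chmod` runs. If the implementation in `atomic.ts` (outside this section) follows that order, creating the temporary file with the target mode up front — `fs.openSync(tmp, 'wx', mode)` followed by `fs.writeSync` — removes the window, and the comment should then read `* serialize to a sibling temporary file created with the target mode, then rename over the target`. Separately, `assertSecurePerms` is the only one of the three declarations whose failure mode is undocumented while `envelope.d.ts` lists its codes; given `error.d.ts` names `KEYSTORE_PERMISSION_ERROR`, add `* @throws {KeyStoreError} KEYSTORE_PERMISSION_ERROR when group or other have read or write access.` if that is the code raised. It would also help to state that the check covers mode bits only, not the file's owner or the containing directory, so callers do not read more into it.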
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"atomic.d.ts","sourceRoot":"","sources":["../../../../src/keystore/atomic.ts"],"names":[],"mappings":"AAQA;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CASzD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAkB9E;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAkBpD"}
|
|
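--- a/package/dist/types/src/keystore/envelope.d.ts
+++ b/package/dist/types/src/keystore/envelope.d.ts
@@ -0,0 +1,64 @@
+/** Current keystore secret-envelope format version. */
+export declare const ENVELOPE_VERSION: 1;
+/**
+* argon2id cost parameters. Field names follow RFC 9106: `t` time cost
+* (passes), `m` memory cost in KiB, `p` parallelism (lanes), `dkLen` derived
+* key length in bytes.
+*/
+export type ArgonParams = {
+t: number;
+m: number;
+p: number;
+dkLen: number;
+};
+/**
+* Production argon2id parameters: 3 passes over 64 MiB across 4 lanes, deriving
+* a 32-byte key. Recorded in every envelope so the cost can be raised later
+* without making previously sealed envelopes undecryptable.
+*/
+export declare const DEFAULT_ARGON_PARAMS: ArgonParams;
+/**
+* A self-describing, versioned envelope sealing one secret at rest. The header
+* (version, key-derivation parameters, cipher) is bound as the AEAD additional
+* data, so a tampered header fails authentication. All byte fields are
+* base64url with no padding.
+*/
+export type SecretEnvelope = {
+v: typeof ENVELOPE_VERSION;
+kdf: {
+alg: 'argon2id';
+salt: string;
+t: number;
+m: number;
+p: number;
+dkLen: number;
+};
+cipher: 'xchacha20poly1305';
+nonce: string;
+ciphertext: string;
+};
+/**
+* Seals a secret under a passphrase into a {@link SecretEnvelope}. A fresh
+* random salt and nonce are generated per call, so encrypting the same secret
+* twice yields different envelopes.
+*
+* @param secret - The secret bytes to encrypt. Must be non-empty.
+* @param passphrase - The passphrase the encryption key is derived from.
+* @param params - argon2id cost parameters. Defaults to {@link DEFAULT_ARGON_PARAMS}.
+* @returns The versioned, authenticated envelope.
+* @throws {KeyStoreError} `ENVELOPE_ENCRYPT_ERROR` when `secret` is empty.
+*/
+export declare function encryptSecret(secret: Uint8Array, passphrase: string, params?: ArgonParams): SecretEnvelope;
+/**
+* Opens a {@link SecretEnvelope} sealed by {@link encryptSecret} and returns the
+* plaintext secret. A wrong passphrase, corrupted ciphertext, or a tampered
+* header all fail authentication and raise `DECRYPT_ERROR`.
+*
+* @param env - The envelope to open.
+* @param passphrase - The passphrase the envelope was sealed with.
+* @returns The decrypted secret bytes.
+* @throws {KeyStoreError} `ENVELOPE_VERSION_ERROR` for an unknown version or
+* algorithm; `DECRYPT_ERROR` for failed authentication.
+*/
+export declare function decryptSecret(env: SecretEnvelope, passphrase: string): Uint8Array;
+//# sourceMappingURL=envelope.d.ts.map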
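Review bot: `decryptSecret` documents that a tampered header fails authentication, but `kdf.t`, `kdf.m`, `kdf.p` and `kdf.dkLen` have to be fed to argon2id before any key exists to check the tag with, so the cost parameters of an untrusted envelope are honoured before the AEAD can reject it; a keystore file carrying an inflated `m` or `t` makes the CLI allocate or spin accordingly. Validating those fields against a fixed ceiling before deriving (and pinning `dkLen` to the 32-byte key xchacha20poly1305 takes) closes that, and the contract should say so: `* @throws {KeyStoreError} ENVELOPE_VERSION_ERROR for an unknown version or algorithm, or for cost parameters outside the accepted range;`. Whether `envelope.ts` (outside this section) already bounds them is not visible from the declaration. The expected `salt` and `nonce` lengths are likewise unstated; recording them in the `SecretEnvelope` comment tells a reader of the format what a well-formed envelope looks like.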
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../../../../src/keystore/envelope.ts"],"names":[],"mappings":"AAMA,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAC;AAS3C;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,CAAC,EAAO,MAAM,CAAC;IACf,CAAC,EAAO,MAAM,CAAC;IACf,CAAC,EAAO,MAAM,CAAC;IACf,KAAK,EAAG,MAAM,CAAC;CAChB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAwD,CAAC;AAE5F;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,CAAC,EAAK,OAAO,gBAAgB,CAAC;IAC9B,GAAG,EAAG;QACJ,GAAG,EAAK,UAAU,CAAC;QACnB,IAAI,EAAI,MAAM,CAAC;QACf,CAAC,EAAO,MAAM,CAAC;QACf,CAAC,EAAO,MAAM,CAAC;QACf,CAAC,EAAO,MAAM,CAAC;QACf,KAAK,EAAG,MAAM,CAAC;KAChB,CAAC;IACF,MAAM,EAAO,mBAAmB,CAAC;IACjC,KAAK,EAAQ,MAAM,CAAC;IACpB,UAAU,EAAG,MAAM,CAAC;CACrB,CAAC;AA2CF;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAO,UAAU,EACvB,UAAU,EAAG,MAAM,EACnB,MAAM,GAAO,WAAkC,GAC9C,cAAc,CAkBhB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,GAAG,UAAU,CA4BjF"}
|
|
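--- a/package/dist/types/src/keystore/error.d.ts
+++ b/package/dist/types/src/keystore/error.d.ts
@@ -0,0 +1,14 @@
+import { DidMethodError } from '@did-btcr2/common';
+/**
+* Error raised by the CLI keystore layer: secret-envelope encryption and
+* decryption, on-disk file permission enforcement, and passphrase acquisition.
+*
+* Unlike {@link CLIError} (whose `name` is fixed to `'CLIError'`), this follows
+* the {@link DidMethodError} sibling convention where `name` mirrors the `type`
+* code, so a thrown error's `name` reflects the specific failure category
+* (for example `DECRYPT_ERROR` or `KEYSTORE_PERMISSION_ERROR`).
+*/
+export declare class KeyStoreError extends DidMethodError {
+constructor(message: string, type?: string, data?: Record<string, any>);
+}
+//# sourceMappingURL=error.d.ts.map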
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"error.d.ts","sourceRoot":"","sources":["../../../../src/keystore/error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;;;;;;GAQG;AACH,qBAAa,aAAc,SAAQ,cAAc;gBACnC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAwB,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;CAGxF"}
|
|
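--- a/package/dist/types/src/keystore/file-backed-key-manager.d.ts
+++ b/package/dist/types/src/keystore/file-backed-key-manager.d.ts
@@ -0,0 +1,41 @@
+import type { Bytes, HashBytes, KeyBytes, SignatureBytes } from '@did-btcr2/common';
+import { type GenerateKeyOptions, type ImportKeyOptions, type KeyIdentifier, type KeyManager, type SignOptions, type VerifyOptions } from '@did-btcr2/key-manager';
+import type { SchnorrKeyPair } from '@did-btcr2/keypair';
+import { type FileKeyStoreOptions } from './file-key-store.js';
+/**
+* A {@link KeyManager} backed by the encrypted on-disk {@link FileKeyStore}.
+*
+* It composes a {@link LocalKeyManager} over a {@link FileKeyStore} and adds the
+* one thing the store interface cannot express: persisting the active-key
+* pointer. `LocalKeyManager` tracks the active key only in process memory, so
+* this wrapper mirrors every active-key change to the keystore file and
+* re-applies the persisted pointer at construction. Read and signing
+* operations delegate straight through.
+*
+* Injected as the api's KeyManager so every command reaches it uniformly via
+* `api.kms`, and "the active key" survives across CLI invocations.
+*/
+export declare class FileBackedKeyManager implements KeyManager {
+#private;
+/** Capability probe: the local store supports exporting secret material. */
+readonly canExport = true;
+constructor(options: FileKeyStoreOptions);
+get activeKeyId(): KeyIdentifier | undefined;
+setActiveKey(id: KeyIdentifier): void;
+importKey(keyPair: SchnorrKeyPair, options?: ImportKeyOptions): KeyIdentifier;
+generateKey(options?: GenerateKeyOptions): KeyIdentifier;
+removeKey(id: KeyIdentifier, options?: {
+force?: boolean;
+}): void;
+listKeys(): KeyIdentifier[];
+getPublicKey(id?: KeyIdentifier): KeyBytes;
+getEntry(id?: KeyIdentifier): {
+publicKey: KeyBytes;
+tags?: Record<string, string>;
+};
+sign(data: Bytes, id?: KeyIdentifier, options?: SignOptions): SignatureBytes;
+verify(signature: SignatureBytes, data: Bytes, id?: KeyIdentifier, options?: VerifyOptions): boolean;
+digest(data: Uint8Array): HashBytes;
+exportKey(id: KeyIdentifier): SchnorrKeyPair;
+}
+//# sourceMappingURL=file-backed-key-manager.d.ts.map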
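Review bot: The class comment says read and signing operations delegate straight through, yet `sign`, `exportKey` and anything else that needs the secret go through the store's `get`, which `file-key-store.d.ts` documents as the only decrypting path, so these are the methods that call the configured `getPassphrase` and may prompt; the declaration does not mark which ones. A per-method comment makes that boundary visible, e.g. on `exportKey`: `/** Decrypts the stored secret and hands plaintext key material to the caller; invokes the passphrase supplier. */`, with a shorter counterpart on `sign`. The meaning of `removeKey`'s `force` option is also undeclared — presumably it permits removing the currently active key, but that is a guess from the name — and deserves a one-line comment stating what it overrides.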
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"file-backed-key-manager.d.ts","sourceRoot":"","sources":["../../../../src/keystore/file-backed-key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACpF,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAClB,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,KAAK,aAAa,EACnB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAgB,KAAK,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE7E;;;;;;;;;;;;GAYG;AACH,qBAAa,oBAAqB,YAAW,UAAU;;IACrD,4EAA4E;IAC5E,QAAQ,CAAC,SAAS,QAAQ;gBAKd,OAAO,EAAE,mBAAmB;IAWxC,IAAI,WAAW,IAAI,aAAa,GAAG,SAAS,CAE3C;IAED,YAAY,CAAC,EAAE,EAAE,aAAa,GAAG,IAAI;IAKrC,SAAS,CAAC,OAAO,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,aAAa;IAM7E,WAAW,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,aAAa;IAMxD,SAAS,CAAC,EAAE,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI;IAMjE,QAAQ,IAAI,aAAa,EAAE;IAI3B,YAAY,CAAC,EAAE,CAAC,EAAE,aAAa,GAAG,QAAQ;IAI1C,QAAQ,CAAC,EAAE,CAAC,EAAE,aAAa,GAAG;QAAE,SAAS,EAAE,QAAQ,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE;IAIpF,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,cAAc;IAI5E,MAAM,CAAC,SAAS,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO;IAIpG,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,SAAS;IAInC,SAAS,CAAC,EAAE,EAAE,aAAa,GAAG,cAAc;CAG7C"}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import type { KeyEntry, KeyIdentifier, KeyValueStore } from '@did-btcr2/key-manager';
|
|
2
|
+
import type { ArgonParams } from './envelope.js';
|
|
3
|
+
/** Current on-disk keystore file format version. */
|
|
4
|
+
export declare const KEYSTORE_VERSION: 1;
|
|
5
|
+
/** Options for constructing a {@link FileKeyStore}. */
|
|
6
|
+
export type FileKeyStoreOptions = {
|
|
7
|
+
/** Keystore file path. Defaults to {@link defaultKeystorePath}. */
|
|
8
|
+
path?: string;
|
|
9
|
+
/** Supplies the passphrase lazily, called only when a secret must be sealed or opened. */
|
|
10
|
+
getPassphrase: () => string;
|
|
11
|
+
/** argon2id cost parameters used when sealing new secrets. Defaults to {@link DEFAULT_ARGON_PARAMS}. */
|
|
12
|
+
argonParams?: ArgonParams;
|
|
13
|
+
};
|
|
14
|
+
/**
|
|
15
|
+
* A Node-only, file-backed {@link KeyValueStore} that encrypts secret keys at
|
|
16
|
+
* rest. It satisfies the synchronous store contract by caching the parsed file
|
|
17
|
+
* in memory at construction and flushing the whole file atomically on every
|
|
18
|
+
* mutation.
|
|
19
|
+
*
|
|
20
|
+
* Secrets are materialized only through {@link FileKeyStore.get}. The
|
|
21
|
+
* {@link FileKeyStore.list} and {@link FileKeyStore.entries} projections omit
|
|
22
|
+
* secret keys and never decrypt, so enumerating the store never triggers a
|
|
23
|
+
* passphrase prompt.
|
|
24
|
+
*/
|
|
25
|
+
export declare class FileKeyStore implements KeyValueStore<KeyIdentifier, KeyEntry> {
26
+
#private;
27
+
constructor(options: FileKeyStoreOptions);
28
+
get(id: KeyIdentifier): KeyEntry | undefined;
29
+
has(id: KeyIdentifier): boolean;
30
+
set(id: KeyIdentifier, value: KeyEntry): void;
31
+
delete(id: KeyIdentifier): boolean;
32
+
clear(): void;
33
+
/** All stored values with secret keys omitted. Never decrypts, never prompts. */
34
+
list(): Array<KeyEntry>;
35
+
/**
36
+
* All entries as id-value tuples with secret keys omitted. Never decrypts,
37
+
* never prompts: {@link FileKeyStore.get} is the only secret-materializing
38
+
* path, so callers that only need identifiers (such as `listKeys`) do not
39
+
* force a passphrase prompt. This deviates intentionally from the in-memory
40
+
* store, which returns stored values verbatim.
41
+
*/
42
+
entries(): Array<[KeyIdentifier, KeyEntry]>;
43
+
close(): void;
44
+
/** The persisted active-key identifier, or undefined if none is set. */
45
+
getActive(): string | undefined;
46
+
/**
47
+
* Persists the active-key pointer in the keystore file. Passing undefined
48
+
* clears it. Throws if the identifier is not a known key.
49
+
*/
50
+
setActive(id: KeyIdentifier | undefined): void;
51
+
}
52
+
//# sourceMappingURL=file-key-store.d.ts.map
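Review bot: `set`, `delete`, `clear` and `close` have no doc comment, so the declaration never says which mutations invoke `getPassphrase`; the class comment says secrets are materialized only through `get`, while the `getPassphrase` option says the callback also runs when a secret must be *sealed*, which presumably happens in `set`. Suggest `/** Seals the entry's secret material with the passphrase from getPassphrase before flushing to disk; may prompt. */` above `set`, and a one-liner on `close` stating whether it discards the in-memory cache (including any decrypted material) or only blocks further writes. It would also help to state on `get` that the returned `KeyEntry` carries plaintext secret material which, if held as a JS string, cannot be zeroized by the caller, so callers should not retain the entry longer than needed. The implementation lives in file-key-store.ts, outside this hunk.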
@@ -0,0 +1 @@
1
+
{"version":3,"file":"file-key-store.d.ts","sourceRoot":"","sources":["../../../../src/keystore/file-key-store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAIrF,OAAO,KAAK,EAAE,WAAW,EAAkB,MAAM,eAAe,CAAC;AAIjE,oDAAoD;AACpD,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAC;AAwB3C,uDAAuD;AACvD,MAAM,MAAM,mBAAmB,GAAG;IAChC,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0FAA0F;IAC1F,aAAa,EAAE,MAAM,MAAM,CAAC;IAC5B,wGAAwG;IACxG,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,qBAAa,YAAa,YAAW,aAAa,CAAC,aAAa,EAAE,QAAQ,CAAC;;gBAO7D,OAAO,EAAE,mBAAmB;IAyExC,GAAG,CAAC,EAAE,EAAE,aAAa,GAAG,QAAQ,GAAG,SAAS;IA0B5C,GAAG,CAAC,EAAE,EAAE,aAAa,GAAG,OAAO;IAI/B,GAAG,CAAC,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,GAAG,IAAI;IAa7C,MAAM,CAAC,EAAE,EAAE,aAAa,GAAG,OAAO;IASlC,KAAK,IAAI,IAAI;IAMb,iFAAiF;IACjF,IAAI,IAAI,KAAK,CAAC,QAAQ,CAAC;IAIvB;;;;;;OAMG;IACH,OAAO,IAAI,KAAK,CAAC,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAW3C,KAAK,IAAI,IAAI;IAQb,wEAAwE;IACxE,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;;OAGG;IACH,SAAS,CAAC,EAAE,EAAE,aAAa,GAAG,SAAS,GAAG,IAAI;CAO/C"}
@@ -0,0 +1,20 @@
1
+
/** Environment variable that supplies the keystore passphrase for unattended use. */
2
+
export declare const ENV_KEYSTORE_PASSPHRASE = "BTCR2_KEYSTORE_PASSPHRASE";
3
+
/** Options controlling how a passphrase is acquired. */
4
+
export type PassphraseOptions = {
5
+
/** Path to a file whose contents (a trailing newline is trimmed) are the passphrase. */
6
+
passphraseFile?: string;
7
+
/** Prompt label shown on a terminal. */
8
+
prompt?: string;
9
+
/** When true, prompt twice and require the entries to match (for a new keystore). */
10
+
confirm?: boolean;
11
+
};
12
+
/**
13
+
* Acquires a passphrase without ever reading it from a command-line flag value
14
+
* (which would leak into process listings and shell history). Resolution order:
15
+
* the {@link ENV_KEYSTORE_PASSPHRASE} environment variable, a passphrase file,
16
+
* then a non-echoing terminal prompt. Throws if none is available and standard
17
+
* input is not a terminal.
18
+
*/
19
+
export declare function acquirePassphrase(options?: PassphraseOptions): string;
20
+
//# sourceMappingURL=passphrase.d.ts.map
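Review bot: The contract for degenerate inputs is unspecified: the comment does not say whether an empty `BTCR2_KEYSTORE_PASSPHRASE` (set but blank) is treated as unset and falls through to the file or prompt, or is accepted as an empty passphrase, nor whether `confirm` has any effect when the value comes from the environment or a file rather than the terminal. Suggest adding `* An empty environment value is treated as unset; \`confirm\` applies only to the terminal prompt.` to the doc block, adjusted to whatever passphrase.ts actually does, since the body is outside this hunk. Worth noting in the same block that an environment variable is inherited by every child process and is visible to other same-user processes on most platforms, so `passphraseFile` is the preferable unattended route; that helps operators pick the right option.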
@@ -0,0 +1 @@
1
+
{"version":3,"file":"passphrase.d.ts","sourceRoot":"","sources":["../../../../src/keystore/passphrase.ts"],"names":[],"mappings":"AAGA,qFAAqF;AACrF,eAAO,MAAM,uBAAuB,8BAA8B,CAAC;AAEnE,wDAAwD;AACxD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qFAAqF;IACrF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,iBAAsB,GAAG,MAAM,CAyBzE"}
@@ -0,0 +1,13 @@
1
+
/**
2
+
* Default keystore file path, following the XDG Base Directory Specification's
3
+
* data directory. Secret key material is data a user accumulates, so it lives
4
+
* under the data directory, kept separate from the configuration directory used
5
+
* for portable settings.
6
+
*
7
+
* Resolution order:
8
+
* 1. `$XDG_DATA_HOME/btcr2/keystore.json`
9
+
* 2. `%LOCALAPPDATA%/btcr2/keystore.json` (Windows)
10
+
* 3. `~/.local/share/btcr2/keystore.json` (fallback)
11
+
*/
12
+
export declare function defaultKeystorePath(): string;
13
+
//# sourceMappingURL=paths.d.ts.map
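Review bot: Step 1 of the resolution order does not say what happens when `$XDG_DATA_HOME` is set but empty or relative; the XDG specification says such values should be ignored, and presumably the implementation in paths.ts (outside this hunk) does one thing or the other. Suggest `* 1. \`$XDG_DATA_HOME/btcr2/keystore.json\` (ignored if empty or not absolute)` — or the opposite wording if relative values are honored — so callers on locked-down hosts know which file holds their secrets.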
@@ -0,0 +1 @@
1
+
{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../../../src/keystore/paths.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAK5C"}
@@ -0,0 +1,19 @@
1
+
import type { KeyIdentifier, KeyManager } from '@did-btcr2/key-manager';
2
+
/**
3
+
* Resolves a user-supplied key reference to a key identifier. Resolution order:
4
+
* 1. No reference: the active key (errors if none is set).
5
+
* 2. Exact URN identifier match.
6
+
* 3. Unique fingerprint-prefix match (against the hex tail of the URN).
7
+
* 4. Unique `name` tag match.
8
+
*
9
+
* Reads only public material (listKeys + getEntry), so resolving a reference
10
+
* never decrypts a secret or prompts for a passphrase.
11
+
*
12
+
* @param kms The key manager to resolve against.
13
+
* @param ref The reference to resolve. When omitted, the active key is used.
14
+
* @returns The resolved key identifier.
15
+
* @throws {CLIError} If no key matches, the reference is ambiguous, or no
16
+
* reference is given and no active key is set.
17
+
*/
18
+
export declare function resolveKeyRef(kms: KeyManager, ref?: string): KeyIdentifier;
19
+
//# sourceMappingURL=resolve-key-ref.d.ts.map
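Review bot: Step 3 leaves two things undocumented that decide which key signs: the minimum fingerprint-prefix length and whether the comparison is case-sensitive. There is also a precedence subtlety: because the prefix rule runs before the `name` rule, a ref that exactly equals one key's `name` tag but is also a unique hex prefix of another key's fingerprint resolves to the fingerprint, not the name. Suggest either checking exact `name` matches before prefixes or adding `* Fingerprint-prefix matches take precedence over name matches; names that are valid hex prefixes are therefore unreliable refs.` The function body is in resolve-key-ref.ts, outside this hunk.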
@@ -0,0 +1 @@
1
+
{"version":3,"file":"resolve-key-ref.d.ts","sourceRoot":"","sources":["../../../../src/keystore/resolve-key-ref.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAQxE;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,aAAa,CAqC1E"}
@@ -5,11 +5,6 @@ import type { DidResolutionResult } from '@web5/dids';
5
5
export type NetworkOption = 'bitcoin' | 'testnet3' | 'testnet4' | 'signet' | 'mutinynet' | 'regtest';
6
6
export type OutputFormat = 'json' | 'text';
7
7
export declare const SUPPORTED_NETWORKS: NetworkOption[];
8
-
export interface CreateCommandOptions {
9
-
type: 'k' | 'x';
10
-
bytes: string;
11
-
network: NetworkOption;
12
-
}
13
8
export interface ResolveCommandOptions {
14
9
identifier: string;
15
10
options?: ResolutionOptions;
@@ -24,6 +19,8 @@ export interface UpdateCommandOptions {
24
19
export type CommandResult = {
25
20
action: 'create';
26
21
data: string;
22
+
keyId?: string;
23
+
publicKey?: string;
27
24
} | {
28
25
action: 'resolve';
29
26
data: DidResolutionResult;
@@ -33,6 +30,94 @@ export type CommandResult = {
33
30
} | {
34
31
action: 'deactivate';
35
32
data: SignedBTCR2Update;
33
+
} | {
34
+
action: 'key-generate';
35
+
data: {
36
+
keyId: string;
37
+
publicKey: string;
38
+
active: boolean;
39
+
};
40
+
} | {
41
+
action: 'key-list';
42
+
data: Array<{
43
+
keyId: string;
44
+
fingerprint: string;
45
+
name?: string;
46
+
active: boolean;
47
+
}>;
48
+
} | {
49
+
action: 'key-show';
50
+
data: {
51
+
keyId: string;
52
+
publicKey: string;
53
+
tags?: Record<string, string>;
54
+
};
55
+
} | {
56
+
action: 'key-import';
57
+
data: {
58
+
keyId: string;
59
+
publicKey: string;
60
+
watchOnly: boolean;
61
+
active: boolean;
62
+
};
63
+
} | {
64
+
action: 'key-export';
65
+
data: {
66
+
keyId: string;
67
+
publicKey?: string;
68
+
secretWrittenTo?: string;
69
+
};
70
+
} | {
71
+
action: 'key-delete';
72
+
data: {
73
+
keyId: string;
74
+
deleted: true;
75
+
};
76
+
} | {
77
+
action: 'key-use';
78
+
data: {
79
+
keyId: string;
80
+
active: true;
81
+
};
82
+
} | {
83
+
action: 'config-init';
84
+
data: {
85
+
path: string;
86
+
};
87
+
} | {
88
+
action: 'config-get';
89
+
data: unknown;
90
+
} | {
91
+
action: 'config-set';
92
+
data: {
93
+
path: string;
94
+
};
95
+
} | {
96
+
action: 'config-unset';
97
+
data: {
98
+
path: string;
99
+
};
100
+
} | {
101
+
action: 'config-list';
102
+
data: unknown;
103
+
} | {
104
+
action: 'profile-add';
105
+
data: {
106
+
profile: string;
107
+
};
108
+
} | {
109
+
action: 'profile-use';
110
+
data: {
111
+
profile: string;
112
+
};
113
+
} | {
114
+
action: 'profile-show';
115
+
data: unknown;
116
+
} | {
117
+
action: 'profile-remove';
118
+
data: {
119
+
profile: string;
120
+
};
36
121
};
37
122
export interface GlobalOptions {
38
123
output: OutputFormat;
@@ -45,5 +130,8 @@ export interface GlobalOptions {
45
130
btcRpcUser?: string;
46
131
btcRpcPass?: string;
47
132
casGateway?: string;
133
+
keystore?: string;
134
+
passphraseFile?: string;
135
+
signingKey?: string;
48
136
}
49
137
//# sourceMappingURL=types.d.ts.map
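Review bot: In the `'create'` variant `keyId` and `publicKey` are optional while every `key-*` variant requires them, and nothing says when a `create` result omits them; suggest a comment such as `/** Present when the key was generated by this invocation; absent when an existing key was supplied. */`, adjusted to what the create command actually does, since that code is not in this section. The new `GlobalOptions` fields at the end of the section (`keystore`, `passphraseFile`, `signingKey`) are likewise undocumented; `signingKey` is presumably a ref resolved by `resolveKeyRef`, so a one-line comment saying it accepts a URN, fingerprint prefix or name would spare readers a trip to the keystore module. Consistent with the passphrase module, no passphrase value option appears here, only a file path, which keeps the secret out of argv.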
@@ -1 +1 @@
1
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,GAAG,WAAW,GAAG,SAAS,CAAC;AACrG,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAE3C,eAAO,MAAM,kBAAkB,EAAE,aAAa,EAE7C,CAAC;AAEF,MAAM,WAAW,
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,GAAG,WAAW,GAAG,SAAS,CAAC;AACrG,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAE3C,eAAO,MAAM,kBAAkB,EAAE,aAAa,EAE7C,CAAC;AAEF,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAG,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,iBAAiB,CAAC;CAChC;AAED,MAAM,WAAW,oBAAoB;IACnC,cAAc,EAAS,gBAAgB,CAAC;IACxC,OAAO,EAAgB,cAAc,EAAE,CAAC;IACxC,eAAe,EAAQ,MAAM,CAAC;IAC9B,oBAAoB,EAAG,MAAM,CAAC;IAC9B,QAAQ,EAAe,MAAM,CAAC;CAC/B;AAED,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GACtE;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,mBAAmB,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,GAC7C;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,GACjD;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,GACvF;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,CAAC,CAAA;CAAE,GAC3G;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAA;CAAE,GACjG;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,GACzG;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAC/F;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAChE;IAAE,MAAM,EAAE,SA
AS,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAC5D;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACjD;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACvC;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAClD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACxC;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACpD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACpD;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACzC;IAAE,MAAM,EAAE,gBAAgB,CAAC;IAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC;AAE5D,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAW,YAAY,CAAC;IAC9B,OAAO,EAAU,OAAO,CAAC;IACzB,KAAK,EAAY,OAAO,CAAC;IACzB,MAAM,CAAC,EAAU,MAAM,CAAC;IACxB,OAAO,CAAC,EAAS,MAAM,CAAC;IACxB,OAAO,CAAC,EAAS,MAAM,CAAC;IACxB,SAAS,CAAC,EAAO,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAQ,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;CACzB"}