@epochcore/identity-sdk 1.0.0 → 1.1.0

package/dist/index.d.mts

@@ -0,0 +1,109 @@
+/**
+ * @epochcore/identity-sdk
+ * World's First Universal Infrastructure Identity SDK
+ *
+ * Provides Ed25519 cryptographic identities for:
+ * - Cloudflare Workers
+ * - D1 Databases
+ * - R2 Storage Buckets
+ * - Durable Objects
+ * - Local Daemons
+ */
+type IdentityType = 'worker' | 'database' | 'storage' | 'durable_object' | 'daemon';
+interface EpochCoreIdentity {
+    did: string;
+    publicKey: string;
+    fingerprint: string;
+    type: IdentityType;
+    name: string;
+    createdAt: string;
+}
+interface EpochCoreWallet {
+    address: string;
+    publicKey: string;
+    identityDid: string;
+}
+interface SignedPayload {
+    payload: string;
+    signature: string;
+    publicKey: string;
+    timestamp: string;
+}
+/**
+ * Generate a new Ed25519 keypair for infrastructure identity
+ */
+declare function generateKeypair(): Promise<{
+    privateKey: string;
+    publicKey: string;
+}>;
+/**
+ * Create a DID (Decentralized Identifier) for infrastructure
+ * Format: did:epochcore:<type>:<name>:<fingerprint>
+ */
+declare function createDID(type: IdentityType, name: string, publicKey: string): string;
+/**
+ * Generate a complete infrastructure identity
+ */
+declare function generateIdentity(type: IdentityType, name: string): Promise<{
+    identity: EpochCoreIdentity;
+    privateKey: string;
+}>;
+/**
+ * Derive a secp256k1 wallet from an identity for Web3 operations
+ */
+declare function deriveWallet(privateKey: string, identityDid: string): EpochCoreWallet;
+/**
+ * Sign a payload with Ed25519 private key
+ */
+declare function signPayload(payload: string, privateKey: string): Promise<SignedPayload>;
+/**
+ * Verify an Ed25519 signature
+ */
+declare function verifySignature(payload: string, signature: string, publicKey: string): Promise<boolean>;
+/**
+ * Parse a DID string into components
+ */
+declare function parseDID(did: string): {
+    method: string;
+    type: IdentityType;
+    name: string;
+    fingerprint: string;
+} | null;
+/**
+ * Generate JWKS (JSON Web Key Set) for OAuth2/OIDC integration
+ */
+declare function generateJWKS(publicKeys: string[]): {
+    keys: Array<{
+        kty: string;
+        crv: string;
+        x: string;
+        use: string;
+        kid: string;
+    }>;
+};
+declare const CONSTANTS: {
+    DID_PREFIX: string;
+    SIGNING_ALGORITHM: string;
+    WALLET_ALGORITHM: string;
+    SUPPORTED_TYPES: IdentityType[];
+    VERSION: string;
+};
+declare const _default: {
+    generateKeypair: typeof generateKeypair;
+    generateIdentity: typeof generateIdentity;
+    createDID: typeof createDID;
+    parseDID: typeof parseDID;
+    deriveWallet: typeof deriveWallet;
+    signPayload: typeof signPayload;
+    verifySignature: typeof verifySignature;
+    generateJWKS: typeof generateJWKS;
+    CONSTANTS: {
+        DID_PREFIX: string;
+        SIGNING_ALGORITHM: string;
+        WALLET_ALGORITHM: string;
+        SUPPORTED_TYPES: IdentityType[];
+        VERSION: string;
+    };
+};
+
+export { CONSTANTS, type EpochCoreIdentity, type EpochCoreWallet, type IdentityType, type SignedPayload, createDID, _default as default, deriveWallet, generateIdentity, generateJWKS, generateKeypair, parseDID, signPayload, verifySignature };

package/dist/index.d.ts

@@ -9,8 +9,8 @@
  * - Durable Objects
  * - Local Daemons
  */
-export type IdentityType = 'worker' | 'database' | 'storage' | 'durable_object' | 'daemon';
-export interface EpochCoreIdentity {
+type IdentityType = 'worker' | 'database' | 'storage' | 'durable_object' | 'daemon';
+interface EpochCoreIdentity {
     did: string;
     publicKey: string;
     fingerprint: string;
@@ -18,12 +18,12 @@ export interface EpochCoreIdentity {
     name: string;
     createdAt: string;
 }
-export interface EpochCoreWallet {
+interface EpochCoreWallet {
     address: string;
     publicKey: string;
     identityDid: string;
 }
-export interface SignedPayload {
+interface SignedPayload {
     payload: string;
     signature: string;
     publicKey: string;
@@ -32,7 +32,7 @@ export interface SignedPayload {
 /**
  * Generate a new Ed25519 keypair for infrastructure identity
  */
-export declare function generateKeypair(): Promise<{
+declare function generateKeypair(): Promise<{
     privateKey: string;
     publicKey: string;
 }>;
@@ -40,30 +40,30 @@ export declare function generateKeypair(): Promise<{
  * Create a DID (Decentralized Identifier) for infrastructure
  * Format: did:epochcore:<type>:<name>:<fingerprint>
  */
-export declare function createDID(type: IdentityType, name: string, publicKey: string): string;
+declare function createDID(type: IdentityType, name: string, publicKey: string): string;
 /**
  * Generate a complete infrastructure identity
  */
-export declare function generateIdentity(type: IdentityType, name: string): Promise<{
+declare function generateIdentity(type: IdentityType, name: string): Promise<{
     identity: EpochCoreIdentity;
     privateKey: string;
 }>;
 /**
  * Derive a secp256k1 wallet from an identity for Web3 operations
  */
-export declare function deriveWallet(privateKey: string, identityDid: string): EpochCoreWallet;
+declare function deriveWallet(privateKey: string, identityDid: string): EpochCoreWallet;
 /**
  * Sign a payload with Ed25519 private key
  */
-export declare function signPayload(payload: string, privateKey: string): Promise<SignedPayload>;
+declare function signPayload(payload: string, privateKey: string): Promise<SignedPayload>;
 /**
  * Verify an Ed25519 signature
  */
-export declare function verifySignature(payload: string, signature: string, publicKey: string): Promise<boolean>;
+declare function verifySignature(payload: string, signature: string, publicKey: string): Promise<boolean>;
 /**
  * Parse a DID string into components
  */
-export declare function parseDID(did: string): {
+declare function parseDID(did: string): {
     method: string;
     type: IdentityType;
     name: string;
@@ -72,7 +72,7 @@ export declare function parseDID(did: string): {
 /**
  * Generate JWKS (JSON Web Key Set) for OAuth2/OIDC integration
  */
-export declare function generateJWKS(publicKeys: string[]): {
+declare function generateJWKS(publicKeys: string[]): {
     keys: Array<{
         kty: string;
         crv: string;
@@ -81,7 +81,7 @@ export declare function generateJWKS(publicKeys: string[]): {
         kid: string;
     }>;
 };
-export declare const CONSTANTS: {
+declare const CONSTANTS: {
     DID_PREFIX: string;
     SIGNING_ALGORITHM: string;
     WALLET_ALGORITHM: string;
@@ -105,5 +105,5 @@ declare const _default: {
         VERSION: string;
     };
 };
-export default _default;
-//# sourceMappingURL=index.d.ts.map
+
+export { CONSTANTS, type EpochCoreIdentity, type EpochCoreWallet, type IdentityType, type SignedPayload, createDID, _default as default, deriveWallet, generateIdentity, generateJWKS, generateKeypair, parseDID, signPayload, verifySignature };

package/dist/index.js

@@ -1,138 +1,236 @@
-/**
- * @epochcore/identity-sdk
- * World's First Universal Infrastructure Identity SDK
- *
- * Provides Ed25519 cryptographic identities for:
- * - Cloudflare Workers
- * - D1 Databases
- * - R2 Storage Buckets
- * - Durable Objects
- * - Local Daemons
- */
-import * as ed25519 from '@noble/ed25519';
-import * as secp256k1 from '@noble/secp256k1';
-import { sha256 } from '@noble/hashes/sha256';
-import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
-/**
- * Generate a new Ed25519 keypair for infrastructure identity
- */
-export async function generateKeypair() {
-    const privateKey = ed25519.utils.randomPrivateKey();
-    const publicKey = await ed25519.getPublicKeyAsync(privateKey);
-    return {
-        privateKey: bytesToHex(privateKey),
-        publicKey: bytesToHex(publicKey)
-    };
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  CONSTANTS: () => CONSTANTS,
+  createDID: () => createDID,
+  default: () => index_default,
+  deriveWallet: () => deriveWallet,
+  generateIdentity: () => generateIdentity,
+  generateJWKS: () => generateJWKS,
+  generateKeypair: () => generateKeypair,
+  parseDID: () => parseDID,
+  signPayload: () => signPayload,
+  verifySignature: () => verifySignature
+});
+module.exports = __toCommonJS(index_exports);
+var ed25519 = __toESM(require("@noble/ed25519"));
+var secp256k1 = __toESM(require("@noble/secp256k1"));
+var import_sha256 = require("@noble/hashes/sha256");
+var import_utils = require("@noble/hashes/utils");
+var HEX_64_RE = /^[0-9a-f]{64}$/i;
+var NAME_RE = /^[\w.-]{1,128}$/;
+var MAX_DID_LENGTH = 512;
+var MAX_PAYLOAD_BYTES = 1048576;
+var SECP256K1_ORDER = BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141");
+function toBase64Url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-/**
- * Create a DID (Decentralized Identifier) for infrastructure
- * Format: did:epochcore:<type>:<name>:<fingerprint>
- */
-export function createDID(type, name, publicKey) {
-    const fingerprint = bytesToHex(sha256(hexToBytes(publicKey))).slice(0, 16);
-    return `did:epochcore:${type}:${name}:${fingerprint}`;
+function validateHex64(value, name) {
+  if (typeof value !== "string" || !HEX_64_RE.test(value)) {
+    throw new TypeError(`${name} must be a 64-character hex string`);
+  }
 }
-/**
- * Generate a complete infrastructure identity
- */
-export async function generateIdentity(type, name) {
-    const { privateKey, publicKey } = await generateKeypair();
-    const fingerprint = bytesToHex(sha256(hexToBytes(publicKey))).slice(0, 16);
-    const did = createDID(type, name, publicKey);
-    return {
-        identity: {
-            did,
-            publicKey,
-            fingerprint,
-            type,
-            name,
-            createdAt: new Date().toISOString()
-        },
-        privateKey
-    };
+function validateType(type) {
+  if (typeof type !== "string" || !CONSTANTS.SUPPORTED_TYPES.includes(type)) {
+    throw new TypeError(
+      `Invalid identity type: ${String(type)}. Must be one of: ${CONSTANTS.SUPPORTED_TYPES.join(", ")}`
+    );
+  }
 }
-/**
- * Derive a secp256k1 wallet from an identity for Web3 operations
- */
-export function deriveWallet(privateKey, identityDid) {
-    const seedBytes = sha256(hexToBytes(privateKey));
-    const walletPrivKey = secp256k1.utils.normPrivateKeyToScalar(seedBytes);
-    const walletPubKey = secp256k1.getPublicKey(walletPrivKey, false);
-    // Ethereum-style address derivation
-    const pubKeyHash = sha256(walletPubKey.slice(1));
-    const address = '0x' + bytesToHex(pubKeyHash).slice(-40);
-    return {
-        address,
-        publicKey: bytesToHex(walletPubKey),
-        identityDid
-    };
+function validateName(name) {
+  if (typeof name !== "string" || !NAME_RE.test(name)) {
+    throw new TypeError("name must be 1-128 characters matching /^[\\w.-]+$/");
+  }
 }
-/**
- * Sign a payload with Ed25519 private key
- */
-export async function signPayload(payload, privateKey) {
-    const message = new TextEncoder().encode(payload);
-    const signature = await ed25519.signAsync(message, hexToBytes(privateKey));
-    const publicKey = await ed25519.getPublicKeyAsync(hexToBytes(privateKey));
-    return {
-        payload,
-        signature: bytesToHex(signature),
-        publicKey: bytesToHex(publicKey),
-        timestamp: new Date().toISOString()
-    };
+async function generateKeypair() {
+  const privateKey = ed25519.utils.randomPrivateKey();
+  let allZero = true;
+  for (let i = 0; i < privateKey.length; i++) {
+    if (privateKey[i] !== 0) {
+      allZero = false;
+      break;
+    }
+  }
+  if (allZero) {
+    throw new Error("Key generation produced zero-entropy private key; CSPRNG may be broken");
+  }
+  const publicKey = await ed25519.getPublicKeyAsync(privateKey);
+  return {
+    privateKey: (0, import_utils.bytesToHex)(privateKey),
+    publicKey: (0, import_utils.bytesToHex)(publicKey)
+  };
 }
-/**
- * Verify an Ed25519 signature
- */
-export async function verifySignature(payload, signature, publicKey) {
-    const message = new TextEncoder().encode(payload);
-    return ed25519.verifyAsync(hexToBytes(signature), message, hexToBytes(publicKey));
+function createDID(type, name, publicKey) {
+  validateType(type);
+  validateName(name);
+  validateHex64(publicKey, "publicKey");
+  const fingerprint = (0, import_utils.bytesToHex)((0, import_sha256.sha256)((0, import_utils.hexToBytes)(publicKey))).slice(0, 32);
+  return `did:epochcore:${type}:${name}:${fingerprint}`;
 }
-/**
- * Parse a DID string into components
- */
-export function parseDID(did) {
-    const parts = did.split(':');
-    if (parts.length !== 5 || parts[0] !== 'did' || parts[1] !== 'epochcore') {
-        return null;
-    }
-    return {
-        method: parts[1],
-        type: parts[2],
-        name: parts[3],
-        fingerprint: parts[4]
-    };
+async function generateIdentity(type, name) {
+  validateType(type);
+  validateName(name);
+  const { privateKey, publicKey } = await generateKeypair();
+  const fingerprint = (0, import_utils.bytesToHex)((0, import_sha256.sha256)((0, import_utils.hexToBytes)(publicKey))).slice(0, 32);
+  const did = createDID(type, name, publicKey);
+  return {
+    identity: {
+      did,
+      publicKey,
+      fingerprint,
+      type,
+      name,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    },
+    privateKey
+  };
+}
+function deriveWallet(privateKey, identityDid) {
+  validateHex64(privateKey, "privateKey");
+  if (typeof identityDid !== "string" || !identityDid.startsWith("did:epochcore:")) {
+    throw new TypeError('identityDid must start with "did:epochcore:"');
+  }
+  const seedBytes = (0, import_sha256.sha256)((0, import_utils.hexToBytes)(privateKey));
+  const walletPrivKey = secp256k1.utils.normPrivateKeyToScalar(seedBytes);
+  if (walletPrivKey <= 0n || walletPrivKey >= SECP256K1_ORDER) {
+    throw new RangeError("Derived wallet private key scalar is out of valid secp256k1 range [1, n-1]");
+  }
+  const walletPubKey = secp256k1.getPublicKey(walletPrivKey, false);
+  const pubKeyHash = (0, import_sha256.sha256)(walletPubKey.slice(1));
+  const address = "0x" + (0, import_utils.bytesToHex)(pubKeyHash).slice(-40);
+  return {
+    address,
+    publicKey: (0, import_utils.bytesToHex)(walletPubKey),
+    identityDid
+  };
+}
+async function signPayload(payload, privateKey) {
+  if (typeof payload !== "string" || payload.length === 0) {
+    throw new TypeError("payload must be a non-empty string");
+  }
+  const payloadBytes = new TextEncoder().encode(payload);
+  if (payloadBytes.byteLength > MAX_PAYLOAD_BYTES) {
+    throw new RangeError(`payload exceeds maximum size of ${MAX_PAYLOAD_BYTES} bytes`);
+  }
+  validateHex64(privateKey, "privateKey");
+  const signature = await ed25519.signAsync(payloadBytes, (0, import_utils.hexToBytes)(privateKey));
+  const publicKey = await ed25519.getPublicKeyAsync((0, import_utils.hexToBytes)(privateKey));
+  return {
+    payload,
+    signature: (0, import_utils.bytesToHex)(signature),
+    publicKey: (0, import_utils.bytesToHex)(publicKey),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function verifySignature(payload, signature, publicKey) {
+  if (typeof payload !== "string" || payload.length === 0) {
+    throw new TypeError("payload must be a non-empty string");
+  }
+  if (typeof signature !== "string" || !/^[0-9a-f]{128}$/i.test(signature)) {
+    throw new TypeError("signature must be a 128-character hex string");
+  }
+  validateHex64(publicKey, "publicKey");
+  const message = new TextEncoder().encode(payload);
+  return ed25519.verifyAsync(
+    (0, import_utils.hexToBytes)(signature),
+    message,
+    (0, import_utils.hexToBytes)(publicKey)
+  );
+}
+function parseDID(did) {
+  if (typeof did !== "string" || did.length > MAX_DID_LENGTH) {
+    return null;
+  }
+  const parts = did.split(":");
+  if (parts.length !== 5 || parts[0] !== "did" || parts[1] !== "epochcore") {
+    return null;
+  }
+  if (!CONSTANTS.SUPPORTED_TYPES.includes(parts[2])) {
+    return null;
+  }
+  return {
+    method: parts[1],
+    type: parts[2],
+    name: parts[3],
+    fingerprint: parts[4]
+  };
 }
-/**
- * Generate JWKS (JSON Web Key Set) for OAuth2/OIDC integration
- */
-export function generateJWKS(publicKeys) {
-    return {
-        keys: publicKeys.map((pk, i) => ({
-            kty: 'OKP',
-            crv: 'Ed25519',
-            x: Buffer.from(hexToBytes(pk)).toString('base64url'),
-            use: 'sig',
-            kid: `epochcore-${i + 1}`
-        }))
-    };
+function generateJWKS(publicKeys) {
+  if (!Array.isArray(publicKeys)) {
+    throw new TypeError("publicKeys must be an array");
+  }
+  for (let i = 0; i < publicKeys.length; i++) {
+    validateHex64(publicKeys[i], `publicKeys[${i}]`);
+  }
+  return {
+    keys: publicKeys.map((pk, i) => ({
+      kty: "OKP",
+      crv: "Ed25519",
+      x: toBase64Url((0, import_utils.hexToBytes)(pk)),
+      use: "sig",
+      kid: `epochcore-${i + 1}`
+    }))
+  };
 }
-// Constants
-export const CONSTANTS = {
-    DID_PREFIX: 'did:epochcore',
-    SIGNING_ALGORITHM: 'Ed25519',
-    WALLET_ALGORITHM: 'secp256k1',
-    SUPPORTED_TYPES: ['worker', 'database', 'storage', 'durable_object', 'daemon'],
-    VERSION: '1.0.0'
+var CONSTANTS = {
+  DID_PREFIX: "did:epochcore",
+  SIGNING_ALGORITHM: "Ed25519",
+  WALLET_ALGORITHM: "secp256k1",
+  SUPPORTED_TYPES: ["worker", "database", "storage", "durable_object", "daemon"],
+  VERSION: "1.1.0"
 };
-export default {
-    generateKeypair,
-    generateIdentity,
-    createDID,
-    parseDID,
-    deriveWallet,
-    signPayload,
-    verifySignature,
-    generateJWKS,
-    CONSTANTS
+var index_default = {
+  generateKeypair,
+  generateIdentity,
+  createDID,
+  parseDID,
+  deriveWallet,
+  signPayload,
+  verifySignature,
+  generateJWKS,
+  CONSTANTS
 };
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CONSTANTS,
+  createDID,
+  deriveWallet,
+  generateIdentity,
+  generateJWKS,
+  generateKeypair,
+  parseDID,
+  signPayload,
+  verifySignature
+});

package/dist/index.mjs

@@ -0,0 +1,193 @@
+// src/index.ts
+import * as ed25519 from "@noble/ed25519";
+import * as secp256k1 from "@noble/secp256k1";
+import { sha256 } from "@noble/hashes/sha256";
+import { bytesToHex, hexToBytes } from "@noble/hashes/utils";
+var HEX_64_RE = /^[0-9a-f]{64}$/i;
+var NAME_RE = /^[\w.-]{1,128}$/;
+var MAX_DID_LENGTH = 512;
+var MAX_PAYLOAD_BYTES = 1048576;
+var SECP256K1_ORDER = BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141");
+function toBase64Url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function validateHex64(value, name) {
+  if (typeof value !== "string" || !HEX_64_RE.test(value)) {
+    throw new TypeError(`${name} must be a 64-character hex string`);
+  }
+}
+function validateType(type) {
+  if (typeof type !== "string" || !CONSTANTS.SUPPORTED_TYPES.includes(type)) {
+    throw new TypeError(
+      `Invalid identity type: ${String(type)}. Must be one of: ${CONSTANTS.SUPPORTED_TYPES.join(", ")}`
+    );
+  }
+}
+function validateName(name) {
+  if (typeof name !== "string" || !NAME_RE.test(name)) {
+    throw new TypeError("name must be 1-128 characters matching /^[\\w.-]+$/");
+  }
+}
+async function generateKeypair() {
+  const privateKey = ed25519.utils.randomPrivateKey();
+  let allZero = true;
+  for (let i = 0; i < privateKey.length; i++) {
+    if (privateKey[i] !== 0) {
+      allZero = false;
+      break;
+    }
+  }
+  if (allZero) {
+    throw new Error("Key generation produced zero-entropy private key; CSPRNG may be broken");
+  }
+  const publicKey = await ed25519.getPublicKeyAsync(privateKey);
+  return {
+    privateKey: bytesToHex(privateKey),
+    publicKey: bytesToHex(publicKey)
+  };
+}
+function createDID(type, name, publicKey) {
+  validateType(type);
+  validateName(name);
+  validateHex64(publicKey, "publicKey");
+  const fingerprint = bytesToHex(sha256(hexToBytes(publicKey))).slice(0, 32);
+  return `did:epochcore:${type}:${name}:${fingerprint}`;
+}
+async function generateIdentity(type, name) {
+  validateType(type);
+  validateName(name);
+  const { privateKey, publicKey } = await generateKeypair();
+  const fingerprint = bytesToHex(sha256(hexToBytes(publicKey))).slice(0, 32);
+  const did = createDID(type, name, publicKey);
+  return {
+    identity: {
+      did,
+      publicKey,
+      fingerprint,
+      type,
+      name,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    },
+    privateKey
+  };
+}
+function deriveWallet(privateKey, identityDid) {
+  validateHex64(privateKey, "privateKey");
+  if (typeof identityDid !== "string" || !identityDid.startsWith("did:epochcore:")) {
+    throw new TypeError('identityDid must start with "did:epochcore:"');
+  }
+  const seedBytes = sha256(hexToBytes(privateKey));
+  const walletPrivKey = secp256k1.utils.normPrivateKeyToScalar(seedBytes);
+  if (walletPrivKey <= 0n || walletPrivKey >= SECP256K1_ORDER) {
+    throw new RangeError("Derived wallet private key scalar is out of valid secp256k1 range [1, n-1]");
+  }
+  const walletPubKey = secp256k1.getPublicKey(walletPrivKey, false);
+  const pubKeyHash = sha256(walletPubKey.slice(1));
+  const address = "0x" + bytesToHex(pubKeyHash).slice(-40);
+  return {
+    address,
+    publicKey: bytesToHex(walletPubKey),
+    identityDid
+  };
+}
+async function signPayload(payload, privateKey) {
+  if (typeof payload !== "string" || payload.length === 0) {
+    throw new TypeError("payload must be a non-empty string");
+  }
+  const payloadBytes = new TextEncoder().encode(payload);
+  if (payloadBytes.byteLength > MAX_PAYLOAD_BYTES) {
+    throw new RangeError(`payload exceeds maximum size of ${MAX_PAYLOAD_BYTES} bytes`);
+  }
+  validateHex64(privateKey, "privateKey");
+  const signature = await ed25519.signAsync(payloadBytes, hexToBytes(privateKey));
+  const publicKey = await ed25519.getPublicKeyAsync(hexToBytes(privateKey));
+  return {
+    payload,
+    signature: bytesToHex(signature),
+    publicKey: bytesToHex(publicKey),
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function verifySignature(payload, signature, publicKey) {
+  if (typeof payload !== "string" || payload.length === 0) {
+    throw new TypeError("payload must be a non-empty string");
+  }
+  if (typeof signature !== "string" || !/^[0-9a-f]{128}$/i.test(signature)) {
+    throw new TypeError("signature must be a 128-character hex string");
+  }
+  validateHex64(publicKey, "publicKey");
+  const message = new TextEncoder().encode(payload);
+  return ed25519.verifyAsync(
+    hexToBytes(signature),
+    message,
+    hexToBytes(publicKey)
+  );
+}
+function parseDID(did) {
+  if (typeof did !== "string" || did.length > MAX_DID_LENGTH) {
+    return null;
+  }
+  const parts = did.split(":");
+  if (parts.length !== 5 || parts[0] !== "did" || parts[1] !== "epochcore") {
+    return null;
+  }
+  if (!CONSTANTS.SUPPORTED_TYPES.includes(parts[2])) {
+    return null;
+  }
+  return {
+    method: parts[1],
+    type: parts[2],
+    name: parts[3],
+    fingerprint: parts[4]
+  };
+}
+function generateJWKS(publicKeys) {
+  if (!Array.isArray(publicKeys)) {
+    throw new TypeError("publicKeys must be an array");
+  }
+  for (let i = 0; i < publicKeys.length; i++) {
+    validateHex64(publicKeys[i], `publicKeys[${i}]`);
+  }
+  return {
+    keys: publicKeys.map((pk, i) => ({
+      kty: "OKP",
+      crv: "Ed25519",
+      x: toBase64Url(hexToBytes(pk)),
+      use: "sig",
+      kid: `epochcore-${i + 1}`
+    }))
+  };
+}
+var CONSTANTS = {
+  DID_PREFIX: "did:epochcore",
+  SIGNING_ALGORITHM: "Ed25519",
+  WALLET_ALGORITHM: "secp256k1",
+  SUPPORTED_TYPES: ["worker", "database", "storage", "durable_object", "daemon"],
+  VERSION: "1.1.0"
+};
+var index_default = {
+  generateKeypair,
+  generateIdentity,
+  createDID,
+  parseDID,
+  deriveWallet,
+  signPayload,
+  verifySignature,
+  generateJWKS,
+  CONSTANTS
+};
+export {
+  CONSTANTS,
+  createDID,
+  index_default as default,
+  deriveWallet,
+  generateIdentity,
+  generateJWKS,
+  generateKeypair,
+  parseDID,
+  signPayload,
+  verifySignature
+};

package/package.json

@@ -1,12 +1,20 @@
 {
   "name": "@epochcore/identity-sdk",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "World's First Universal Infrastructure Identity SDK - Ed25519 cryptographic identities for workers, databases, storage, and daemons",
   "main": "dist/index.js",
+  "module": "dist/index.mjs",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
   "scripts": {
-    "build": "tsc",
-    "test": "vitest",
+    "build": "tsup src/index.ts --format cjs,esm --dts --clean --external @noble/ed25519 --external @noble/secp256k1 --external @noble/hashes",
+    "test": "vitest run",
     "prepublishOnly": "npm run build"
   },
   "keywords": [
@@ -33,6 +41,7 @@
     "@noble/hashes": "^1.3.0"
   },
   "devDependencies": {
+    "tsup": "^8.0.0",
     "typescript": "^5.3.0",
     "vitest": "^1.0.0"
   },

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,gBAAgB,GAAG,QAAQ,CAAC;AAE3F,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC,CAQD;AAED;;;GAGG;AACH,wBAAgB,SAAS,CACvB,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB,MAAM,CAGR;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IACT,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAgBD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,eAAe,CAcjB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,CAAC,CAWxB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB,GAAG,IAAI,CAYP;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG;IAClD,IAAI,EAAE,KAAK,CAAC;QACV,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,CAAC,EAAE,MAAM,CAAC;QACV,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ,CAUA;AAGD,eAAO,MAAM,SAAS;;;;qBAI8D,YAAY,EAAE;;CAEjG,CAAC;;;;;;;;;;;;;;yBAFkF,YAAY,EAAE;;;;AAIlG,wBAUE"}