@hai.ai/jacs 0.6.0

package/README.md

@@ -0,0 +1,237 @@
+# JACS for Node.js
+
+Node.js bindings for JACS (JSON Agent Communication Standard) -- an open data provenance toolkit for signing and verifying AI agent communications. JACS works standalone with no server required; optionally register with [HAI.ai](https://hai.ai) for cross-organization key discovery.
+
+**Dependencies**: The `overrides` in `package.json` for `body-parser` and `qs` are for security (CVE-2024-45590). Do not remove them without re-auditing.
+
+## Installation
+
+```bash
+npm install @hai.ai/jacs
+```
+
+The npm package ships prebuilt native bindings for supported targets and does not compile Rust during `npm install`.
+
+## Quick Start
+
+```javascript
+const jacs = require('@hai.ai/jacs/simple');
+
+// Load your agent (run `jacs create` first if needed)
+const agent = jacs.load('./jacs.config.json');
+
+// Sign a message
+const signed = jacs.signMessage({
+  action: 'approve',
+  amount: 100
+});
+
+// Verify it
+const result = jacs.verify(signed.raw);
+console.log(`Valid: ${result.valid}`);
+console.log(`Signer: ${result.signerId}`);
+```
+
+## Core API
+
+| Function | Description |
+|----------|-------------|
+| `create(options)` | Create a new agent programmatically (non-interactive) |
+| `load(configPath)` | Load agent from config file |
+| `verifySelf()` | Verify agent's own integrity |
+| `updateAgent(data)` | Update agent document with new data |
+| `updateDocument(id, data)` | Update existing document with new data |
+| `signMessage(data)` | Sign any JSON data |
+| `signFile(path, embed)` | Sign a file |
+| `verify(doc)` | Verify signed document (JSON string) |
+| `verifyStandalone(doc, opts?)` | Verify without loading an agent (one-off) |
+| `verifyById(id)` | Verify a document by storage ID (`uuid:version`) |
+| `registerWithHai(opts?)` | Register the loaded agent with HAI.ai |
+| `getDnsRecord(domain, ttl?)` | Get DNS TXT record line for the agent |
+| `getWellKnownJson()` | Get well-known JSON for `/.well-known/jacs-pubkey.json` |
+| `reencryptKey(oldPw, newPw)` | Re-encrypt private key with new password |
+| `getPublicKey()` | Get public key for sharing |
+| `isLoaded()` | Check if agent is loaded |
+| `trustAgent(json)` | Add an agent to the local trust store |
+| `listTrustedAgents()` | List all trusted agent IDs |
+| `untrustAgent(id)` | Remove an agent from the trust store |
+| `isTrusted(id)` | Check if an agent is trusted |
+| `getTrustedAgent(id)` | Get a trusted agent's JSON document |
+| `audit(options?)` | Run a read-only security audit; optional `configPath`, `recentN` |
+| `generateVerifyLink(doc, baseUrl?)` | Generate a shareable hai.ai verification URL for a signed document |
+
+## Types
+
+```typescript
+interface SignedDocument {
+  raw: string;        // Full JSON document
+  documentId: string; // UUID
+  agentId: string;    // Signer's ID
+  timestamp: string;  // ISO 8601
+}
+
+interface VerificationResult {
+  valid: boolean;
+  data?: any;
+  signerId: string;
+  timestamp: string;
+  attachments: Attachment[];
+  errors: string[];
+}
+```
+
+## Programmatic Agent Creation
+
+```typescript
+const jacs = require('@hai.ai/jacs/simple');
+
+const agent = jacs.create({
+  name: 'my-agent',
+  password: process.env.JACS_PRIVATE_KEY_PASSWORD,  // required
+  algorithm: 'pq2025',                  // default; also: "ring-Ed25519", "RSA-PSS"
+  dataDirectory: './jacs_data',
+  keyDirectory: './jacs_keys',
+});
+console.log(`Created: ${agent.agentId}`);
+```
+
+### Verify by Document ID
+
+```javascript
+const result = jacs.verifyById('550e8400-e29b-41d4-a716-446655440000:1');
+console.log(`Valid: ${result.valid}`);
+```
+
+### Re-encrypt Private Key
+
+```javascript
+jacs.reencryptKey('old-password-123!', 'new-Str0ng-P@ss!');
+```
+
+### Password Requirements
+
+Passwords must be at least 8 characters and include uppercase, lowercase, a digit, and a special character.
+
+### Algorithm Deprecation Notice
+
+The `pq-dilithium` algorithm is deprecated. Use `pq2025` (ML-DSA-87, FIPS-204) instead. `pq-dilithium` still works but emits deprecation warnings.
+
+## Examples
+
+### Sign and Verify
+
+```javascript
+const jacs = require('@hai.ai/jacs/simple');
+
+jacs.load('./jacs.config.json');
+
+// Sign data
+const signed = jacs.signMessage({
+  action: 'transfer',
+  amount: 500,
+  to: 'agent-123'
+});
+
+// Later, verify received data
+const result = jacs.verify(receivedJson);
+if (result.valid) {
+  console.log(`Signed by: ${result.signerId}`);
+  console.log(`Data: ${JSON.stringify(result.data)}`);
+}
+```
+
+### Update Agent
+
+```javascript
+// Get current agent, modify, and update
+const agentDoc = JSON.parse(jacs.exportAgent());
+agentDoc.jacsAgentType = 'updated-service';
+const updated = jacs.updateAgent(agentDoc);
+console.log('Agent updated with new version');
+```
+
+### Update Document
+
+```javascript
+// Create a document
+const signed = jacs.signMessage({ status: 'pending', amount: 100 });
+
+// Later, update it
+const doc = JSON.parse(signed.raw);
+doc.content.status = 'approved';
+const updated = jacs.updateDocument(signed.documentId, doc);
+console.log('Document updated with new version');
+```
+
+### File Signing
+
+```javascript
+// Reference only (stores hash)
+const signed = jacs.signFile('contract.pdf', false);
+
+// Embed content (portable document)
+const embedded = jacs.signFile('contract.pdf', true);
+```
+
+### MCP Integration
+
+JACS provides a transport proxy that wraps any MCP transport with automatic signing and verification at the network boundary:
+
+```javascript
+import { createJACSTransportProxy } from '@hai.ai/jacs/mcp';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+
+// Wrap any MCP transport with JACS signing
+const baseTransport = new StdioServerTransport();
+const jacsTransport = createJACSTransportProxy(
+  baseTransport, './jacs.config.json', 'server'
+);
+```
+
+See `examples/mcp.simple.server.js` for a complete MCP server example with JACS-signed tools.
+
+## HAI Integration
+
+The JACS package includes integration with HAI's key distribution service for fetching public keys without requiring local key storage.
+
+### Fetch Remote Keys
+
+```javascript
+const { fetchRemoteKey } = require('@hai.ai/jacs');
+
+// Fetch a public key from HAI's key service
+const keyInfo = fetchRemoteKey('550e8400-e29b-41d4-a716-446655440000', 'latest');
+console.log('Algorithm:', keyInfo.algorithm);
+console.log('Public Key Hash:', keyInfo.publicKeyHash);
+console.log('Agent ID:', keyInfo.agentId);
+console.log('Version:', keyInfo.version);
+
+// Use the public key for verification
+const publicKeyBytes = keyInfo.publicKey; // Buffer containing DER-encoded key
+```
+
+### Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `HAI_KEYS_BASE_URL` | Base URL for the HAI key service | `https://keys.hai.ai` |
+
+### HAI Types
+
+```typescript
+interface RemotePublicKeyInfo {
+  publicKey: Buffer;      // DER-encoded public key bytes
+  algorithm: string;      // e.g., "ed25519", "rsa-pss-sha256"
+  publicKeyHash: string;  // SHA-256 hash of the public key
+  agentId: string;        // The agent's unique identifier
+  version: string;        // The key version
+}
+```
+
+## See Also
+
+- [JACS Book](https://humanassisted.github.io/JACS/) - Full documentation (published book)
+- [Quick Start](https://humanassisted.github.io/JACS/getting-started/quick-start.html)
+- [Source](https://github.com/HumanAssisted/JACS) - GitHub repository
+- [HAI Developer Portal](https://hai.ai/dev)
+- [Examples](./examples/)

package/http.d.ts

@@ -0,0 +1,13 @@
+// Define JacsOptions if not already defined elsewhere
+interface JacsOptions {
+  configPath: string;
+}
+
+// For Koa
+export function JACSKoaMiddleware(options: JacsOptions): (ctx: any, next: () => Promise<void>) => Promise<void>;
+
+// For Express
+export function JACSExpressMiddleware(options: JacsOptions): (req: any, res: any, next: () => Promise<void>) => Promise<void>;
+
+// You can keep the old one if it's still used or remove it
+// export function createJacsMiddleware(options?: JacsOptions): (ctx: any, next: () => Promise<void>) => Promise<void>;

package/http.js

@@ -0,0 +1,154 @@
+import jacs from './index.js'; // Assuming JACS NAPI is here
+
+/**
+ * JACS Middleware for Koa.js applications.
+ * Reads the raw request body, verifies JACS, makes payload available as ctx.jacsPayload.
+ * Signs the response object from ctx.body before sending.
+ * @param {Object} options
+ * @param {string} options.configPath - Path to JACS config file for the server.
+ */
+export function JACSKoaMiddleware(options = {}) {
+  if (!options.configPath) {
+    throw new Error("JACSKoaMiddleware: options.configPath is required.");
+  }
+
+  return async (ctx, next) => {
+    // Ensure JACS NAPI is loaded with the server's config
+    // Consider loading this once when the middleware is initialized if jacs.load supports it,
+    // or ensure jacs instance is pre-configured. For simplicity, loading per request if not cached.
+    try {
+      await jacs.load(options.configPath);
+    } catch (loadError) {
+      console.error("JACSKoaMiddleware: Failed to load JACS config:", loadError);
+      ctx.status = 500;
+      ctx.body = "JACS configuration error on server.";
+      return;
+    }
+
+    // 1. Request Handling
+    if (ctx.request.method === 'POST' || ctx.request.method === 'PUT') { // Or any method with a body
+      let rawBody = '';
+      try {
+        const bodyBuffer = [];
+        for await (const chunk of ctx.req) { // ctx.req is the Node.js incoming message
+          bodyBuffer.push(chunk);
+        }
+        rawBody = Buffer.concat(bodyBuffer).toString();
+      } catch (err) {
+        console.error("JACSKoaMiddleware: Error reading raw request body:", err);
+        ctx.status = 400;
+        ctx.body = 'Failed to read request body.';
+        return;
+      }
+
+      if (rawBody) {
+        try {
+          console.log("JACSKoaMiddleware: Verifying incoming JACS string...");
+          const verificationResult = await jacs.verifyResponse(rawBody);
+          ctx.state.jacsPayload = verificationResult.payload; // Standard place for Koa state
+          ctx.jacsPayload = verificationResult.payload; // For convenience
+          console.log("JACSKoaMiddleware: JACS request verified. Payload in ctx.state.jacsPayload / ctx.jacsPayload.");
+        } catch (jacsError) {
+          console.error("JACSKoaMiddleware: JACS verification failed:", jacsError);
+          ctx.status = 400; // Bad Request - JACS validation failed
+          ctx.body = `Invalid JACS request: ${jacsError.message}`;
+          return;
+        }
+      } else {
+        console.log("JACSKoaMiddleware: No body found in POST/PUT request for JACS verification.");
+        // Depending on policy, might error or proceed if JACS is optional for this path
+      }
+    }
+
+    await next(); // Call the next middleware (e.g., your route handler)
+
+    // 2. Response Handling
+    // Check if ctx.body is an object intended for signing (and not already a string or buffer)
+    if (ctx.body && typeof ctx.body === 'object' && !(ctx.body instanceof String) && !Buffer.isBuffer(ctx.body) && !(typeof ctx.body.pipe === 'function')) {
+      try {
+        console.log("JACSKoaMiddleware: Signing outgoing response from ctx.body:", ctx.body);
+        const jacsStringResponse = await jacs.signRequest(ctx.body);
+        ctx.body = jacsStringResponse; // Replace object payload with JACS string
+        ctx.type = 'text/plain';      // Set Content-Type for the JACS string
+        console.log("JACSKoaMiddleware: JACS response signed.");
+      } catch (jacsError) {
+        console.error("JACSKoaMiddleware: Failed to sign JACS response:", jacsError);
+        // Potentially overwrite ctx.body with an error or re-throw
+        ctx.status = 500;
+        ctx.body = `Failed to sign JACS response: ${jacsError.message}`;
+      }
+    }
+  };
+}
+
+/**
+ * JACS Middleware for Express.js applications.
+ * Expects raw request body string in req.body (e.g., from express.text()).
+ * Verifies JACS, makes payload available as req.jacsPayload.
+ * Wraps res.send to sign the response object before sending.
+ * @param {Object} options
+ * @param {string} options.configPath - Path to JACS config file for the server.
+ */
+export function JACSExpressMiddleware(options = {}) {
+  if (!options.configPath) {
+    throw new Error("JACSExpressMiddleware: options.configPath is required.");
+  }
+
+  return async (req, res, next) => {
+    // Ensure JACS NAPI is loaded
+    try {
+      await jacs.load(options.configPath);
+    } catch (loadError) {
+      console.error("JACSExpressMiddleware: Failed to load JACS config:", loadError);
+      res.status(500).send("JACS configuration error on server.");
+      return;
+    }
+
+    // 1. Request Handling
+    // Assumes prior middleware (like express.text()) has put raw string body into req.body
+    if ((req.method === 'POST' || req.method === 'PUT') && typeof req.body === 'string' && req.body.length > 0) {
+      try {
+        console.log("JACSExpressMiddleware: Verifying incoming JACS string from req.body...");
+        const verificationResult = await jacs.verifyResponse(req.body);
+        req.jacsPayload = verificationResult.payload;
+        console.log("JACSExpressMiddleware: JACS request verified. Payload in req.jacsPayload.");
+      } catch (jacsError) {
+        console.error("JACSExpressMiddleware: JACS verification failed:", jacsError);
+        res.status(400).send(`Invalid JACS request: ${jacsError.message}`);
+        return;
+      }
+    } else if ((req.method === 'POST' || req.method === 'PUT') && (!req.body || typeof req.body !== 'string')) {
+      console.log("JACSExpressMiddleware: req.body is not a JACS string. Ensure express.text() or similar is used before this middleware for POST/PUT.");
+      // Depending on policy, you might proceed or error if JACS is mandatory
+    }
+
+    // 2. Response Handling - Wrap res.send
+    const originalSend = res.send.bind(res);
+    res.send = async function (body) {
+      // 'this' is 'res'
+      if (body && typeof body === 'object' && !(body instanceof String) && !Buffer.isBuffer(body) && !(typeof body.pipe === 'function')) {
+        try {
+          console.log("JACSExpressMiddleware (res.send wrapper): Signing outgoing response object:", body);
+          const jacsStringResponse = await jacs.signRequest(body);
+          this.type('text/plain'); // Set Content-Type for the JACS string
+          console.log("JACSExpressMiddleware (res.send wrapper): JACS response signed.");
+          originalSend(jacsStringResponse);
+        } catch (jacsError) {
+          console.error("JACSExpressMiddleware (res.send wrapper): Failed to sign JACS response:", jacsError);
+          // Handle error - send an error response
+          if (!this.headersSent) {
+            this.status(500).type('text/plain').send(`Failed to sign JACS response: ${jacsError.message}`);
+          }
+        }
+      } else {
+        // Not an object to sign, or already a string/buffer, send as is
+        originalSend(body);
+      }
+    };
+
+    next(); // Call the next middleware (e.g., your route handler)
+  };
+}
+
+// The old generic middleware, can be removed or kept for other purposes.
+// export function createJacsMiddleware(options = {}) { ... }

package/index.d.ts

@@ -0,0 +1,178 @@
+/* tslint:disable */
+/* eslint-disable */
+
+/* auto-generated by NAPI-RS */
+
+/** Hash a string using SHA-256. */
+export declare function hashString(data: string): string
+/** Create a JACS configuration object. */
+export declare function createConfig(jacsUseSecurity?: string | undefined | null, jacsDataDirectory?: string | undefined | null, jacsKeyDirectory?: string | undefined | null, jacsAgentPrivateKeyFilename?: string | undefined | null, jacsAgentPublicKeyFilename?: string | undefined | null, jacsAgentKeyAlgorithm?: string | undefined | null, jacsPrivateKeyPassword?: string | undefined | null, jacsAgentIdAndVersion?: string | undefined | null, jacsDefaultStorage?: string | undefined | null): string
+/** Create a JACS agent programmatically (non-interactive). */
+export declare function createAgent(name: string, password: string, algorithm?: string | undefined | null, dataDirectory?: string | undefined | null, keyDirectory?: string | undefined | null, configPath?: string | undefined | null, agentType?: string | undefined | null, description?: string | undefined | null, domain?: string | undefined | null, defaultStorage?: string | undefined | null): string
+/** Add an agent to the local trust store. */
+export declare function trustAgent(agentJson: string): string
+/** List all trusted agent IDs. */
+export declare function listTrustedAgents(): Array<string>
+/** Remove an agent from the trust store. */
+export declare function untrustAgent(agentId: string): void
+/** Check if an agent is in the trust store. */
+export declare function isTrusted(agentId: string): boolean
+/** Get a trusted agent's JSON document. */
+export declare function getTrustedAgent(agentId: string): string
+/**
+ * Run a read-only security audit and health checks.
+ * Returns the audit result as a JSON string (risks, health_checks, summary).
+ */
+export declare function audit(configPath?: string | undefined | null, recentN?: number | undefined | null): string
+/** @deprecated Use `new JacsAgent()` and `agent.load()` instead. */
+export declare function load(configPath: string): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function signAgent(agentString: string, publicKey: Buffer, publicKeyEncType: string): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function verifyString(data: string, signatureBase64: string, publicKey: Buffer, publicKeyEncType: string): boolean
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function signString(data: string): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function verifyAgent(agentfile?: string | undefined | null): boolean
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function updateAgent(newAgentString: string): string
+/** Result of verify_document_standalone. Exposed to JS as { valid, signerId }. */
+export interface VerifyStandaloneResult {
+  valid: boolean
+  /** Signer agent ID; exposed to JS as signerId (camelCase). */
+  signerId: string
+}
+/**
+ * Verify a signed JACS document without loading an agent.
+ * Returns { valid, signerId }. Does not use global agent state.
+ */
+export declare function verifyDocumentStandalone(signedDocument: string, keyResolution?: string | undefined | null, dataDirectory?: string | undefined | null, keyDirectory?: string | undefined | null): VerifyStandaloneResult
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function verifyDocument(documentString: string): boolean
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function updateDocument(documentKey: string, newDocumentString: string, attachments?: Array<string> | undefined | null, embed?: boolean | undefined | null): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function verifySignature(documentString: string, signatureField?: string | undefined | null): boolean
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function createAgreement(documentString: string, agentids: Array<string>, question?: string | undefined | null, context?: string | undefined | null, agreementFieldname?: string | undefined | null): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function signAgreement(documentString: string, agreementFieldname?: string | undefined | null): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function createDocument(documentString: string, customSchema?: string | undefined | null, outputfilename?: string | undefined | null, noSave?: boolean | undefined | null, attachments?: string | undefined | null, embed?: boolean | undefined | null): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function checkAgreement(documentString: string, agreementFieldname?: string | undefined | null): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function signRequest(params: any): string
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function verifyResponse(documentString: string): object
+/** @deprecated Use `new JacsAgent()` and instance methods instead. */
+export declare function verifyResponseWithAgentId(documentString: string): object
+/**
+ * Information about a public key fetched from HAI key service.
+ *
+ * This struct contains the public key data and metadata returned by
+ * the HAI key distribution service.
+ */
+export interface RemotePublicKeyInfo {
+  /** The raw public key bytes (DER encoded). */
+  publicKey: Buffer
+  /** The cryptographic algorithm (e.g., "ed25519", "rsa-pss-sha256"). */
+  algorithm: string
+  /** The hash of the public key (SHA-256). */
+  publicKeyHash: string
+  /** The agent ID the key belongs to. */
+  agentId: string
+  /** The version of the key. */
+  version: string
+}
+/**
+ * Fetch a public key from HAI's key distribution service.
+ *
+ * This function retrieves the public key for a specific agent and version
+ * from the HAI key distribution service. It is used to obtain trusted public
+ * keys for verifying agent signatures without requiring local key storage.
+ *
+ * # Arguments
+ *
+ * * `agent_id` - The unique identifier of the agent whose key to fetch.
+ * * `version` - The version of the agent's key to fetch. Use "latest" for
+ *   the most recent version. If not provided, defaults to "latest".
+ *
+ * # Returns
+ *
+ * Returns a `RemotePublicKeyInfo` object containing the public key, algorithm, and hash.
+ *
+ * # Environment Variables
+ *
+ * * `HAI_KEYS_BASE_URL` - Base URL for the key service. Defaults to `https://keys.hai.ai`.
+ *
+ * # Example
+ *
+ * ```javascript
+ * const { fetchRemoteKey } = require('@hai.ai/jacs');
+ *
+ * const keyInfo = fetchRemoteKey('550e8400-e29b-41d4-a716-446655440000', 'latest');
+ * console.log('Algorithm:', keyInfo.algorithm);
+ * console.log('Hash:', keyInfo.publicKeyHash);
+ * ```
+ */
+export declare function fetchRemoteKey(agentId: string, version?: string | undefined | null): RemotePublicKeyInfo
+/**
+ * Build a verification URL for a signed JACS document.
+ *
+ * Encodes `document` as URL-safe base64 (no padding) and returns a full URL
+ * like `https://hai.ai/jacs/verify?s=...`. Throws if the URL would exceed 2048 chars.
+ */
+export declare function generateVerifyLink(document: string, baseUrl: string): string
+/**
+ * JacsAgent is a handle to a JACS agent instance.
+ * Each instance maintains its own state and can be used independently.
+ * This allows multiple agents to be used concurrently in the same process.
+ */
+export declare class JacsAgent {
+  /**
+   * Create a new empty JacsAgent instance.
+   * Call `load()` to initialize it with a configuration.
+   */
+  constructor()
+  /** Load an agent from a configuration file. */
+  load(configPath: string): string
+  /** Sign an external agent's document with this agent's registration signature. */
+  signAgent(agentString: string, publicKey: Buffer, publicKeyEncType: string): string
+  /** Verify a signature on arbitrary string data. */
+  verifyString(data: string, signatureBase64: string, publicKey: Buffer, publicKeyEncType: string): boolean
+  /** Sign arbitrary string data with this agent's private key. */
+  signString(data: string): string
+  /** Verify this agent's signature and hash. */
+  verifyAgent(agentfile?: string | undefined | null): boolean
+  /** Update the agent document with new data. */
+  updateAgent(newAgentString: string): string
+  /** Verify a document's signature and hash. */
+  verifyDocument(documentString: string): boolean
+  /** Update an existing document. */
+  updateDocument(documentKey: string, newDocumentString: string, attachments?: Array<string> | undefined | null, embed?: boolean | undefined | null): string
+  /** Verify a document's signature with an optional custom signature field. */
+  verifySignature(documentString: string, signatureField?: string | undefined | null): boolean
+  /** Create an agreement on a document. */
+  createAgreement(documentString: string, agentids: Array<string>, question?: string | undefined | null, context?: string | undefined | null, agreementFieldname?: string | undefined | null): string
+  /** Sign an agreement on a document. */
+  signAgreement(documentString: string, agreementFieldname?: string | undefined | null): string
+  /** Create a new JACS document. */
+  createDocument(documentString: string, customSchema?: string | undefined | null, outputfilename?: string | undefined | null, noSave?: boolean | undefined | null, attachments?: string | undefined | null, embed?: boolean | undefined | null): string
+  /** Check an agreement on a document. */
+  checkAgreement(documentString: string, agreementFieldname?: string | undefined | null): string
+  /**
+   * Verify a document looked up by ID from storage.
+   *
+   * The document_id should be in "uuid:version" format.
+   */
+  verifyDocumentById(documentId: string): boolean
+  /** Re-encrypt the agent's private key with a new password. */
+  reencryptKey(oldPassword: string, newPassword: string): void
+  /** Sign a request payload (wraps in a JACS document). */
+  signRequest(params: any): string
+  /** Verify a response payload. */
+  verifyResponse(documentString: string): object
+  /** Verify a response payload and return the agent ID. */
+  verifyResponseWithAgentId(documentString: string): object
+}