@haiai/haiai 0.1.2 → 0.1.4

package/README.md

@@ -5,7 +5,7 @@ Give your AI agent an email address. Node.js/TypeScript SDK for the [HAI.AI](htt
 ## Install
 
 ```bash
-npm install @haiai/haiai @hai.ai/jacs
+npm install @haiai/haiai
 ```
 
 ### CLI and MCP Server

package/dist/cjs/client.js

@@ -35,6 +35,8 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.HaiClient = void 0;
 const errors_js_1 = require("./errors.js");
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
 const signing_js_1 = require("./signing.js");
 const config_js_1 = require("./config.js");
 const jacs_1 = require("@hai.ai/jacs");
@@ -55,6 +57,75 @@ function normalizeKeyText(raw, blockType) {
     }
     return armorKeyData(raw, blockType);
 }
+const credentialWorkspaceDirs = new Set();
+let credentialWorkspaceCleanupRegistered = false;
+function registerCredentialWorkspace(dir) {
+    credentialWorkspaceDirs.add(dir);
+    if (credentialWorkspaceCleanupRegistered) {
+        return;
+    }
+    credentialWorkspaceCleanupRegistered = true;
+    process.once('exit', () => {
+        for (const workspaceDir of credentialWorkspaceDirs) {
+            try {
+                (0, node_fs_1.rmSync)(workspaceDir, { recursive: true, force: true });
+            }
+            catch {
+                // Best-effort temp workspace cleanup.
+            }
+        }
+        credentialWorkspaceDirs.clear();
+    });
+}
+function createCredentialSigner(privateKeyPem, privateKeyPassphrase) {
+    const privateKey = privateKeyPassphrase
+        ? (0, node_crypto_1.createPrivateKey)({ key: privateKeyPem, format: 'pem', passphrase: privateKeyPassphrase })
+        : (0, node_crypto_1.createPrivateKey)({ key: privateKeyPem, format: 'pem' });
+    const keyType = privateKey.asymmetricKeyType;
+    if (keyType !== 'ed25519' && keyType !== 'rsa' && keyType !== 'rsa-pss') {
+        throw new errors_js_1.AuthenticationError(`fromCredentials does not support ${keyType ?? 'this'} private key type in this runtime. ` +
+            'Use a config-backed client for other JACS key types.');
+    }
+    const publicKeyPem = (0, node_crypto_1.createPublicKey)(privateKey)
+        .export({ format: 'pem', type: 'spki' })
+        .toString()
+        .trim();
+    return {
+        algorithm: keyType === 'ed25519' ? 'ring-Ed25519' : 'RSA-PSS',
+        privateKeyPem: privateKeyPem.trim(),
+        publicKeyPem,
+        signStringSync(message) {
+            const data = Buffer.from(message, 'utf-8');
+            const signature = keyType === 'ed25519'
+                ? (0, node_crypto_1.sign)(null, data, privateKey)
+                : (0, node_crypto_1.sign)('sha256', data, {
+                    key: privateKey,
+                    padding: node_crypto_1.constants.RSA_PKCS1_PSS_PADDING,
+                    saltLength: node_crypto_1.constants.RSA_PSS_SALTLEN_DIGEST,
+                });
+            return signature.toString('base64');
+        },
+    };
+}
+async function withPrivateKeyPassphrase(passphrase, run) {
+    const envKey = 'JACS_PRIVATE_KEY_PASSWORD';
+    const hadOriginal = Object.prototype.hasOwnProperty.call(process.env, envKey);
+    const original = process.env[envKey];
+    if (passphrase) {
+        process.env[envKey] = passphrase;
+    }
+    try {
+        return await run();
+    }
+    finally {
+        if (hadOriginal) {
+            process.env[envKey] = original;
+        }
+        else {
+            delete process.env[envKey];
+        }
+    }
+}
 /**
  * HAI platform client.
  *
@@ -70,8 +141,11 @@ function normalizeKeyText(raw, blockType) {
  */
 class HaiClient {
     config;
+    configPath = null;
     /** JACS native agent for all cryptographic operations. */
     agent;
+    /** Explicit credential signer used when the runtime cannot import a PEM into JACS directly. */
+    credentialSigner = null;
     baseUrl;
     timeout;
     maxRetries;
@@ -111,33 +185,64 @@ class HaiClient {
         const resolvedConfigPath = resolve(configPath);
         client.agent = new jacs_1.JacsAgent();
         await client.agent.load(resolvedConfigPath);
+        client.configPath = resolvedConfigPath;
         return client;
     }
     /**
      * Create a HaiClient directly from a JACS ID and PEM-encoded private key.
      * Useful for testing or programmatic setup without config files.
      *
-     * Creates a temporary JACS agent backed by on-disk key files so that
-     * all cryptographic operations delegate to JACS core.
+     * Creates a temporary JACS-shaped workspace for compatibility with
+     * config-based flows. When this runtime cannot import PEM material into
+     * JACS directly, signing uses the supplied credentials and verification
+     * still delegates to JACS.
      */
     static async fromCredentials(jacsId, privateKeyPem, options) {
         const client = new HaiClient(options);
-        // Store the caller's private key PEM for exportKeys/rotateKeys compatibility
-        client._privateKeyPem = privateKeyPem;
-        client.privateKeyPem = privateKeyPem;
+        const signer = createCredentialSigner(privateKeyPem, options?.privateKeyPassphrase);
+        // Store the caller's PEM material for exportKeys/rotateKeys compatibility.
+        client._privateKeyPem = signer.privateKeyPem;
+        client.privateKeyPem = signer.privateKeyPem;
+        client._publicKeyPem = signer.publicKeyPem;
         client._privateKeyPassphrase = options?.privateKeyPassphrase;
-        // Create an ephemeral JACS agent (in-memory keys, no disk I/O required).
-        // The ephemeral agent generates its own key pair — this is appropriate
-        // because fromCredentials is typically followed by register() which sends
-        // the new public key to the server.
-        client.agent = new jacs_1.JacsAgent();
-        const ephResult = JSON.parse(client.agent.ephemeralSync('pq2025'));
-        client.config = {
+        client.credentialSigner = signer;
+        // Materialize a minimal JACS-shaped workspace so file-based flows (for
+        // example rotateKeys) have a stable key directory, even though this
+        // runtime still lacks a direct "load PEM credentials into JacsAgent"
+        // bootstrap path.
+        const { mkdir, mkdtemp, writeFile } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
+        const { join } = await Promise.resolve().then(() => __importStar(require('node:path')));
+        const { tmpdir } = await Promise.resolve().then(() => __importStar(require('node:os')));
+        const tempDir = await mkdtemp(join(tmpdir(), 'haiai-creds-'));
+        registerCredentialWorkspace(tempDir);
+        const keyDir = join(tempDir, 'keys');
+        const dataDir = join(tempDir, 'data');
+        await mkdir(keyDir, { recursive: true });
+        await mkdir(dataDir, { recursive: true });
+        await writeFile(join(keyDir, 'agent_private_key.pem'), `${signer.privateKeyPem}\n`, { mode: 0o600 });
+        await writeFile(join(keyDir, 'agent_public_key.pem'), `${signer.publicKeyPem}\n`, { mode: 0o644 });
+        const configPath = join(tempDir, 'jacs.config.json');
+        const configJson = {
             jacsAgentName: jacsId,
-            jacsAgentVersion: ephResult.version || '1.0.0',
-            jacsKeyDir: '',
+            jacsAgentVersion: '1.0.0',
+            jacsKeyDir: './keys',
+            jacsPrivateKeyPath: './keys/agent_private_key.pem',
             jacsId,
+            jacs_data_directory: './data',
+            jacs_key_directory: './keys',
+            jacs_agent_private_key_filename: 'agent_private_key.pem',
+            jacs_agent_public_key_filename: 'agent_public_key.pem',
+            jacs_agent_key_algorithm: signer.algorithm,
+            jacs_default_storage: 'fs',
         };
+        await writeFile(configPath, JSON.stringify(configJson, null, 2) + '\n');
+        client.config = await (0, config_js_1.loadConfig)(configPath);
+        client.configPath = configPath;
+        // Keep a lightweight JACS agent around for canonicalization and explicit
+        // verifyStringSync checks. Signing is handled by the credentialSigner above
+        // so fromCredentials actually uses the caller's key material.
+        client.agent = new jacs_1.JacsAgent();
+        client.agent.ephemeralSync(signer.algorithm);
         return client;
     }
     /** The agent's JACS ID. */
@@ -186,6 +291,9 @@ class HaiClient {
     clearAgentKeyCache() {
         this.keyCache.clear();
     }
+    activeSigner() {
+        return this.credentialSigner ?? this.agent;
+    }
     // ---------------------------------------------------------------------------
     // Auth helpers
     // ---------------------------------------------------------------------------
@@ -201,10 +309,16 @@ class HaiClient {
     }
     /** Sign a UTF-8 message with the agent's private key via JACS. Returns base64. */
     signMessage(message) {
-        return this.agent.signStringSync(message);
+        return this.activeSigner().signStringSync(message);
     }
     /** Build the JACS Authorization header value string. */
     buildAuthHeader() {
+        if (this.credentialSigner) {
+            const timestamp = Math.floor(Date.now() / 1000).toString();
+            const message = `${this.jacsId}:${timestamp}`;
+            const signature = this.credentialSigner.signStringSync(message);
+            return `JACS ${this.jacsId}:${timestamp}:${signature}`;
+        }
         // Prefer JACS binding delegation
         if ('buildAuthHeaderSync' in this.agent && typeof this.agent.buildAuthHeaderSync === 'function') {
             return this.agent.buildAuthHeaderSync();
@@ -336,7 +450,7 @@ class HaiClient {
             }
             // Sign canonical JSON via JACS
             const canonical = (0, signing_js_1.canonicalJson)(agentDoc);
-            const signature = this.agent.signStringSync(canonical);
+            const signature = this.activeSigner().signStringSync(canonical);
             agentDoc.jacsSignature.signature = signature;
             agentJson = JSON.stringify(agentDoc);
         }
@@ -408,7 +522,7 @@ class HaiClient {
         // Build old-key auth header BEFORE rotation (chain of trust)
         const oldAuthTimestamp = Math.floor(Date.now() / 1000).toString();
         const oldAuthMessage = `${jacsId}:${oldVersion}:${oldAuthTimestamp}`;
-        const oldAuthSig = this.agent.signStringSync(oldAuthMessage);
+        const oldAuthSig = this.activeSigner().signStringSync(oldAuthMessage);
         const oldAgent = this.agent;
         // Find existing private key file
         const candidates = [
@@ -452,18 +566,29 @@ class HaiClient {
         const newVersion = randomUUID();
         const generatedKeyDir = await mkdtemp(join(tmpdir(), 'haiai-rotate-'));
         let newPublicKeyPem;
+        let generatedSignerAgent = null;
         try {
             const resultJson = (0, jacs_1.createAgentSync)(this.config.jacsAgentName, passphrase, 'pq2025', null, // data dir
-            generatedKeyDir, null, // config path (don't overwrite main config)
-            null, // agent type
+            generatedKeyDir, join(generatedKeyDir, 'jacs.config.json'), null, // agent type
             this.config.description
                 ?? 'Agent registered via Node SDK', null, // domain
             null);
             const result = JSON.parse(resultJson);
+            const generatedConfigPath = result.config_path;
             const newPubKeyPath = result.public_key_path || join(keyDir, 'jacs.public.pem');
             const newPrivKeyPath = result.private_key_path || join(keyDir, 'jacs.private.pem.enc');
             const newPublicKeyRaw = await readF(newPubKeyPath);
             newPublicKeyPem = normalizeKeyText(newPublicKeyRaw, 'PUBLIC KEY');
+            if (generatedConfigPath) {
+                const nextAgent = new jacs_1.JacsAgent();
+                try {
+                    await withPrivateKeyPassphrase(passphrase || undefined, () => nextAgent.load(generatedConfigPath));
+                    generatedSignerAgent = nextAgent;
+                }
+                catch {
+                    generatedSignerAgent = null;
+                }
+            }
             if (newPrivKeyPath !== privKeyPath) {
                 await copyFile(newPrivKeyPath, privKeyPath);
             }
@@ -473,8 +598,9 @@ class HaiClient {
             else {
                 await writeFile(pubKeyPath, `${newPublicKeyPem}\n`);
             }
-            this._privateKeyPem = (await readF(privKeyPath)).toString('base64');
+            this._privateKeyPem = (await readF(privKeyPath, 'utf-8')).trim();
             this.privateKeyPem = this._privateKeyPem;
+            this._publicKeyPem = newPublicKeyPem.trim();
         }
         catch (err) {
             // Rollback: restore archived keys
@@ -504,19 +630,42 @@ class HaiClient {
             },
         };
         // Reload the agent with new keys for signing
-        const configPath = resolve(process.env.JACS_CONFIG_PATH ?? './jacs.config.json');
+        const configPath = resolve(process.env.JACS_CONFIG_PATH ?? this.configPath ?? './jacs.config.json');
         const reloadedAgent = new jacs_1.JacsAgent();
+        let reloadedWithNewKeys = false;
         try {
-            await reloadedAgent.load(configPath);
+            await withPrivateKeyPassphrase(passphrase || undefined, () => reloadedAgent.load(configPath));
             this.agent = reloadedAgent;
+            reloadedWithNewKeys = true;
         }
         catch {
-            // Fall back to the currently loaded in-memory agent when the freshly
-            // generated on-disk config cannot be reloaded in this process.
-            this.agent = oldAgent;
+            if (generatedSignerAgent) {
+                this.agent = generatedSignerAgent;
+                reloadedWithNewKeys = true;
+            }
+            else {
+                // Fall back to the currently loaded in-memory agent when we cannot
+                // hydrate the new key material in this process.
+                this.agent = oldAgent;
+            }
+        }
+        let rotatedSigner = this.agent;
+        if (this.credentialSigner) {
+            try {
+                this.credentialSigner = createCredentialSigner(this._privateKeyPem, passphrase || undefined);
+                rotatedSigner = this.credentialSigner;
+            }
+            catch {
+                // Some runtimes can generate post-quantum keys before they can
+                // re-import them through the local PEM compatibility path. In that
+                // case we keep the best available in-memory signer and preserve the
+                // local rotation result rather than failing the entire operation.
+                this.credentialSigner = null;
+                rotatedSigner = this.agent;
+            }
         }
         const canonical = (0, signing_js_1.canonicalJson)(agentDoc);
-        const signature = this.agent.signStringSync(canonical);
+        const signature = rotatedSigner.signStringSync(canonical);
         agentDoc.jacsSignature.signature = signature;
         const signedAgentJson = JSON.stringify(agentDoc, null, 2);
         // 4. Compute new public key hash via JACS
@@ -755,7 +904,7 @@ class HaiClient {
             },
         };
         // Sign the response as a JACS document via JACS
-        const signed = (0, signing_js_1.signResponse)(body, this.agent, this.jacsId);
+        const signed = (0, signing_js_1.signResponse)(body, this.activeSigner(), this.jacsId, this.agent);
         const response = await this.fetchWithRetry(url, {
             method: 'POST',
             headers: this.buildAuthHeaders(),
@@ -1012,7 +1161,7 @@ class HaiClient {
      * @returns Registration result
      */
     async registerNewAgent(agentName, options) {
-        const { mkdtemp, readFile: readF } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
+        const { mkdtemp, readFile: readF, rm } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
         const { join } = await Promise.resolve().then(() => __importStar(require('node:path')));
         const { tmpdir } = await Promise.resolve().then(() => __importStar(require('node:os')));
         // Generate a new JACS agent with keys via JACS core
@@ -1020,88 +1169,93 @@ class HaiClient {
         const keyDir = join(tempDir, 'keys');
         const dataDir = join(tempDir, 'data');
         const passphrase = process.env.JACS_PRIVATE_KEY_PASSWORD ?? 'register-temp';
-        const resultJson = (0, jacs_1.createAgentSync)(agentName, passphrase, 'pq2025', dataDir, keyDir, join(tempDir, 'jacs.config.json'), null, options.description ?? 'Agent registered via Node SDK', options.domain ?? null, null);
-        const createResult = JSON.parse(resultJson);
-        const pubKeyPath = createResult.public_key_path || join(keyDir, 'jacs.public.pem');
-        const publicKeyPem = normalizeKeyText(await readF(pubKeyPath), 'PUBLIC KEY');
-        // Load the new agent for signing
-        const tempAgent = new jacs_1.JacsAgent();
-        const tempConfigPath = createResult.config_path || join(tempDir, 'jacs.config.json');
-        const { resolve } = await Promise.resolve().then(() => __importStar(require('node:path')));
-        let signingAgent = tempAgent;
         try {
-            await tempAgent.load(resolve(tempConfigPath));
-        }
-        catch {
-            tempAgent.ephemeralSync('pq2025');
-            signingAgent = tempAgent;
-        }
-        // Build minimal JACS agent document
-        const agentDoc = {
-            jacsId: agentName,
-            jacsVersion: '1.0.0',
-            jacsSignature: {
-                agentID: agentName,
-                date: new Date().toISOString(),
-            },
-            jacsPublicKey: publicKeyPem,
-            name: agentName,
-            description: options.description ?? 'Agent registered via Node SDK',
-            capabilities: ['mediation'],
-            version: '1.0.0',
-        };
-        // Sign canonical JSON via JACS
-        const canonical = (0, signing_js_1.canonicalJson)(agentDoc);
-        const signature = signingAgent.signStringSync(canonical);
-        agentDoc.jacsSignature.signature = signature;
-        const url = this.makeUrl('/api/v1/agents/register');
-        const publicKeyB64 = Buffer.from(publicKeyPem, 'utf-8').toString('base64');
-        const body = {
-            agent_json: JSON.stringify(agentDoc),
-            public_key: publicKeyB64,
-            owner_email: options.ownerEmail,
-        };
-        if (options.domain) {
-            body.domain = options.domain;
-        }
-        if (options.description) {
-            body.description = options.description;
-        }
-        const response = await this.fetchWithRetry(url, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify(body),
-        });
-        const data = await response.json();
-        if (!options.quiet) {
-            console.log(`\nAgent created and submitted for registration!`);
-            console.log(`  -> Check your email (${options.ownerEmail}) for a verification link`);
-            console.log(`  -> Click the link and log into hai.ai to complete registration`);
-            console.log(`  -> After verification, claim a @hai.ai username with:`);
-            console.log(`     client.claimUsername('${data.agent_id || ''}', 'my-agent')`);
-            console.log(`  -> Save your config and private key to a secure, access-controlled location`);
+            const resultJson = (0, jacs_1.createAgentSync)(agentName, passphrase, 'pq2025', dataDir, keyDir, join(tempDir, 'jacs.config.json'), null, options.description ?? 'Agent registered via Node SDK', options.domain ?? null, null);
+            const createResult = JSON.parse(resultJson);
+            const pubKeyPath = createResult.public_key_path || join(keyDir, 'jacs.public.pem');
+            const publicKeyPem = normalizeKeyText(await readF(pubKeyPath), 'PUBLIC KEY');
+            // Load the new agent for signing
+            const tempAgent = new jacs_1.JacsAgent();
+            const tempConfigPath = createResult.config_path || join(tempDir, 'jacs.config.json');
+            const { resolve } = await Promise.resolve().then(() => __importStar(require('node:path')));
+            let signingAgent = tempAgent;
+            try {
+                await withPrivateKeyPassphrase(passphrase || undefined, () => tempAgent.load(resolve(tempConfigPath)));
+            }
+            catch {
+                tempAgent.ephemeralSync('pq2025');
+                signingAgent = tempAgent;
+            }
+            // Build minimal JACS agent document
+            const agentDoc = {
+                jacsId: agentName,
+                jacsVersion: '1.0.0',
+                jacsSignature: {
+                    agentID: agentName,
+                    date: new Date().toISOString(),
+                },
+                jacsPublicKey: publicKeyPem,
+                name: agentName,
+                description: options.description ?? 'Agent registered via Node SDK',
+                capabilities: ['mediation'],
+                version: '1.0.0',
+            };
+            // Sign canonical JSON via JACS
+            const canonical = (0, signing_js_1.canonicalJson)(agentDoc);
+            const signature = signingAgent.signStringSync(canonical);
+            agentDoc.jacsSignature.signature = signature;
+            const url = this.makeUrl('/api/v1/agents/register');
+            const publicKeyB64 = Buffer.from(publicKeyPem, 'utf-8').toString('base64');
+            const body = {
+                agent_json: JSON.stringify(agentDoc),
+                public_key: publicKeyB64,
+                owner_email: options.ownerEmail,
+            };
             if (options.domain) {
-                const pubKeyHash = (0, jacs_1.hashString)(publicKeyPem);
-                console.log(`\n--- DNS Setup Instructions ---`);
-                console.log(`Add this TXT record to your domain '${options.domain}':`);
-                console.log(`  Name:  _jacs.${options.domain}`);
-                console.log(`  Type:  TXT`);
-                console.log(`  Value: sha256:${pubKeyHash}`);
-                console.log(`DNS verification enables the pro tier.\n`);
+                body.domain = options.domain;
             }
-            else {
-                console.log();
+            if (options.description) {
+                body.description = options.description;
+            }
+            const response = await this.fetchWithRetry(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(body),
+            });
+            const data = await response.json();
+            if (!options.quiet) {
+                console.log(`\nAgent created and submitted for registration!`);
+                console.log(`  -> Check your email (${options.ownerEmail}) for a verification link`);
+                console.log(`  -> Click the link and log into hai.ai to complete registration`);
+                console.log(`  -> After verification, claim a @hai.ai username with:`);
+                console.log(`     client.claimUsername('${data.agent_id || ''}', 'my-agent')`);
+                console.log(`  -> Save your config and private key to a secure, access-controlled location`);
+                if (options.domain) {
+                    const pubKeyHash = (0, jacs_1.hashString)(publicKeyPem);
+                    console.log(`\n--- DNS Setup Instructions ---`);
+                    console.log(`Add this TXT record to your domain '${options.domain}':`);
+                    console.log(`  Name:  _jacs.${options.domain}`);
+                    console.log(`  Type:  TXT`);
+                    console.log(`  Value: sha256:${pubKeyHash}`);
+                    console.log(`DNS verification enables the pro tier.\n`);
+                }
+                else {
+                    console.log();
+                }
             }
+            return {
+                success: true,
+                agentId: data.agent_id || data.agentId || '',
+                jacsId: data.jacs_id || data.jacsId || agentDoc.jacsId || '',
+                haiSignature: data.hai_signature || data.haiSignature || '',
+                registrationId: data.registration_id || data.registrationId || '',
+                registeredAt: data.registered_at || data.registeredAt || '',
+                rawResponse: data,
+            };
+        }
+        finally {
+            await rm(tempDir, { recursive: true, force: true }).catch(() => { });
         }
-        return {
-            success: true,
-            agentId: data.agent_id || data.agentId || '',
-            jacsId: data.jacs_id || data.jacsId || agentDoc.jacsId || '',
-            haiSignature: data.hai_signature || data.haiSignature || '',
-            registrationId: data.registration_id || data.registrationId || '',
-            registeredAt: data.registered_at || data.registeredAt || '',
-            rawResponse: data,
-        };
     }
     // ---------------------------------------------------------------------------
     // testConnection()
@@ -1431,7 +1585,7 @@ class HaiClient {
      * @returns Signed JACS document envelope
      */
     signBenchmarkResult(benchmarkResult) {
-        return (0, signing_js_1.signResponse)(benchmarkResult, this.agent, this.jacsId);
+        return (0, signing_js_1.signResponse)(benchmarkResult, this.activeSigner(), this.jacsId, this.agent);
     }
     // ---------------------------------------------------------------------------
     // benchmark() -- legacy suite-based