npm - @heyanon-arp/cli - Versions diffs - 0.0.30 → 0.0.31 - Mend

@heyanon-arp/cli 0.0.30 → 0.0.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -741,7 +741,7 @@ var import_commander = require("commander");
 // package.json
 var package_default = {
   name: "@heyanon-arp/cli",
-  version: "0.0.30",
+  version: "0.0.31",
   description: "Command-line client for the Agent Relationship Protocol \u2014 register agents, sign envelopes, run escrowed work cycles on Solana.",
   license: "MIT",
   keywords: ["arp", "agent-relationship-protocol", "did", "solana", "escrow", "ed25519", "agents", "a2a", "cli"],
@@ -1022,7 +1022,7 @@ function requireCredential(commandName, serverUrl) {
 // src/state.ts
 init_paths();
-var STATE_WARNING = "DO NOT COMMIT \u2014 contains private keys (Ed25519 + derived scrypt).";
+var STATE_WARNING = "DO NOT COMMIT \u2014 contains private keys (Ed25519 identity + settlement).";
 function stateFilePath() {
   return (0, import_node_path4.join)(arpHomeDir(), "agents.json");
 }
@@ -1135,9 +1135,6 @@ function toKeyBundle(agent, exportedAt) {
     identitySecretKeyB64: agent.identitySecretKeyB64,
     settlementPublicKeyB58: agent.settlementPublicKeyB58,
     settlementSecretKeyB64: agent.settlementSecretKeyB64,
-    scryptKeyB64: agent.scryptKeyB64,
-    scryptSaltB64: agent.scryptSaltB64,
-    scryptSaltId: agent.scryptSaltId,
     ownerWallet: agent.ownerWallet,
     exportedAt
   };
@@ -1147,16 +1144,7 @@ function validateKeyBundle(raw) {
     throw new Error("recover: key file is not a JSON object");
   }
   const o = raw;
-  const required = [
-    "did",
-    "identityPublicKeyB58",
-    "identitySecretKeyB64",
-    "settlementPublicKeyB58",
-    "settlementSecretKeyB64",
-    "scryptKeyB64",
-    "scryptSaltB64",
-    "scryptSaltId"
-  ];
+  const required = ["did", "identityPublicKeyB58", "identitySecretKeyB64", "settlementPublicKeyB58", "settlementSecretKeyB64"];
   for (const f of required) {
     if (typeof o[f] !== "string" || o[f].length === 0) {
       throw new Error(`recover: key file is missing or has an invalid '${f}' (expected a non-empty string) \u2014 is this a 'heyarp keys export' file?`);
@@ -1171,9 +1159,6 @@ function validateKeyBundle(raw) {
     identitySecretKeyB64: o.identitySecretKeyB64,
     settlementPublicKeyB58: o.settlementPublicKeyB58,
     settlementSecretKeyB64: o.settlementSecretKeyB64,
-    scryptKeyB64: o.scryptKeyB64,
-    scryptSaltB64: o.scryptSaltB64,
-    scryptSaltId: o.scryptSaltId,
     ownerWallet: o.ownerWallet,
     exportedAt: typeof o.exportedAt === "string" ? o.exportedAt : ""
   };
@@ -6939,9 +6924,6 @@ async function runRecover(opts) {
     identitySecretKeyB64: bundle.identitySecretKeyB64,
     settlementPublicKeyB58: bundle.settlementPublicKeyB58,
     settlementSecretKeyB64: bundle.settlementSecretKeyB64,
-    scryptKeyB64: bundle.scryptKeyB64,
-    scryptSaltB64: bundle.scryptSaltB64,
-    scryptSaltId: bundle.scryptSaltId,
     currentAttestationId: row.currentAttestationId,
     name: row.name ?? void 0,
     description: row.description ?? void 0,
@@ -6959,7 +6941,6 @@ async function runRecover(opts) {
 }
 // src/commands/register.ts
-var import_node_crypto4 = require("crypto");
 var import_node_fs9 = require("fs");
 var import_sdk25 = require("@heyanon-arp/sdk");
 var import_chalk28 = __toESM(require("chalk"));
@@ -6971,28 +6952,10 @@ function registerRegisterCommand(root) {
     [
       "Register a new ARP agent. Interactive by default; pass any of the profile flags below to skip the matching prompt.",
       "",
-      "`--password` is REQUIRED \u2014 must be at least 8 characters. In interactive mode (--yes omitted) the CLI prompts for it; with --yes it must be passed explicitly.",
+      "No password \u2014 the agent identity key self-signs the owner key-link; ownership is your `heyarp login` wallet.",
       "`--yes` is the non-interactive switch \u2014 every required field must arrive via flags (no prompts). Use this for scripted setups."
     ].join("\n")
-  ).option("--server <url>", "Override ARP server base URL").option("--from-keys <file>", "Load identity + settlement keys from a JSON file instead of generating").option("--name <s>", "Unique handle \u2014 lowercase a-z0-9_, 3-32 chars, immutable (skips the name prompt)").option("--description <s>", "Description (skips the description prompt)").option("--tag <s>", "Capability tag \u2014 repeatable, e.g. --tag translation --tag fr", accumulate3, []).option(
-    "--password <s>",
-    // `--password` puts the secret in `argv` — visible via
-    // `ps aux` / kernel process table on shared hosts,
-    // recorded by `/proc/<pid>/cmdline`, and almost always
-    // logged by CI runners (e.g. GitHub Actions echoes the
-    // full command). Safer alternatives:
-    // • interactive prompt (default) — never written anywhere
-    // • `HEYARP_PASSWORD` env var (tracked) reads from env so
-    //   the secret stays out of argv even in scripts
-    // Treat `--password <s>` as a one-off local-dev affordance;
-    // do NOT use it in CI pipelines without a secret-redacting
-    // runner.
-    "Owner password \u2014 MUST be at least 8 characters. REQUIRED when --yes is set; otherwise the CLI prompts for it. WARNING: --password puts the secret in process argv (visible in `ps`, /proc/<pid>/cmdline, and CI logs that echo commands). Prefer the interactive prompt unless your CI runner redacts secrets in command echoes. HEYARP_PASSWORD env var support is tracked."
-  ).option(
-    "--yes",
-    "Strict non-interactive: fail if any required field is still missing after merging flags. With --yes, --password must be supplied explicitly (>= 8 chars).",
-    false
-  ).option(
+  ).option("--server <url>", "Override ARP server base URL").option("--from-keys <file>", "Load identity + settlement keys from a JSON file instead of generating").option("--name <s>", "Unique handle \u2014 lowercase a-z0-9_, 3-32 chars, immutable (skips the name prompt)").option("--description <s>", "Description (skips the description prompt)").option("--tag <s>", "Capability tag \u2014 repeatable, e.g. --tag translation --tag fr", accumulate3, []).option("--yes", "Strict non-interactive: fail if any required field (--name) is still missing after merging flags.", false).option(
     "--json",
     // Emit a single JSON object instead of human-friendly
     // success prints. Output shape:
@@ -7029,9 +6992,6 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
   const did = (0, import_sdk25.formatDid)(keys.identityPublicKey);
   if (!opts.json) console.log(import_chalk28.default.dim(`DID will be: ${did}`));
   const answers = await mergeAnswers(opts);
-  const scryptSalt = (0, import_node_crypto4.randomBytes)(16);
-  if (!opts.json) console.log(import_chalk28.default.dim("Deriving scrypt key, this may take a moment..."));
-  const scryptKey = (0, import_sdk25.deriveScryptKey)(answers.password, new Uint8Array(scryptSalt));
   const challenge = await api.issueChallenge("register");
   const challengeBytes = base64UrlNoPadDecode(challenge.challengeB64);
   if (challengeBytes.length !== 32) {
@@ -7045,7 +7005,6 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
     signature: Buffer.from(challengeSig).toString("base64")
   });
   const settlementPublicKeyB58 = (0, import_sdk25.base58btcEncode)(keys.settlementPublicKey);
-  const scryptSaltId = (0, import_sdk25.uuidV4)();
   const payload = {
     purpose: import_sdk25.Purpose.KEY_LINK,
     agent_did: did,
@@ -7056,18 +7015,15 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
     created_at: (0, import_sdk25.rfc3339)(),
     nonce: (0, import_sdk25.senderNonce)()
   };
-  const attestation = (0, import_sdk25.signKeyLinkAttestation)({ payload, scryptKey, scryptSaltId });
+  const attestation = (0, import_sdk25.signKeyLinkAttestation)({ payload, identitySecretKey: keys.identitySecretKey });
   const body = {
     challengeId: challenge.challengeId,
     identityPublicKey: identityPublicKeyB58,
     settlementPublicKey: settlementPublicKeyB58,
     ownerAttestation: {
       payload: attestation.payload,
-      sig: attestation.sig,
-      scrypt_salt_id: attestation.scrypt_salt_id
+      sig: attestation.sig
     },
-    scryptKeyB64: Buffer.from(scryptKey).toString("base64"),
-    scryptSaltB64: Buffer.from(scryptSalt).toString("base64"),
     name: answers.name,
     description: answers.description ? answers.description : void 0,
     tags: answers.tags.length > 0 ? answers.tags : void 0
@@ -7078,9 +7034,6 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
     identitySecretKeyB64: Buffer.from(keys.identitySecretKey).toString("base64"),
     settlementPublicKeyB58,
     settlementSecretKeyB64: Buffer.from(keys.settlementSecretKey).toString("base64"),
-    scryptKeyB64: Buffer.from(scryptKey).toString("base64"),
-    scryptSaltB64: Buffer.from(scryptSalt).toString("base64"),
-    scryptSaltId,
     // Placeholder until the server confirms registration and returns
     // the canonical attestation id (finalized in Step 8 below).
     currentAttestationId: "",
@@ -7159,32 +7112,15 @@ Local state saved to ${arpHomeDir()}/agents.json (mode 0600).`));
   }
 }
 async function mergeAnswers(opts) {
-  const need = opts.yes ? { password: false, name: false, description: false, tagsCsv: false } : {
-    password: opts.password === void 0,
+  const need = opts.yes ? { name: false, description: false, tagsCsv: false } : {
     name: opts.name === void 0,
     description: opts.description === void 0,
     tagsCsv: opts.tag === void 0 || opts.tag.length === 0
   };
-  if (opts.yes) {
-    const missing = [];
-    if (opts.password === void 0) missing.push("--password");
-    if (opts.name === void 0) missing.push("--name");
-    if (missing.length > 0) {
-      throw new Error(`register --yes: missing required flag${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`);
-    }
-  }
-  if (opts.password !== void 0 && opts.password.length < 8) {
-    throw new Error("register --password: password must be at least 8 characters");
+  if (opts.yes && opts.name === void 0) {
+    throw new Error("register --yes: missing required flag: --name");
   }
   const promptDefs = [];
-  if (need.password) {
-    promptDefs.push({
-      type: "password",
-      name: "password",
-      message: "Owner password (used to derive the scrypt key)",
-      validate: (v) => v.length >= 8 ? true : "must be at least 8 characters"
-    });
-  }
   if (need.name) {
     promptDefs.push({
       type: "text",
@@ -7218,7 +7154,6 @@ async function mergeAnswers(opts) {
   const tags = (opts.tag && opts.tag.length > 0 ? opts.tag : parseTagsCsv(typeof prompted.tagsCsv === "string" ? prompted.tagsCsv : "")).map((t) => t.trim().toLowerCase()).filter((t) => t.length > 0);
   const name = normalizeAndValidateName(opts.name ?? prompted.name);
   return {
-    password: opts.password ?? prompted.password,
     name,
     description: opts.description ?? prompted.description ?? "",
     tags