@motebit/verify 0.7.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +198 -18
- package/NOTICE +19 -0
- package/README.md +88 -69
- package/dist/adapters.d.ts +92 -0
- package/dist/adapters.d.ts.map +1 -0
- package/dist/adapters.js +52 -0
- package/dist/adapters.js.map +1 -0
- package/dist/cli.d.ts +43 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +261 -0
- package/dist/cli.js.map +1 -0
- package/dist/index.d.ts +20 -228
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +28 -1513
- package/dist/index.js.map +1 -1
- package/package.json +35 -16
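--- /dev/null
+++ b/package/dist/cli.js
@@ -0,0 +1,261 @@
+#!/usr/bin/env node
+/**
+ * `motebit-verify` CLI — the canonical motebit artifact verifier.
+ *
+ * Verifies identity files, execution receipts, credentials, and
+ * presentations against their embedded signatures. When a credential
+ * carries a `hardware_attestation` claim for `device_check` / `tpm` /
+ * `play_integrity` / `webauthn`, the bundled platform adapters verify
+ * the chain, nonce, bundle, and identity binding end-to-end.
+ *
+ * ```
+ * motebit-verify <file> # auto-detect, print human
+ * motebit-verify <file> --json # structured output
+ * motebit-verify <file> --expect credential
+ * motebit-verify <file> --clock-skew 30
+ *
+ * # Platform-specific overrides (all optional; defaults match
+ * # motebit's canonical identifiers).
+ * motebit-verify <file> \
+ * --bundle-id com.example.app \
+ * --android-package com.example.app \
+ * --rp-id example.com
+ * ```
+ *
+ * Exit codes:
+ * 0 artifact verified (including any hardware-attestation channel)
+ * 1 artifact detected but signature / hardware-channel invalid
+ * 2 usage / I/O error
+ *
+ * Network-free by design. Every adapter pins its own trust anchor
+ * (Apple App Attest Root CA, FIDO roots, TPM vendor roots); Play
+ * Integrity's JWKS is fail-closed by default until an operator lands
+ * real bytes (see `@motebit/crypto-play-integrity`'s CLAUDE.md).
+ *
+ * Three-package lineage — mirrors how tools like `git` / `libgit2` or
+ * `cargo` / `tokio` separate the verb-tool from the library layer:
+ *
+ * @motebit/verify — this CLI (Apache-2.0, bundles all 4 adapters)
+ * @motebit/verifier — Apache-2.0 library (file I/O, human formatting)
+ * @motebit/crypto — Apache-2.0 primitives (verify, sign, suite dispatch)
+ */
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { formatHuman, verifyFile } from "@motebit/verifier";
+import { buildHardwareVerifiers } from "./adapters.js";
+const EXPECT_VALUES = [
+    "identity",
+    "receipt",
+    "credential",
+    "presentation",
+];
+function parseArgs(argv) {
+    let file;
+    let json = false;
+    let expectedType;
+    let clockSkewSeconds;
+    let bundleId;
+    let androidPackage;
+    let rpId;
+    let help = false;
+    let version = false;
+    let i = 0;
+    while (i < argv.length) {
+        const arg = argv[i];
+        switch (arg) {
+            case "-h":
+            case "--help":
+                help = true;
+                i++;
+                break;
+            case "-V":
+            case "--version":
+                version = true;
+                i++;
+                break;
+            case "--json":
+                json = true;
+                i++;
+                break;
+            case "--expect":
+            case "--expected-type": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage(`${arg} requires a value`);
+                if (!EXPECT_VALUES.includes(value)) {
+                    return usage(`unknown --expect value "${value}" (valid: ${EXPECT_VALUES.join(", ")})`);
+                }
+                expectedType = value;
+                i += 2;
+                break;
+            }
+            case "--clock-skew": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--clock-skew requires an integer seconds value");
+                const n = Number.parseInt(value, 10);
+                if (!Number.isFinite(n) || n < 0) {
+                    return usage(`--clock-skew must be a non-negative integer (got "${value}")`);
+                }
+                clockSkewSeconds = n;
+                i += 2;
+                break;
+            }
+            case "--bundle-id": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--bundle-id requires a value");
+                bundleId = value;
+                i += 2;
+                break;
+            }
+            case "--android-package": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--android-package requires a value");
+                androidPackage = value;
+                i += 2;
+                break;
+            }
+            case "--rp-id": {
+                const value = argv[i + 1];
+                if (value === undefined)
+                    return usage("--rp-id requires a value");
+                rpId = value;
+                i += 2;
+                break;
+            }
+            default:
+                if (arg.startsWith("-"))
+                    return usage(`unknown flag: ${arg}`);
+                if (file !== undefined) {
+                    return usage(`expected exactly one file argument, got a second: "${arg}" (after "${file}")`);
+                }
+                file = arg;
+                i++;
+                break;
+        }
+    }
+    if (help)
+        return { mode: "help", json };
+    if (version)
+        return { mode: "version", json };
+    if (file === undefined)
+        return usage("missing file argument");
+    return {
+        mode: "verify",
+        file,
+        json,
+        ...(expectedType !== undefined && { expectedType }),
+        ...(clockSkewSeconds !== undefined && { clockSkewSeconds }),
+        ...(bundleId !== undefined && { bundleId }),
+        ...(androidPackage !== undefined && { androidPackage }),
+        ...(rpId !== undefined && { rpId }),
+    };
+}
+function usage(message) {
+    return { mode: "help", json: false, usageError: message };
+}
+function renderHelp() {
+    return [
+        "motebit-verify — hardware-attestation-aware verifier for Motebit credentials",
+        "",
+        "USAGE",
+        " motebit-verify <file> [options]",
+        "",
+        "OPTIONS",
+        " --json Print structured JSON instead of human-readable.",
+        " --expect <type> Require the artifact to be of the named type.",
+        " --clock-skew <seconds> Allow N seconds of clock skew.",
+        " --bundle-id <id> Override the expected iOS bundle ID for App Attest",
+        " (default: com.motebit.mobile).",
+        " --android-package <name> Override the expected Android package name for",
+        " Play Integrity (default: com.motebit.mobile).",
+        " --rp-id <id> Override the expected WebAuthn Relying Party ID",
+        " (default: motebit.com).",
+        " -h, --help Show this help.",
+        " -V, --version Print version.",
+        "",
+        "EXIT CODES",
+        " 0 Artifact verified (including hardware-attestation channel).",
+        " 1 Artifact invalid (signature, expiry, hardware-channel chain / nonce / bundle).",
+        " 2 Usage or I/O error.",
+        "",
+        "PLATFORMS WIRED",
+        " device_check Apple App Attest (pinned Apple root)",
+        " tpm TPM 2.0 (pinned Infineon / Nuvoton / STMicro / Intel PTT roots)",
+        " play_integrity Google Play Integrity (fail-closed; operator pins real JWKS)",
+        " webauthn WebAuthn packed attestation (pinned Apple / Yubico / Microsoft)",
+    ].join("\n");
+}
+let cachedVersion;
+function getPackageVersion() {
+    if (cachedVersion !== undefined)
+        return cachedVersion;
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        const pkgPath = join(here, "..", "package.json");
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+        cachedVersion = pkg.version ?? "0.0.0";
+    }
+    catch {
+        cachedVersion = "0.0.0";
+    }
+    return cachedVersion;
+}
+async function main() {
+    const args = parseArgs(process.argv.slice(2));
+    if (args.mode === "version") {
+        process.stdout.write(`${getPackageVersion()}\n`);
+        return 0;
+    }
+    if (args.mode === "help") {
+        const help = renderHelp();
+        if (args.usageError !== undefined) {
+            process.stderr.write(`motebit-verify: ${args.usageError}\n\n${help}\n`);
+            return 2;
+        }
+        process.stdout.write(`${help}\n`);
+        return 0;
+    }
+    if (args.file === undefined) {
+        process.stderr.write(`motebit-verify: missing file argument\n\n${renderHelp()}\n`);
+        return 2;
+    }
+    const hardwareAttestation = buildHardwareVerifiers({
+        ...(args.bundleId !== undefined && { appAttestBundleId: args.bundleId }),
+        ...(args.androidPackage !== undefined && { playIntegrityPackageName: args.androidPackage }),
+        ...(args.rpId !== undefined && { webauthnRpId: args.rpId }),
+    });
+    let result;
+    try {
+        result = await verifyFile(args.file, {
+            ...(args.expectedType !== undefined && { expectedType: args.expectedType }),
+            ...(args.clockSkewSeconds !== undefined && { clockSkewSeconds: args.clockSkewSeconds }),
+            hardwareAttestation,
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`motebit-verify: cannot read ${args.file}: ${msg}\n`);
+        return 2;
+    }
+    if (args.json) {
+        process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
+    }
+    else {
+        process.stdout.write(`${formatHuman(result)}\n`);
+    }
+    return result.valid ? 0 : 1;
+}
+main()
+    .then((code) => {
+        process.exit(code);
+    })
+    .catch((err) => {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`motebit-verify: ${msg}\n`);
+        process.exit(2);
+    });
+//# sourceMappingURL=cli.js.map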
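Review bot: The `catch (err)` around `verifyFile` in `main` (compiled lines 239–243) labels every exception as `cannot read <file>` and exits 2, yet the same call also runs the hardware adapters handed in via `hardwareAttestation`, so an adapter that throws instead of returning `valid: false` would surface as an I/O error to a script that gates on the documented exit codes; whether the adapters can throw is not visible in this diff. I'd keep the wording honest, e.g. `process.stderr.write(\`motebit-verify: ${msg}\n\`)`, or read the file in its own try block and reserve `cannot read` for that step. `--clock-skew` (lines 97–100) is parsed with `Number.parseInt`, which accepts `30s` as 30, so a guard such as `if (!/^\d+$/.test(value))` before the parse would reject malformed values rather than silently truncating them. Lastly, `.then((code) => { process.exit(code); })` can cut off buffered stdout when it is a pipe on platforms where pipe writes are asynchronous; assigning `process.exitCode = code` and letting the event loop drain avoids truncated `--json` output.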
package/dist/cli.js.map
ADDED
@@ -0,0 +1 @@
1
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,aAAa,GAA4B;IAC7C,UAAU;IACV,SAAS;IACT,YAAY;IACZ,cAAc;CACf,CAAC;AAcF,SAAS,SAAS,CAAC,IAAuB;IACxC,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,YAAsC,CAAC;IAC3C,IAAI,gBAAoC,CAAC;IACzC,IAAI,QAA4B,CAAC;IACjC,IAAI,cAAkC,CAAC;IACvC,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,IAAI,CAAC;YACV,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,IAAI,CAAC;YACV,KAAK,WAAW;gBACd,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,GAAG,GAAG,mBAAmB,CAAC,CAAC;gBACjE,IAAI,CAAE,aAAmC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1D,OAAO,KAAK,CAAC,2BAA2B,KAAK,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACzF,CAAC;gBACD,YAAY,GAAG,KAAqB,CAAC;gBACrC,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,cAAc,CAAC,CAAC,CAAC;gBACpB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,gDAAgD,CAAC,CAAC;gBACxF,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,OAAO,KAAK,CAAC,qDAAqD,KAAK,IAAI,CAAC,CAAC;gBAC/E,CAAC;gBACD,gBAAgB,GAAG,CAAC,CAAC;gBACrB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,MAAM,KAAK,
GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACtE,QAAQ,GAAG,KAAK,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,mBAAmB,CAAC,CAAC,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBAC5E,cAAc,GAAG,KAAK,CAAC;gBACvB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAClE,IAAI,GAAG,KAAK,CAAC;gBACb,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD;gBACE,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;gBAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,KAAK,CACV,sDAAsD,GAAG,aAAa,IAAI,IAAI,CAC/E,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,GAAG,CAAC;gBACX,CAAC,EAAE,CAAC;gBACJ,MAAM;QACV,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAE9D,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,IAAI;QACJ,GAAG,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,CAAC;QACnD,GAAG,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,CAAC;QAC3C,GAAG,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,cAAc,EAAE,CAAC;QACvD,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,IAAI,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,OAAe;IAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU;IACjB,OAAO;QACL,8EAA8E;QAC9E,EAAE;QACF,OAAO;QACP,mCAAmC;QACnC,EAAE;QACF,SAAS;QACT,8EAA8E;QAC9E,2EAA2E;QAC3E,4DAA4D;QAC5D,gFAAgF;QAChF,4DAA4D;QAC5D,4EAA4E;QAC5E,2EAA2E;QAC3E,6EAA6E;QAC7E,qDAAqD;QACrD,6CAA6C;QAC7C,4CAA4C;QAC5C,EAAE;QACF,YAAY;QACZ,kEAAkE;QAClE,qFAAqF;QACrF,0BAA0B;QAC1B,EAAE;QACF,iBAAiB;QACjB,yDAAyD;QACzD,oFAAoF;QACpF,iFAAiF;QACjF,oFAAoF;KACrF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,I
AAI,aAAiC,CAAC;AACtC,SAAS,iBAAiB;IACxB,IAAI,aAAa,KAAK,SAAS;QAAE,OAAO,aAAa,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAyB,CAAC;QAC/E,aAAa,GAAG,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,OAAO,CAAC;IAC1B,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9C,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,IAAI,CAAC,UAAU,OAAO,IAAI,IAAI,CAAC,CAAC;YACxE,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,UAAU,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,iBAAiB,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,wBAAwB,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3F,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;KAC5D,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3E,GAAG,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACvF,mBAAmB;SACpB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI
,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,IAAI,EAAE;KACH,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;IACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC,CAAC;KACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
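--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,237 +1,29 @@
 /**
- * @motebit/verify —
+ * @motebit/verify — hardware-attestation-aware companion to
+ * `@motebit/verifier`.
  *
- *
- *
+ * Bundles the four Apache-2.0 permissive-floor platform verifier leaves
+ * into a single `HardwareAttestationVerifiers` record + a CLI
+ * `motebit-verify` that hands them to `@motebit/verifier::verifyFile`.
+ * A credential with `hardware_attestation: { platform: "device_check" |
+ * "tpm" | "play_integrity" | "webauthn", ... }` verifies end-to-end
+ * through this package instead of returning the permissive-floor
+ * verifier's `adapter not yet shipped` sentinel.
  *
- *
+ * Programmatic use:
  *
- * Usage:
- * import { verify } from "@motebit/verify";
- *
- * // Identity file
- * const result = await verify(fs.readFileSync("motebit.md", "utf-8"));
- *
- * // Execution receipt (JSON)
- * const result = await verify(receiptJson);
- *
- * // Verifiable credential or presentation (JSON)
- * const result = await verify(credentialJson);
- *
- * // With expected type (fail-fast on misclassification)
- * const result = await verify(artifact, { expectedType: "receipt" });
- */
-interface MotebitIdentityFile {
-    spec: string;
-    motebit_id: string;
-    created_at: string;
-    owner_id: string;
-    type?: "personal" | "service" | "collaborative";
-    service_name?: string;
-    service_description?: string;
-    service_url?: string;
-    capabilities?: string[];
-    terms_url?: string;
-    identity: {
-        algorithm: "Ed25519";
-        public_key: string;
-    };
-    governance: {
-        trust_mode: "full" | "guarded" | "minimal";
-        max_risk_auto: string;
-        require_approval_above: string;
-        deny_above: string;
-        operator_mode: boolean;
-    };
-    privacy: {
-        default_sensitivity: string;
-        retention_days: Record<string, number>;
-        fail_closed: boolean;
-    };
-    memory: {
-        half_life_days: number;
-        confidence_threshold: number;
-        per_turn_limit: number;
-    };
-    /** Organizational guardian for key recovery and enterprise custody (§3.3). */
-    guardian?: {
-        public_key: string;
-        organization?: string;
-        organization_id?: string;
-        established_at: string;
-        /** Ed25519 signature proving guardian governs this agent. */
-        attestation?: string;
-    };
-    devices: Array<{
-        device_id: string;
-        name: string;
-        public_key: string;
-        registered_at: string;
-    }>;
-    succession?: Array<SuccessionRecord>;
-}
-interface SuccessionRecord {
-    old_public_key: string;
-    new_public_key: string;
-    timestamp: number;
-    reason?: string;
-    old_key_signature?: string;
-    new_key_signature: string;
-    /** True when succession was authorized by guardian, not old key. */
-    recovery?: boolean;
-    /** Guardian signature — present only when recovery is true. */
-    guardian_signature?: string;
-}
-interface ExecutionReceipt {
-    task_id: string;
-    motebit_id: string;
-    /** Signer's Ed25519 public key (hex). Enables verification without relay lookup. */
-    public_key?: string;
-    device_id: string;
-    submitted_at: number;
-    completed_at: number;
-    status: string;
-    result: string;
-    tools_used: string[];
-    memories_formed: number;
-    prompt_hash: string;
-    result_hash: string;
-    delegation_receipts?: ExecutionReceipt[];
-    delegated_scope?: string;
-    signature: string;
-}
-interface DataIntegrityProof {
-    type: "DataIntegrityProof";
-    cryptosuite: "eddsa-jcs-2022";
-    created: string;
-    verificationMethod: string;
-    proofPurpose: "assertionMethod" | "authentication";
-    proofValue: string;
-}
-interface VerifiableCredential {
-    "@context": string[];
-    type: string[];
-    issuer: string;
-    credentialSubject: Record<string, unknown> & {
-        id: string;
-    };
-    validFrom: string;
-    validUntil?: string;
-    credentialStatus?: {
-        id: string;
-        type: string;
-    };
-    proof: DataIntegrityProof;
-}
-interface VerifiablePresentation {
-    "@context": string[];
-    type: string[];
-    holder: string;
-    verifiableCredential: VerifiableCredential[];
-    proof: DataIntegrityProof;
-}
-interface VerificationError {
-    message: string;
-    path?: string;
-}
-interface BaseResult {
-    valid: boolean;
-    errors?: VerificationError[];
-}
-interface IdentityVerifyResult extends BaseResult {
-    type: "identity";
-    identity: MotebitIdentityFile | null;
-    did?: string;
-    /** First error message. Convenience accessor for backward compatibility. */
-    error?: string;
-    succession?: {
-        valid: boolean;
-        genesis_public_key?: string;
-        rotations: number;
-        error?: string;
-    };
-}
-interface ReceiptVerifyResult extends BaseResult {
-    type: "receipt";
-    receipt: ExecutionReceipt | null;
-    signer?: string;
-    delegations?: ReceiptVerifyResult[];
-}
-interface CredentialVerifyResult extends BaseResult {
-    type: "credential";
-    credential: VerifiableCredential | null;
-    issuer?: string;
-    subject?: string;
-    expired?: boolean;
-}
-interface PresentationVerifyResult extends BaseResult {
-    type: "presentation";
-    presentation: VerifiablePresentation | null;
-    holder?: string;
-    credentials?: CredentialVerifyResult[];
-}
-type VerifyResult = IdentityVerifyResult | ReceiptVerifyResult | CredentialVerifyResult | PresentationVerifyResult;
-type ArtifactType = VerifyResult["type"];
-interface VerifyOptions {
-    expectedType?: ArtifactType;
-    /** Clock skew tolerance in seconds for credential expiry checks. Default: 60. */
-    clockSkewSeconds?: number;
-}
-/** @deprecated Use VerifyResult instead. Kept for backward compatibility. */
-interface LegacyVerifyResult {
-    valid: boolean;
-    identity: MotebitIdentityFile | null;
-    did?: string;
-    error?: string;
-    succession?: {
-        valid: boolean;
-        genesis_public_key?: string;
-        rotations: number;
-        error?: string;
-    };
-}
-/**
- * Parse a motebit.md file into its components.
- * Does not verify the signature — use `verify()` for that.
- */
-declare function parse(content: string): {
-    frontmatter: MotebitIdentityFile;
-    signature: string;
-    rawFrontmatter: string;
-};
-/**
- * Verify any Motebit artifact: identity file, execution receipt,
- * verifiable credential, or verifiable presentation.
- *
- * Accepts strings (identity files, JSON) or parsed objects (receipts,
- * credentials, presentations). Detects the artifact type automatically.
- *
- * Use `options.expectedType` to fail fast if the artifact doesn't match
- * the expected type.
- *
- * @example
  * ```ts
- * import {
- *
- * // Identity file (string)
- * const r1 = await verify(identityFileContent);
- * if (r1.type === "identity" && r1.valid) console.log(r1.did);
+ * import { verifyFile } from "@motebit/verifier";
+ * import { buildHardwareVerifiers } from "@motebit/verify";
  *
- *
- *
- *
- *
- * // Verifiable credential
- * const r3 = await verify(credential);
- * if (r3.type === "credential" && r3.valid) console.log(r3.issuer);
+ * const result = await verifyFile("cred.json", {
+ * hardwareAttestation: buildHardwareVerifiers(),
+ * });
  * ```
- */
-declare function verify(artifact: unknown, options?: VerifyOptions): Promise<VerifyResult>;
-/**
- * Verify a motebit.md identity file. Backward-compatible with pre-0.4.0.
  *
- *
+ * CLI use: `motebit-verify <file>` — same args as `motebit-verify`,
+ * plus hardware-attestation verification. See `cli.ts`.
  */
-
-
-
+export { buildHardwareVerifiers } from "./adapters.js";
+export type { HardwareVerifierBundleConfig } from "./adapters.js";
+//# sourceMappingURL=index.d.ts.map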
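Review bot: New line 24 of the header is circular — `motebit-verify <file>` is said to take "same args as `motebit-verify`" — and from context the intended comparison is the CLI shipped by `@motebit/verifier`, so I'd reword it to `— same args as @motebit/verifier's CLI,`. The rewritten declaration file also drops every previously exported symbol (`verify`, `parse`, `VerifyResult`, `VerifyOptions`, the artifact interfaces) and exports only `buildHardwareVerifiers` and `HardwareVerifierBundleConfig`; that is legitimate under the 1.0.0 major, but the header points consumers at `verifyFile` without saying where, or whether, the old `verify`/`parse` surface survived. A one-sentence migration note in the header, stating that the 0.7.x `verify`/`parse` API and its result types are no longer exported from this package and naming their new home if one exists, would spare downstream type-check failures from becoming a hunt.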
package/dist/index.d.ts.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA
1
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EAAE,4BAA4B,EAAE,MAAM,eAAe,CAAC"}