@motebit/verify 0.7.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/LICENSE +198 -18
  2. package/NOTICE +19 -0
  3. package/README.md +92 -69
  4. package/dist/adapters.d.ts +132 -0
  5. package/dist/adapters.d.ts.map +1 -0
  6. package/dist/adapters.js +74 -0
  7. package/dist/adapters.js.map +1 -0
  8. package/dist/cli.d.ts +45 -0
  9. package/dist/cli.d.ts.map +1 -0
  10. package/dist/cli.js +317 -0
  11. package/dist/cli.js.map +1 -0
  12. package/dist/index.d.ts +25 -230
  13. package/dist/index.d.ts.map +1 -1
  14. package/dist/index.js +31 -1513
  15. package/dist/index.js.map +1 -1
  16. package/package.json +38 -16
package/dist/index.d.ts CHANGED
@@ -1,237 +1,32 @@
1
1
  /**
2
- * @motebit/verify — Standalone verifier for all Motebit artifacts.
2
+ * @motebit/verify — hardware-attestation-aware companion to
3
+ * `@motebit/verifier`.
4
+ *
5
+ * Bundles every Apache-2.0 permissive-floor platform verifier leaf
6
+ * into a single `HardwareAttestationVerifiers` record + a CLI
7
+ * `motebit-verify` that hands them to `@motebit/verifier::verifyFile`.
8
+ * A credential with `hardware_attestation: { platform: "device_check" |
9
+ * "tpm" | "android_keystore" | "webauthn", ... }` verifies end-to-end
10
+ * through this package instead of returning the permissive-floor
11
+ * verifier's `adapter not yet shipped` sentinel. The deprecated
12
+ * `play_integrity` arm is also wired during the
13
+ * `@motebit/crypto-play-integrity@1.x` deprecation cycle for backward
14
+ * compatibility with already-minted credentials.
15
+ *
16
+ * Programmatic use:
3
17
  *
4
- * Verifies identity files, execution receipts, verifiable credentials,
5
- * and verifiable presentations. One function, any artifact, zero config.
6
- *
7
- * Zero monorepo dependencies — only @noble/ed25519 for cryptography.
8
- *
9
- * Usage:
10
- * import { verify } from "@motebit/verify";
11
- *
12
- * // Identity file
13
- * const result = await verify(fs.readFileSync("motebit.md", "utf-8"));
14
- *
15
- * // Execution receipt (JSON)
16
- * const result = await verify(receiptJson);
17
- *
18
- * // Verifiable credential or presentation (JSON)
19
- * const result = await verify(credentialJson);
20
- *
21
- * // With expected type (fail-fast on misclassification)
22
- * const result = await verify(artifact, { expectedType: "receipt" });
23
- */
24
- interface MotebitIdentityFile {
25
- spec: string;
26
- motebit_id: string;
27
- created_at: string;
28
- owner_id: string;
29
- type?: "personal" | "service" | "collaborative";
30
- service_name?: string;
31
- service_description?: string;
32
- service_url?: string;
33
- capabilities?: string[];
34
- terms_url?: string;
35
- identity: {
36
- algorithm: "Ed25519";
37
- public_key: string;
38
- };
39
- governance: {
40
- trust_mode: "full" | "guarded" | "minimal";
41
- max_risk_auto: string;
42
- require_approval_above: string;
43
- deny_above: string;
44
- operator_mode: boolean;
45
- };
46
- privacy: {
47
- default_sensitivity: string;
48
- retention_days: Record<string, number>;
49
- fail_closed: boolean;
50
- };
51
- memory: {
52
- half_life_days: number;
53
- confidence_threshold: number;
54
- per_turn_limit: number;
55
- };
56
- /** Organizational guardian for key recovery and enterprise custody (§3.3). */
57
- guardian?: {
58
- public_key: string;
59
- organization?: string;
60
- organization_id?: string;
61
- established_at: string;
62
- /** Ed25519 signature proving guardian governs this agent. */
63
- attestation?: string;
64
- };
65
- devices: Array<{
66
- device_id: string;
67
- name: string;
68
- public_key: string;
69
- registered_at: string;
70
- }>;
71
- succession?: Array<SuccessionRecord>;
72
- }
73
- interface SuccessionRecord {
74
- old_public_key: string;
75
- new_public_key: string;
76
- timestamp: number;
77
- reason?: string;
78
- old_key_signature?: string;
79
- new_key_signature: string;
80
- /** True when succession was authorized by guardian, not old key. */
81
- recovery?: boolean;
82
- /** Guardian signature — present only when recovery is true. */
83
- guardian_signature?: string;
84
- }
85
- interface ExecutionReceipt {
86
- task_id: string;
87
- motebit_id: string;
88
- /** Signer's Ed25519 public key (hex). Enables verification without relay lookup. */
89
- public_key?: string;
90
- device_id: string;
91
- submitted_at: number;
92
- completed_at: number;
93
- status: string;
94
- result: string;
95
- tools_used: string[];
96
- memories_formed: number;
97
- prompt_hash: string;
98
- result_hash: string;
99
- delegation_receipts?: ExecutionReceipt[];
100
- delegated_scope?: string;
101
- signature: string;
102
- }
103
- interface DataIntegrityProof {
104
- type: "DataIntegrityProof";
105
- cryptosuite: "eddsa-jcs-2022";
106
- created: string;
107
- verificationMethod: string;
108
- proofPurpose: "assertionMethod" | "authentication";
109
- proofValue: string;
110
- }
111
- interface VerifiableCredential {
112
- "@context": string[];
113
- type: string[];
114
- issuer: string;
115
- credentialSubject: Record<string, unknown> & {
116
- id: string;
117
- };
118
- validFrom: string;
119
- validUntil?: string;
120
- credentialStatus?: {
121
- id: string;
122
- type: string;
123
- };
124
- proof: DataIntegrityProof;
125
- }
126
- interface VerifiablePresentation {
127
- "@context": string[];
128
- type: string[];
129
- holder: string;
130
- verifiableCredential: VerifiableCredential[];
131
- proof: DataIntegrityProof;
132
- }
133
- interface VerificationError {
134
- message: string;
135
- path?: string;
136
- }
137
- interface BaseResult {
138
- valid: boolean;
139
- errors?: VerificationError[];
140
- }
141
- interface IdentityVerifyResult extends BaseResult {
142
- type: "identity";
143
- identity: MotebitIdentityFile | null;
144
- did?: string;
145
- /** First error message. Convenience accessor for backward compatibility. */
146
- error?: string;
147
- succession?: {
148
- valid: boolean;
149
- genesis_public_key?: string;
150
- rotations: number;
151
- error?: string;
152
- };
153
- }
154
- interface ReceiptVerifyResult extends BaseResult {
155
- type: "receipt";
156
- receipt: ExecutionReceipt | null;
157
- signer?: string;
158
- delegations?: ReceiptVerifyResult[];
159
- }
160
- interface CredentialVerifyResult extends BaseResult {
161
- type: "credential";
162
- credential: VerifiableCredential | null;
163
- issuer?: string;
164
- subject?: string;
165
- expired?: boolean;
166
- }
167
- interface PresentationVerifyResult extends BaseResult {
168
- type: "presentation";
169
- presentation: VerifiablePresentation | null;
170
- holder?: string;
171
- credentials?: CredentialVerifyResult[];
172
- }
173
- type VerifyResult = IdentityVerifyResult | ReceiptVerifyResult | CredentialVerifyResult | PresentationVerifyResult;
174
- type ArtifactType = VerifyResult["type"];
175
- interface VerifyOptions {
176
- expectedType?: ArtifactType;
177
- /** Clock skew tolerance in seconds for credential expiry checks. Default: 60. */
178
- clockSkewSeconds?: number;
179
- }
180
- /** @deprecated Use VerifyResult instead. Kept for backward compatibility. */
181
- interface LegacyVerifyResult {
182
- valid: boolean;
183
- identity: MotebitIdentityFile | null;
184
- did?: string;
185
- error?: string;
186
- succession?: {
187
- valid: boolean;
188
- genesis_public_key?: string;
189
- rotations: number;
190
- error?: string;
191
- };
192
- }
193
- /**
194
- * Parse a motebit.md file into its components.
195
- * Does not verify the signature — use `verify()` for that.
196
- */
197
- declare function parse(content: string): {
198
- frontmatter: MotebitIdentityFile;
199
- signature: string;
200
- rawFrontmatter: string;
201
- };
202
- /**
203
- * Verify any Motebit artifact: identity file, execution receipt,
204
- * verifiable credential, or verifiable presentation.
205
- *
206
- * Accepts strings (identity files, JSON) or parsed objects (receipts,
207
- * credentials, presentations). Detects the artifact type automatically.
208
- *
209
- * Use `options.expectedType` to fail fast if the artifact doesn't match
210
- * the expected type.
211
- *
212
- * @example
213
18
  * ```ts
214
- * import { verify } from "@motebit/verify";
19
+ * import { verifyFile } from "@motebit/verifier";
20
+ * import { buildHardwareVerifiers } from "@motebit/verify";
215
21
  *
216
- * // Identity file (string)
217
- * const r1 = await verify(identityFileContent);
218
- * if (r1.type === "identity" && r1.valid) console.log(r1.did);
219
- *
220
- * // Execution receipt (object or JSON string)
221
- * const r2 = await verify(receipt, { expectedType: "receipt" });
222
- * if (r2.type === "receipt" && r2.valid) console.log(r2.signer);
223
- *
224
- * // Verifiable credential
225
- * const r3 = await verify(credential);
226
- * if (r3.type === "credential" && r3.valid) console.log(r3.issuer);
22
+ * const result = await verifyFile("cred.json", {
23
+ * hardwareAttestation: buildHardwareVerifiers(),
24
+ * });
227
25
  * ```
228
- */
229
- declare function verify(artifact: unknown, options?: VerifyOptions): Promise<VerifyResult>;
230
- /**
231
- * Verify a motebit.md identity file. Backward-compatible with pre-0.4.0.
232
26
  *
233
- * @deprecated Use `verify(content)` insteadit handles all artifact types.
27
+ * CLI use: `motebit-verify <file>`same args as `motebit-verify`,
28
+ * plus hardware-attestation verification. See `cli.ts`.
234
29
  */
235
- declare function verifyIdentityFile(content: string): Promise<LegacyVerifyResult>;
236
-
237
- export { type ArtifactType, type CredentialVerifyResult, type DataIntegrityProof, type ExecutionReceipt, type IdentityVerifyResult, type LegacyVerifyResult, type MotebitIdentityFile, type PresentationVerifyResult, type ReceiptVerifyResult, type SuccessionRecord, type VerifiableCredential, type VerifiablePresentation, type VerificationError, type VerifyOptions, type VerifyResult, parse, verify, verifyIdentityFile };
30
+ export { buildHardwareVerifiers } from "./adapters.js";
31
+ export type { HardwareVerifierBundleConfig } from "./adapters.js";
32
+ //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAcH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IAGjB,IAAI,CAAC,EAAE,UAAU,GAAG,SAAS,GAAG,eAAe,CAAC;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,QAAQ,EAAE;QACR,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IAEF,UAAU,EAAE;QACV,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAAC;QAC3C,aAAa,EAAE,MAAM,CAAC;QACtB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IAEF,OAAO,EAAE;QACP,mBAAmB,EAAE,MAAM,CAAC;QAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACvC,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;IAEF,MAAM,EAAE;QACN,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IAEF,8EAA8E;IAC9E,QAAQ,CAAC,EAAE;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,6DAA6D;QAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,OAAO,EAAE,KAAK,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC,CAAC;IAEH,UAAU,CAAC,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+DAA+D;IAC/D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,WAAW,EAAE,gBAAgB,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,iBAAiB,GAAG,gBAAgB,CAAC;IACnD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAChD,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB,EAAE,oBAAoB,EAAE,CAAC;IAC7C,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAMD,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,UAAU,UAAU;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,oBAAqB,SAAQ,UAAU;IACtD,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,OAAO,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,mBAAoB,SAAQ,UAAU;IACrD,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,mBAAmB,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,sBAAuB,SAAQ,UAAU;IACxD,IAAI,EAAE,YAAY,CAAC;IACnB,UAAU,EAAE,oBAAoB,GAAG,IAAI,CAAC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,wBAAyB,SAAQ,UAAU;IAC1D,IAAI,EAAE,cAAc,CAAC;IACrB,YAAY,EAAE,sBAAsB,GAAG,IAAI,CAAC;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,sBAAsB,EAAE,CAAC;CACxC;AAED,MAAM,MAAM,YAAY,GACpB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,wBAAwB,CAAC;AAE7B,MAAM,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AAEhD,MAAM,WAAW,aAAa;IAC5B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,iFAAiF;IACjF,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD,6EAA6E;AAC7E,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,OAAO,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAyTD;;;GAGG;AACH,wBAAgB,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG;IACtC,WAAW,EAAE,mBAAmB,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB,CAqBA;AA2bD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CAwD9F;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CASrF"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EAAE,4BAA4B,EAAE,MAAM,eAAe,CAAC"}