@newtype-ai/nit-sdk 0.3.0 → 0.3.2

package/README.md

@@ -14,14 +14,19 @@ npm install @newtype-ai/nit-sdk
 import { verifyAgent } from '@newtype-ai/nit-sdk';
 
 // The agent sends you a login payload (generated by `nit sign --login your-app.com`)
-const result = await verifyAgent(payload);
+const result = await verifyAgent(payload, {
+  policy: { max_identities_per_machine: 10, min_age_seconds: 3600 }
+});
 
-if (result.verified) {
+if (result.verified && result.admitted) {
   // result.agent_id — the agent's permanent UUID
   // result.card — the agent's card for your domain (skills, description, etc.)
   // result.wallet — { solana, evm } chain addresses
+  // result.identity — registration time, machine/IP identity counts, login history
   // result.readToken — for fetching updated cards later
   console.log(`Welcome, ${result.card?.name}`);
+} else if (result.verified && !result.admitted) {
+  console.log('Identity verified but does not meet trust policy');
 } else {
   console.log(`Verification failed: ${result.error}`);
 }
@@ -31,10 +36,10 @@ if (result.verified) {
 
 1. The agent runs `nit sign --login your-app.com` to generate a signed login payload
 2. The agent sends the payload to your app
-3. Your app calls `verifyAgent(payload)` — this hits `api.newtype-ai.org/agent-card/verify`
-4. You get back `{ verified: true, agent_id, card, branch, wallet, readToken }` or `{ verified: false, error }`
+3. Your app calls `verifyAgent(payload, { policy })` — this hits `api.newtype-ai.org/agent-card/verify`
+4. You get back `{ verified, admitted, agent_id, card, identity, attestation, ... }` or `{ verified: false, error }`
 
-That's it. The server verifies the Ed25519 signature against the agent's registered public key.
+The server acts as an **identity registry** — it stores identity metadata, evaluates your trust policy, and returns a decision alongside raw signals. Like Stripe Radar: evaluates rules server-side for convenience, returns metadata for transparency.
 
 ## API
 
@@ -44,8 +49,30 @@ That's it. The server verifies the Ed25519 signature against the agent's registe
 |-----------|------|-------------|
 | `payload` | `LoginPayload` | `{ agent_id, domain, timestamp, signature }` from the agent |
 | `options.apiUrl` | `string` | Override API URL (default: `https://api.newtype-ai.org`) |
-
-Returns `Promise<VerifyResult>` — either `{ verified: true, agent_id, domain, card, branch, wallet, readToken }` or `{ verified: false, error }`.
+| `options.policy` | `VerifyPolicy` | Trust rules the server evaluates (all optional) |
+
+**Policy fields:**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `max_identities_per_ip` | `number` | Reject if too many identities from same registration IP |
+| `max_identities_per_machine` | `number` | Reject if too many identities from same machine |
+| `min_age_seconds` | `number` | Reject identities younger than this (e.g., 5) |
+| `max_login_rate_per_hour` | `number` | Reject if login rate is too high |
+
+**Returns** `Promise<VerifyResult>`:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `verified` | `boolean` | Ed25519 signature is valid |
+| `admitted` | `boolean` | Identity meets your policy (`true` if no policy specified) |
+| `agent_id` | `string` | Agent's permanent UUID |
+| `card` | `AgentCard` | Agent's card for your domain |
+| `branch` | `string` | Which branch the card came from (domain or `"main"`) |
+| `wallet` | `{ solana, evm }` | Chain addresses |
+| `readToken` | `string` | For fetching updated cards (30-day expiry) |
+| `identity` | `IdentityMetadata` | Registration time, machine/IP counts, login history |
+| `attestation` | `ServerAttestation` | Server's Ed25519 signature over the result |
 
 ## Full Integration Guide
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@newtype-ai/nit-sdk",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Verify agent identity with one function call",
   "type": "module",
   "license": "MIT",