@newtype-ai/nit 0.1.2 → 0.2.0

package/dist/{chunk-5AVY6P7B.js → chunk-7KTMZ67T.js}

@@ -1,8 +1,8 @@
 // nit — version control for agent cards
 
 // src/index.ts
-import { promises as fs6, statSync } from "fs";
-import { join as join6, basename as basename2, resolve } from "path";
+import { promises as fs5, statSync } from "fs";
+import { join as join5, basename as basename2, resolve } from "path";
 
 // src/objects.ts
 import { createHash } from "crypto";
@@ -170,6 +170,7 @@ async function getRemoteRef(nitDir, remote2, branch2) {
 
 // src/identity.ts
 import {
+  createHash as createHash2,
   generateKeyPairSync,
   createPrivateKey,
   createPublicKey,
@@ -261,94 +262,73 @@ function verifySignature(pubBase64, challenge, signatureBase64) {
     Buffer.from(signatureBase64, "base64")
   );
 }
-
-// src/config.ts
-import { promises as fs4 } from "fs";
-import { join as join4 } from "path";
-var CONFIG_FILE = "config";
-async function readConfig(nitDir) {
-  const configPath = join4(nitDir, CONFIG_FILE);
-  let raw;
+async function signMessage(nitDir, message) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = sign(null, Buffer.from(message, "utf-8"), privateKey);
+  return sig.toString("base64");
+}
+var NIT_NAMESPACE = "801ba518-f326-47e5-97c9-d1efd1865a19";
+function deriveAgentId(publicKeyField) {
+  return uuidv5(publicKeyField, NIT_NAMESPACE);
+}
+async function loadAgentId(nitDir) {
+  const idPath = join3(nitDir, "identity", "agent-id");
   try {
-    raw = await fs4.readFile(configPath, "utf-8");
+    return (await fs3.readFile(idPath, "utf-8")).trim();
   } catch {
-    return { remotes: {} };
-  }
-  return parseConfig(raw);
-}
-async function writeConfig(nitDir, config) {
-  const configPath = join4(nitDir, CONFIG_FILE);
-  await fs4.writeFile(configPath, serializeConfig(config), "utf-8");
-}
-async function getRemoteCredential(nitDir, remoteName) {
-  const config = await readConfig(nitDir);
-  return config.remotes[remoteName]?.credential ?? null;
-}
-async function setRemoteCredential(nitDir, remoteName, credential) {
-  const config = await readConfig(nitDir);
-  if (!config.remotes[remoteName]) {
-    config.remotes[remoteName] = {};
-  }
-  config.remotes[remoteName].credential = credential;
-  await writeConfig(nitDir, config);
-}
-function parseConfig(raw) {
-  const remotes = {};
-  let currentRemote = null;
-  for (const line of raw.split("\n")) {
-    const trimmed = line.trim();
-    if (trimmed === "" || trimmed.startsWith("#")) continue;
-    const sectionMatch = trimmed.match(/^\[remote\s+"([^"]+)"\]$/);
-    if (sectionMatch) {
-      currentRemote = sectionMatch[1];
-      if (!remotes[currentRemote]) {
-        remotes[currentRemote] = {};
-      }
-      continue;
-    }
-    if (currentRemote !== null) {
-      const kvMatch = trimmed.match(/^(\w+)\s*=\s*(.+)$/);
-      if (kvMatch) {
-        const [, key, value] = kvMatch;
-        if (key === "credential") {
-          remotes[currentRemote].credential = value.trim();
-        }
-      }
-    }
+    throw new Error(
+      "No agent ID found. Run `nit init` to generate identity."
+    );
   }
-  return { remotes };
 }
-function serializeConfig(config) {
-  const lines = [];
-  for (const [name, remote2] of Object.entries(config.remotes)) {
-    lines.push(`[remote "${name}"]`);
-    if (remote2.credential) {
-      lines.push(`  credential = ${remote2.credential}`);
-    }
-    lines.push("");
-  }
-  return lines.join("\n");
+async function saveAgentId(nitDir, agentId) {
+  const idPath = join3(nitDir, "identity", "agent-id");
+  await fs3.writeFile(idPath, agentId + "\n", "utf-8");
+}
+function parseUuid(uuid) {
+  const hex = uuid.replace(/-/g, "");
+  return Buffer.from(hex, "hex");
+}
+function formatUuid(bytes) {
+  const hex = bytes.toString("hex");
+  return [
+    hex.slice(0, 8),
+    hex.slice(8, 12),
+    hex.slice(12, 16),
+    hex.slice(16, 20),
+    hex.slice(20, 32)
+  ].join("-");
+}
+function uuidv5(name, namespace) {
+  const namespaceBytes = parseUuid(namespace);
+  const nameBytes = Buffer.from(name, "utf-8");
+  const data = Buffer.concat([namespaceBytes, nameBytes]);
+  const hash = createHash2("sha1").update(data).digest();
+  const uuid = Buffer.from(hash.subarray(0, 16));
+  uuid[6] = uuid[6] & 15 | 80;
+  uuid[8] = uuid[8] & 63 | 128;
+  return formatUuid(uuid);
 }
 
 // src/skills.ts
-import { promises as fs5 } from "fs";
-import { join as join5 } from "path";
+import { promises as fs4 } from "fs";
+import { join as join4 } from "path";
 import { homedir } from "os";
 async function discoverSkills(projectDir2) {
   const home = homedir();
   const searchDirs = [
     // Project-local (all known agent frameworks)
-    join5(projectDir2, ".claude", "skills"),
-    join5(projectDir2, ".cursor", "skills"),
-    join5(projectDir2, ".windsurf", "skills"),
-    join5(projectDir2, ".codex", "skills"),
-    join5(projectDir2, ".agents", "skills"),
+    join4(projectDir2, ".claude", "skills"),
+    join4(projectDir2, ".cursor", "skills"),
+    join4(projectDir2, ".windsurf", "skills"),
+    join4(projectDir2, ".codex", "skills"),
+    join4(projectDir2, ".agents", "skills"),
     // User-global
-    join5(home, ".claude", "skills"),
+    join4(home, ".claude", "skills"),
     // Claude Code + Cursor (shared)
-    join5(home, ".codex", "skills"),
+    join4(home, ".codex", "skills"),
     // Codex CLI
-    join5(home, ".codeium", "windsurf", "skills")
+    join4(home, ".codeium", "windsurf", "skills")
     // Windsurf
   ];
   const seen = /* @__PURE__ */ new Set();
@@ -381,15 +361,15 @@ async function resolveSkillPointers(card, projectDir2) {
 async function scanSkillDir(dir) {
   let entries;
   try {
-    entries = await fs5.readdir(dir);
+    entries = await fs4.readdir(dir);
   } catch {
     return [];
   }
   const skills = [];
   for (const entry of entries) {
-    const skillMdPath = join5(dir, entry, "SKILL.md");
+    const skillMdPath = join4(dir, entry, "SKILL.md");
     try {
-      const content = await fs5.readFile(skillMdPath, "utf-8");
+      const content = await fs4.readFile(skillMdPath, "utf-8");
       const meta = parseFrontmatter(content, entry, skillMdPath);
       if (meta) skills.push(meta);
     } catch {
@@ -531,36 +511,50 @@ function formatValue(val) {
 }
 
 // src/remote.ts
+import { createHash as createHash3 } from "crypto";
 var API_BASE = "https://api.newtype-ai.org";
+function sha256Hex(data) {
+  return createHash3("sha256").update(data, "utf-8").digest("hex");
+}
+async function buildAuthHeaders(nitDir, method, path, body) {
+  const agentId = await loadAgentId(nitDir);
+  const timestamp = Math.floor(Date.now() / 1e3).toString();
+  let message = `${method}
+${path}
+${agentId}
+${timestamp}`;
+  if (body !== void 0) {
+    message += `
+${sha256Hex(body)}`;
+  }
+  const signature = await signMessage(nitDir, message);
+  return {
+    "X-Nit-Agent-Id": agentId,
+    "X-Nit-Timestamp": timestamp,
+    "X-Nit-Signature": signature
+  };
+}
 async function pushBranch(nitDir, remoteName, branch2, cardJson, commitHash) {
-  const credential = await getRemoteCredential(nitDir, remoteName);
-  if (!credential) {
-    return {
-      branch: branch2,
-      commitHash,
-      remoteUrl: API_BASE,
-      success: false,
-      error: `No credential configured for remote "${remoteName}". Run: nit remote set-credential <agent-key>`
-    };
-  }
-  const url = `${API_BASE}/agent-card/branches/${encodeURIComponent(branch2)}`;
+  const path = `/agent-card/branches/${encodeURIComponent(branch2)}`;
+  const body = JSON.stringify({ card_json: cardJson, commit_hash: commitHash });
   try {
-    const res = await fetch(url, {
+    const authHeaders = await buildAuthHeaders(nitDir, "PUT", path, body);
+    const res = await fetch(`${API_BASE}${path}`, {
       method: "PUT",
       headers: {
         "Content-Type": "application/json",
-        Authorization: `Bearer ${credential}`
+        ...authHeaders
       },
-      body: JSON.stringify({ card_json: cardJson, commit_hash: commitHash })
+      body
     });
     if (!res.ok) {
-      const body = await res.text();
+      const text = await res.text();
       return {
         branch: branch2,
         commitHash,
         remoteUrl: API_BASE,
         success: false,
-        error: `HTTP ${res.status}: ${body}`
+        error: `HTTP ${res.status}: ${text}`
       };
     }
     return { branch: branch2, commitHash, remoteUrl: API_BASE, success: true };
@@ -615,7 +609,7 @@ var CARD_FILE = "agent-card.json";
 function findNitDir(startDir) {
   let dir = resolve(startDir || process.cwd());
   while (true) {
-    const candidate = join6(dir, NIT_DIR);
+    const candidate = join5(dir, NIT_DIR);
     try {
       const s = statSync(candidate);
       if (s.isDirectory()) return candidate;
@@ -634,17 +628,17 @@ function projectDir(nitDir) {
   return resolve(nitDir, "..");
 }
 async function readWorkingCard(nitDir) {
-  const cardPath = join6(projectDir(nitDir), CARD_FILE);
+  const cardPath = join5(projectDir(nitDir), CARD_FILE);
   try {
-    const raw = await fs6.readFile(cardPath, "utf-8");
+    const raw = await fs5.readFile(cardPath, "utf-8");
     return JSON.parse(raw);
   } catch {
     throw new Error(`Cannot read ${CARD_FILE}. Does it exist?`);
   }
 }
 async function writeWorkingCard(nitDir, card) {
-  const cardPath = join6(projectDir(nitDir), CARD_FILE);
-  await fs6.writeFile(cardPath, JSON.stringify(card, null, 2) + "\n", "utf-8");
+  const cardPath = join5(projectDir(nitDir), CARD_FILE);
+  await fs5.writeFile(cardPath, JSON.stringify(card, null, 2) + "\n", "utf-8");
 }
 async function getCardAtCommit(nitDir, commitHash) {
   const commitRaw = await readObject(nitDir, commitHash);
@@ -662,25 +656,27 @@ async function getAuthorName(nitDir) {
 }
 async function init(options) {
   const projDir = resolve(options?.projectDir || process.cwd());
-  const nitDir = join6(projDir, NIT_DIR);
+  const nitDir = join5(projDir, NIT_DIR);
   try {
-    await fs6.access(nitDir);
+    await fs5.access(nitDir);
     throw new Error("Already initialized. .nit/ directory exists.");
   } catch (err) {
     if (err instanceof Error && err.message.startsWith("Already")) throw err;
   }
-  await fs6.mkdir(join6(nitDir, "objects"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "refs", "heads"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "refs", "remote"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "identity"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "logs"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "objects"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "refs", "heads"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "refs", "remote"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "identity"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "logs"), { recursive: true });
   const { publicKey: pubBase64 } = await generateKeypair(nitDir);
   const publicKeyField = formatPublicKeyField(pubBase64);
-  const cardPath = join6(projDir, CARD_FILE);
+  const agentId = deriveAgentId(publicKeyField);
+  await saveAgentId(nitDir, agentId);
+  const cardPath = join5(projDir, CARD_FILE);
   let card;
   let skillsFound = [];
   try {
-    const raw = await fs6.readFile(cardPath, "utf-8");
+    const raw = await fs5.readFile(cardPath, "utf-8");
     card = JSON.parse(raw);
     card.publicKey = publicKeyField;
     skillsFound = card.skills.map((s) => s.id);
@@ -703,6 +699,9 @@ async function init(options) {
       }))
     };
   }
+  if (!card.url) {
+    card.url = `https://agent-${agentId}.newtype-ai.org`;
+  }
   await writeWorkingCard(nitDir, card);
   const cardJson = JSON.stringify(card, null, 2);
   const cardHash = await writeObject(nitDir, "card", cardJson);
@@ -716,11 +715,12 @@ async function init(options) {
   const commitHash = await writeObject(nitDir, "commit", commitContent);
   await setBranch(nitDir, "main", commitHash);
   await setHead(nitDir, "main");
-  await fs6.writeFile(join6(nitDir, "logs", "HEAD"), "", "utf-8");
-  await fs6.writeFile(join6(nitDir, "config"), "", "utf-8");
+  await fs5.writeFile(join5(nitDir, "logs", "HEAD"), "", "utf-8");
+  await fs5.writeFile(join5(nitDir, "config"), "", "utf-8");
   return {
+    agentId,
     publicKey: publicKeyField,
-    cardUrl: card.url || null,
+    cardUrl: card.url,
     skillsFound
   };
 }
@@ -921,24 +921,23 @@ async function push(options) {
 async function remote(options) {
   const nitDir = findNitDir(options?.projectDir);
   const card = await readWorkingCard(nitDir);
-  const credential = await getRemoteCredential(nitDir, "origin");
+  const agentId = await loadAgentId(nitDir);
   return {
     name: "origin",
     url: card.url || "(not set)",
-    hasCredential: credential !== null
+    agentId
   };
 }
-async function setCredential(credential, options) {
-  const nitDir = findNitDir(options?.projectDir);
-  const remoteName = options?.remoteName || "origin";
-  await setRemoteCredential(nitDir, remoteName, credential);
-}
 
 export {
   formatPublicKeyField,
   parsePublicKeyField,
   signChallenge,
   verifySignature,
+  signMessage,
+  NIT_NAMESPACE,
+  deriveAgentId,
+  loadAgentId,
   diffCards,
   formatDiff,
   fetchBranchCard,
@@ -951,6 +950,5 @@ export {
   branch,
   checkout,
   push,
-  remote,
-  setCredential
+  remote
 };

package/dist/cli.js

@@ -10,9 +10,8 @@ import {
   log,
   push,
   remote,
-  setCredential,
   status
-} from "./chunk-5AVY6P7B.js";
+} from "./chunk-7KTMZ67T.js";
 
 // src/cli.ts
 var bold = (s) => `\x1B[1m${s}\x1B[0m`;
@@ -71,10 +70,9 @@ async function cmdInit() {
   const result = await init();
   console.log(bold("Initialized nit repository"));
   console.log();
-  console.log(`  Public key:  ${green(result.publicKey)}`);
-  if (result.cardUrl) {
-    console.log(`  Card URL:    ${result.cardUrl}`);
-  }
+  console.log(`  Agent ID:    ${green(result.agentId)}`);
+  console.log(`  Public key:  ${dim(result.publicKey)}`);
+  console.log(`  Card URL:    ${result.cardUrl}`);
   if (result.skillsFound.length > 0) {
     console.log(`  Skills:      ${result.skillsFound.join(", ")}`);
   } else {
@@ -177,23 +175,11 @@ async function cmdPush(args) {
   }
 }
 async function cmdRemote(args) {
-  const subcommand = args[0];
-  if (subcommand === "set-credential") {
-    const token = args[1];
-    if (!token) {
-      console.error("Usage: nit remote set-credential <agent-key>");
-      process.exit(1);
-    }
-    await setCredential(token);
-    console.log(`Credential ${green("configured")} for origin.`);
-    return;
-  }
   const info = await remote();
   console.log(`${bold(info.name)}`);
   console.log(`  URL:        ${info.url}`);
-  console.log(
-    `  Credential: ${info.hasCredential ? green("configured") : yellow("not set")}`
-  );
+  console.log(`  Agent ID:   ${info.agentId}`);
+  console.log(`  Auth:       ${green("Ed25519 keypair")}`);
 }
 function printUsage() {
   console.log(`
@@ -211,13 +197,12 @@ ${bold("Commands:")}
   checkout <branch>  Switch branch (overwrites agent-card.json)
   push [--all]       Push branch(es) to remote
   remote             Show remote info
-  remote set-credential <key>  Set push credential (agent key)
 
 ${bold("Examples:")}
   nit init
   nit branch faam.io
   nit checkout faam.io
-  ${dim("# edit agent-card.json for FAAM...")}
+  ${dim("# edit agent-card.json for this platform...")}
   nit commit -m "FAAM config"
   nit push --all
 `.trim());

package/dist/index.d.ts

@@ -27,7 +27,7 @@ interface NitHead {
 }
 /** Remote configuration for a single named remote. */
 interface NitRemoteConfig {
-    /** Push credential (Bearer token) */
+    /** Legacy field — push auth is now via Ed25519 keypair */
     credential?: string;
 }
 /** Full .nit/config file contents. */
@@ -140,15 +140,38 @@ declare function signChallenge(nitDir: string, challenge: string): Promise<strin
  * for challenge-response flows.
  */
 declare function verifySignature(pubBase64: string, challenge: string, signatureBase64: string): boolean;
+/**
+ * Sign an arbitrary message with the agent's private key.
+ * Returns a standard base64-encoded signature.
+ */
+declare function signMessage(nitDir: string, message: string): Promise<string>;
+/**
+ * Fixed namespace UUID for nit agent ID derivation.
+ * Generated once, hardcoded forever. Changing this would change ALL agent IDs.
+ * Must match the server-side constant in apps/agent-cards/src/api/agent-id.ts.
+ */
+declare const NIT_NAMESPACE = "801ba518-f326-47e5-97c9-d1efd1865a19";
+/**
+ * Derive a deterministic agent ID (UUID) from an Ed25519 public key field.
+ * Uses UUIDv5: SHA-1 hash of NIT_NAMESPACE + publicKeyField.
+ *
+ * @param publicKeyField  "ed25519:<base64>" format string
+ * @returns               UUID string (lowercase, with hyphens)
+ */
+declare function deriveAgentId(publicKeyField: string): string;
+/**
+ * Load the agent ID from .nit/identity/agent-id.
+ */
+declare function loadAgentId(nitDir: string): Promise<string>;
 
 /**
  * Fetch an agent card from a remote URL.
  *
  * For the main branch, this is a simple public GET.
  * For other branches, this performs the challenge-response flow:
- *   1. Request branch → 401 with challenge
+ *   1. Request branch -> 401 with challenge
  *   2. Sign challenge with agent's private key
- *   3. Re-request with signature → get branch card
+ *   3. Re-request with signature -> get branch card
  *
  * @param cardUrl   The agent's card URL (e.g. https://agent-{uuid}.newtype-ai.org)
  * @param branch    Branch to fetch ("main" for public, others need auth)
@@ -162,8 +185,9 @@ declare function fetchBranchCard(cardUrl: string, branch: string, nitDir?: strin
  */
 declare function findNitDir(startDir?: string): string;
 interface InitResult {
+    agentId: string;
     publicKey: string;
-    cardUrl: string | null;
+    cardUrl: string;
     skillsFound: string[];
 }
 /**
@@ -231,20 +255,13 @@ declare function push(options?: {
 interface RemoteInfo {
     name: string;
     url: string;
-    hasCredential: boolean;
+    agentId: string;
 }
 /**
- * Show remote info. URL comes from agent-card.json, credential from .nit/config.
+ * Show remote info. URL comes from agent-card.json, agent ID from .nit/identity/.
  */
 declare function remote(options?: {
     projectDir?: string;
 }): Promise<RemoteInfo>;
-/**
- * Set the push credential for a remote.
- */
-declare function setCredential(credential: string, options?: {
-    projectDir?: string;
-    remoteName?: string;
-}): Promise<void>;
 
-export { type AgentCard, type AgentCardSkill, type DiffResult, type FieldDiff, type InitResult, type NitBranch, type NitCommit, type NitConfig, type NitHead, type NitRemoteConfig, type PushResult, type RemoteInfo, type SkillMetadata, type StatusResult, branch, checkout, commit, diff, diffCards, fetchBranchCard, findNitDir, formatDiff, formatPublicKeyField, init, log, parsePublicKeyField, push, remote, setCredential, signChallenge, status, verifySignature };
+export { type AgentCard, type AgentCardSkill, type DiffResult, type FieldDiff, type InitResult, NIT_NAMESPACE, type NitBranch, type NitCommit, type NitConfig, type NitHead, type NitRemoteConfig, type PushResult, type RemoteInfo, type SkillMetadata, type StatusResult, branch, checkout, commit, deriveAgentId, diff, diffCards, fetchBranchCard, findNitDir, formatDiff, formatPublicKeyField, init, loadAgentId, log, parsePublicKeyField, push, remote, signChallenge, signMessage, status, verifySignature };

package/dist/index.js

@@ -1,8 +1,10 @@
 // nit — version control for agent cards
 import {
+  NIT_NAMESPACE,
   branch,
   checkout,
   commit,
+  deriveAgentId,
   diff,
   diffCards,
   fetchBranchCard,
@@ -10,19 +12,22 @@ import {
   formatDiff,
   formatPublicKeyField,
   init,
+  loadAgentId,
   log,
   parsePublicKeyField,
   push,
   remote,
-  setCredential,
   signChallenge,
+  signMessage,
   status,
   verifySignature
-} from "./chunk-5AVY6P7B.js";
+} from "./chunk-7KTMZ67T.js";
 export {
+  NIT_NAMESPACE,
   branch,
   checkout,
   commit,
+  deriveAgentId,
   diff,
   diffCards,
   fetchBranchCard,
@@ -30,12 +35,13 @@ export {
   formatDiff,
   formatPublicKeyField,
   init,
+  loadAgentId,
   log,
   parsePublicKeyField,
   push,
   remote,
-  setCredential,
   signChallenge,
+  signMessage,
   status,
   verifySignature
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@newtype-ai/nit",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "Version control for agent cards",
   "type": "module",
   "bin": {