@newtype-ai/nit 0.1.2 → 0.2.1

package/README.md

@@ -49,13 +49,15 @@ nit push --all
 | Command | Description |
 |---------|-------------|
 | `nit init` | Create `.nit/`, generate Ed25519 keypair, initial commit |
-| `nit status` | Current branch, uncommitted changes, ahead/behind remote |
-| `nit commit -m "msg"` | Snapshot agent-card.json (auto-resolves SKILL.md pointers) |
+| `nit status` | Identity info, current branch, uncommitted changes |
+| `nit commit -m "msg"` | Snapshot agent-card.json |
 | `nit log` | Commit history for current branch |
 | `nit diff [target]` | JSON diff vs HEAD, branch, or commit |
 | `nit branch [name]` | List branches or create a new one |
 | `nit checkout <branch>` | Switch branch (overwrites agent-card.json) |
 | `nit push [--all]` | Push branch(es) to remote |
+| `nit sign "msg"` | Sign a message with your Ed25519 key |
+| `nit sign --login <domain>` | Generate login payload for an app |
 | `nit remote` | Show remote URL and credential status |
 
 ## How It Works

package/dist/{chunk-5AVY6P7B.js → chunk-AEWDQDBM.js}

@@ -1,8 +1,8 @@
 // nit — version control for agent cards
 
 // src/index.ts
-import { promises as fs6, statSync } from "fs";
-import { join as join6, basename as basename2, resolve } from "path";
+import { promises as fs5, statSync } from "fs";
+import { join as join5, basename as basename2, resolve } from "path";
 
 // src/objects.ts
 import { createHash } from "crypto";
@@ -170,6 +170,7 @@ async function getRemoteRef(nitDir, remote2, branch2) {
 
 // src/identity.ts
 import {
+  createHash as createHash2,
   generateKeyPairSync,
   createPrivateKey,
   createPublicKey,
@@ -261,94 +262,73 @@ function verifySignature(pubBase64, challenge, signatureBase64) {
     Buffer.from(signatureBase64, "base64")
   );
 }
-
-// src/config.ts
-import { promises as fs4 } from "fs";
-import { join as join4 } from "path";
-var CONFIG_FILE = "config";
-async function readConfig(nitDir) {
-  const configPath = join4(nitDir, CONFIG_FILE);
-  let raw;
+async function signMessage(nitDir, message) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = sign(null, Buffer.from(message, "utf-8"), privateKey);
+  return sig.toString("base64");
+}
+var NIT_NAMESPACE = "801ba518-f326-47e5-97c9-d1efd1865a19";
+function deriveAgentId(publicKeyField) {
+  return uuidv5(publicKeyField, NIT_NAMESPACE);
+}
+async function loadAgentId(nitDir) {
+  const idPath = join3(nitDir, "identity", "agent-id");
   try {
-    raw = await fs4.readFile(configPath, "utf-8");
+    return (await fs3.readFile(idPath, "utf-8")).trim();
   } catch {
-    return { remotes: {} };
-  }
-  return parseConfig(raw);
-}
-async function writeConfig(nitDir, config) {
-  const configPath = join4(nitDir, CONFIG_FILE);
-  await fs4.writeFile(configPath, serializeConfig(config), "utf-8");
-}
-async function getRemoteCredential(nitDir, remoteName) {
-  const config = await readConfig(nitDir);
-  return config.remotes[remoteName]?.credential ?? null;
-}
-async function setRemoteCredential(nitDir, remoteName, credential) {
-  const config = await readConfig(nitDir);
-  if (!config.remotes[remoteName]) {
-    config.remotes[remoteName] = {};
-  }
-  config.remotes[remoteName].credential = credential;
-  await writeConfig(nitDir, config);
-}
-function parseConfig(raw) {
-  const remotes = {};
-  let currentRemote = null;
-  for (const line of raw.split("\n")) {
-    const trimmed = line.trim();
-    if (trimmed === "" || trimmed.startsWith("#")) continue;
-    const sectionMatch = trimmed.match(/^\[remote\s+"([^"]+)"\]$/);
-    if (sectionMatch) {
-      currentRemote = sectionMatch[1];
-      if (!remotes[currentRemote]) {
-        remotes[currentRemote] = {};
-      }
-      continue;
-    }
-    if (currentRemote !== null) {
-      const kvMatch = trimmed.match(/^(\w+)\s*=\s*(.+)$/);
-      if (kvMatch) {
-        const [, key, value] = kvMatch;
-        if (key === "credential") {
-          remotes[currentRemote].credential = value.trim();
-        }
-      }
-    }
+    throw new Error(
+      "No agent ID found. Run `nit init` to generate identity."
+    );
   }
-  return { remotes };
 }
-function serializeConfig(config) {
-  const lines = [];
-  for (const [name, remote2] of Object.entries(config.remotes)) {
-    lines.push(`[remote "${name}"]`);
-    if (remote2.credential) {
-      lines.push(`  credential = ${remote2.credential}`);
-    }
-    lines.push("");
-  }
-  return lines.join("\n");
+async function saveAgentId(nitDir, agentId) {
+  const idPath = join3(nitDir, "identity", "agent-id");
+  await fs3.writeFile(idPath, agentId + "\n", "utf-8");
+}
+function parseUuid(uuid) {
+  const hex = uuid.replace(/-/g, "");
+  return Buffer.from(hex, "hex");
+}
+function formatUuid(bytes) {
+  const hex = bytes.toString("hex");
+  return [
+    hex.slice(0, 8),
+    hex.slice(8, 12),
+    hex.slice(12, 16),
+    hex.slice(16, 20),
+    hex.slice(20, 32)
+  ].join("-");
+}
+function uuidv5(name, namespace) {
+  const namespaceBytes = parseUuid(namespace);
+  const nameBytes = Buffer.from(name, "utf-8");
+  const data = Buffer.concat([namespaceBytes, nameBytes]);
+  const hash = createHash2("sha1").update(data).digest();
+  const uuid = Buffer.from(hash.subarray(0, 16));
+  uuid[6] = uuid[6] & 15 | 80;
+  uuid[8] = uuid[8] & 63 | 128;
+  return formatUuid(uuid);
 }
 
 // src/skills.ts
-import { promises as fs5 } from "fs";
-import { join as join5 } from "path";
+import { promises as fs4 } from "fs";
+import { join as join4 } from "path";
 import { homedir } from "os";
 async function discoverSkills(projectDir2) {
   const home = homedir();
   const searchDirs = [
     // Project-local (all known agent frameworks)
-    join5(projectDir2, ".claude", "skills"),
-    join5(projectDir2, ".cursor", "skills"),
-    join5(projectDir2, ".windsurf", "skills"),
-    join5(projectDir2, ".codex", "skills"),
-    join5(projectDir2, ".agents", "skills"),
+    join4(projectDir2, ".claude", "skills"),
+    join4(projectDir2, ".cursor", "skills"),
+    join4(projectDir2, ".windsurf", "skills"),
+    join4(projectDir2, ".codex", "skills"),
+    join4(projectDir2, ".agents", "skills"),
     // User-global
-    join5(home, ".claude", "skills"),
+    join4(home, ".claude", "skills"),
     // Claude Code + Cursor (shared)
-    join5(home, ".codex", "skills"),
+    join4(home, ".codex", "skills"),
     // Codex CLI
-    join5(home, ".codeium", "windsurf", "skills")
+    join4(home, ".codeium", "windsurf", "skills")
     // Windsurf
   ];
   const seen = /* @__PURE__ */ new Set();
@@ -381,15 +361,15 @@ async function resolveSkillPointers(card, projectDir2) {
 async function scanSkillDir(dir) {
   let entries;
   try {
-    entries = await fs5.readdir(dir);
+    entries = await fs4.readdir(dir);
   } catch {
     return [];
   }
   const skills = [];
   for (const entry of entries) {
-    const skillMdPath = join5(dir, entry, "SKILL.md");
+    const skillMdPath = join4(dir, entry, "SKILL.md");
     try {
-      const content = await fs5.readFile(skillMdPath, "utf-8");
+      const content = await fs4.readFile(skillMdPath, "utf-8");
       const meta = parseFrontmatter(content, entry, skillMdPath);
       if (meta) skills.push(meta);
     } catch {
@@ -531,36 +511,50 @@ function formatValue(val) {
 }
 
 // src/remote.ts
+import { createHash as createHash3 } from "crypto";
 var API_BASE = "https://api.newtype-ai.org";
+function sha256Hex(data) {
+  return createHash3("sha256").update(data, "utf-8").digest("hex");
+}
+async function buildAuthHeaders(nitDir, method, path, body) {
+  const agentId = await loadAgentId(nitDir);
+  const timestamp = Math.floor(Date.now() / 1e3).toString();
+  let message = `${method}
+${path}
+${agentId}
+${timestamp}`;
+  if (body !== void 0) {
+    message += `
+${sha256Hex(body)}`;
+  }
+  const signature = await signMessage(nitDir, message);
+  return {
+    "X-Nit-Agent-Id": agentId,
+    "X-Nit-Timestamp": timestamp,
+    "X-Nit-Signature": signature
+  };
+}
 async function pushBranch(nitDir, remoteName, branch2, cardJson, commitHash) {
-  const credential = await getRemoteCredential(nitDir, remoteName);
-  if (!credential) {
-    return {
-      branch: branch2,
-      commitHash,
-      remoteUrl: API_BASE,
-      success: false,
-      error: `No credential configured for remote "${remoteName}". Run: nit remote set-credential <agent-key>`
-    };
-  }
-  const url = `${API_BASE}/agent-card/branches/${encodeURIComponent(branch2)}`;
+  const path = `/agent-card/branches/${encodeURIComponent(branch2)}`;
+  const body = JSON.stringify({ card_json: cardJson, commit_hash: commitHash });
   try {
-    const res = await fetch(url, {
+    const authHeaders = await buildAuthHeaders(nitDir, "PUT", path, body);
+    const res = await fetch(`${API_BASE}${path}`, {
       method: "PUT",
       headers: {
         "Content-Type": "application/json",
-        Authorization: `Bearer ${credential}`
+        ...authHeaders
       },
-      body: JSON.stringify({ card_json: cardJson, commit_hash: commitHash })
+      body
     });
     if (!res.ok) {
-      const body = await res.text();
+      const text = await res.text();
       return {
         branch: branch2,
         commitHash,
         remoteUrl: API_BASE,
         success: false,
-        error: `HTTP ${res.status}: ${body}`
+        error: `HTTP ${res.status}: ${text}`
       };
     }
     return { branch: branch2, commitHash, remoteUrl: API_BASE, success: true };
@@ -615,7 +609,7 @@ var CARD_FILE = "agent-card.json";
 function findNitDir(startDir) {
   let dir = resolve(startDir || process.cwd());
   while (true) {
-    const candidate = join6(dir, NIT_DIR);
+    const candidate = join5(dir, NIT_DIR);
     try {
       const s = statSync(candidate);
       if (s.isDirectory()) return candidate;
@@ -634,17 +628,17 @@ function projectDir(nitDir) {
   return resolve(nitDir, "..");
 }
 async function readWorkingCard(nitDir) {
-  const cardPath = join6(projectDir(nitDir), CARD_FILE);
+  const cardPath = join5(projectDir(nitDir), CARD_FILE);
   try {
-    const raw = await fs6.readFile(cardPath, "utf-8");
+    const raw = await fs5.readFile(cardPath, "utf-8");
     return JSON.parse(raw);
   } catch {
     throw new Error(`Cannot read ${CARD_FILE}. Does it exist?`);
   }
 }
 async function writeWorkingCard(nitDir, card) {
-  const cardPath = join6(projectDir(nitDir), CARD_FILE);
-  await fs6.writeFile(cardPath, JSON.stringify(card, null, 2) + "\n", "utf-8");
+  const cardPath = join5(projectDir(nitDir), CARD_FILE);
+  await fs5.writeFile(cardPath, JSON.stringify(card, null, 2) + "\n", "utf-8");
 }
 async function getCardAtCommit(nitDir, commitHash) {
   const commitRaw = await readObject(nitDir, commitHash);
@@ -662,25 +656,27 @@ async function getAuthorName(nitDir) {
 }
 async function init(options) {
   const projDir = resolve(options?.projectDir || process.cwd());
-  const nitDir = join6(projDir, NIT_DIR);
+  const nitDir = join5(projDir, NIT_DIR);
   try {
-    await fs6.access(nitDir);
+    await fs5.access(nitDir);
     throw new Error("Already initialized. .nit/ directory exists.");
   } catch (err) {
     if (err instanceof Error && err.message.startsWith("Already")) throw err;
   }
-  await fs6.mkdir(join6(nitDir, "objects"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "refs", "heads"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "refs", "remote"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "identity"), { recursive: true });
-  await fs6.mkdir(join6(nitDir, "logs"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "objects"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "refs", "heads"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "refs", "remote"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "identity"), { recursive: true });
+  await fs5.mkdir(join5(nitDir, "logs"), { recursive: true });
   const { publicKey: pubBase64 } = await generateKeypair(nitDir);
   const publicKeyField = formatPublicKeyField(pubBase64);
-  const cardPath = join6(projDir, CARD_FILE);
+  const agentId = deriveAgentId(publicKeyField);
+  await saveAgentId(nitDir, agentId);
+  const cardPath = join5(projDir, CARD_FILE);
   let card;
   let skillsFound = [];
   try {
-    const raw = await fs6.readFile(cardPath, "utf-8");
+    const raw = await fs5.readFile(cardPath, "utf-8");
     card = JSON.parse(raw);
     card.publicKey = publicKeyField;
     skillsFound = card.skills.map((s) => s.id);
@@ -703,6 +699,9 @@ async function init(options) {
       }))
     };
   }
+  if (!card.url) {
+    card.url = `https://agent-${agentId}.newtype-ai.org`;
+  }
   await writeWorkingCard(nitDir, card);
   const cardJson = JSON.stringify(card, null, 2);
   const cardHash = await writeObject(nitDir, "card", cardJson);
@@ -716,11 +715,12 @@ async function init(options) {
   const commitHash = await writeObject(nitDir, "commit", commitContent);
   await setBranch(nitDir, "main", commitHash);
   await setHead(nitDir, "main");
-  await fs6.writeFile(join6(nitDir, "logs", "HEAD"), "", "utf-8");
-  await fs6.writeFile(join6(nitDir, "config"), "", "utf-8");
+  await fs5.writeFile(join5(nitDir, "logs", "HEAD"), "", "utf-8");
+  await fs5.writeFile(join5(nitDir, "config"), "", "utf-8");
   return {
+    agentId,
     publicKey: publicKeyField,
-    cardUrl: card.url || null,
+    cardUrl: card.url,
     skillsFound
   };
 }
@@ -729,12 +729,15 @@ async function status(options) {
   const currentBranch = await getCurrentBranch(nitDir);
   const pubBase64 = await loadPublicKey(nitDir);
   const publicKey = formatPublicKeyField(pubBase64);
+  const agentId = await loadAgentId(nitDir);
+  const workingCard = await readWorkingCard(nitDir);
+  const cardUrl = workingCard.url || `https://agent-${agentId}.newtype-ai.org`;
   let uncommittedChanges = null;
   try {
     const headHash = await resolveHead(nitDir);
     const headCard = await getCardAtCommit(nitDir, headHash);
-    const workingCard = await readWorkingCard(nitDir);
-    const d = diffCards(headCard, workingCard);
+    const workingCard2 = await readWorkingCard(nitDir);
+    const d = diffCards(headCard, workingCard2);
     if (d.changed) {
       uncommittedChanges = d;
     }
@@ -773,12 +776,28 @@ async function status(options) {
     branchStatus.push({ name: b.name, ahead, behind: 0 });
   }
   return {
+    agentId,
+    cardUrl,
     branch: currentBranch,
     publicKey,
     uncommittedChanges,
     branches: branchStatus
   };
 }
+async function sign2(message, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  return signMessage(nitDir, message);
+}
+async function loginPayload(domain, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const agentId = await loadAgentId(nitDir);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const message = `${agentId}
+${domain}
+${timestamp}`;
+  const signature = await signMessage(nitDir, message);
+  return { agent_id: agentId, domain, timestamp, signature };
+}
 async function commit(message, options) {
   const nitDir = findNitDir(options?.projectDir);
   const projDir = projectDir(nitDir);
@@ -921,36 +940,36 @@ async function push(options) {
 async function remote(options) {
   const nitDir = findNitDir(options?.projectDir);
   const card = await readWorkingCard(nitDir);
-  const credential = await getRemoteCredential(nitDir, "origin");
+  const agentId = await loadAgentId(nitDir);
   return {
     name: "origin",
     url: card.url || "(not set)",
-    hasCredential: credential !== null
+    agentId
   };
 }
-async function setCredential(credential, options) {
-  const nitDir = findNitDir(options?.projectDir);
-  const remoteName = options?.remoteName || "origin";
-  await setRemoteCredential(nitDir, remoteName, credential);
-}
 
 export {
   formatPublicKeyField,
   parsePublicKeyField,
   signChallenge,
   verifySignature,
+  signMessage,
+  NIT_NAMESPACE,
+  deriveAgentId,
+  loadAgentId,
   diffCards,
   formatDiff,
   fetchBranchCard,
   findNitDir,
   init,
   status,
+  sign2 as sign,
+  loginPayload,
   commit,
   log,
   diff,
   branch,
   checkout,
   push,
-  remote,
-  setCredential
+  remote
 };

package/dist/cli.js

@@ -8,11 +8,12 @@ import {
   formatDiff,
   init,
   log,
+  loginPayload,
   push,
   remote,
-  setCredential,
+  sign,
   status
-} from "./chunk-5AVY6P7B.js";
+} from "./chunk-AEWDQDBM.js";
 
 // src/cli.ts
 var bold = (s) => `\x1B[1m${s}\x1B[0m`;
@@ -48,6 +49,9 @@ async function main() {
       case "push":
         await cmdPush(args);
         break;
+      case "sign":
+        await cmdSign(args);
+        break;
       case "remote":
         await cmdRemote(args);
         break;
@@ -71,10 +75,9 @@ async function cmdInit() {
   const result = await init();
   console.log(bold("Initialized nit repository"));
   console.log();
-  console.log(`  Public key:  ${green(result.publicKey)}`);
-  if (result.cardUrl) {
-    console.log(`  Card URL:    ${result.cardUrl}`);
-  }
+  console.log(`  Agent ID:    ${green(result.agentId)}`);
+  console.log(`  Public key:  ${dim(result.publicKey)}`);
+  console.log(`  Card URL:    ${result.cardUrl}`);
   if (result.skillsFound.length > 0) {
     console.log(`  Skills:      ${result.skillsFound.join(", ")}`);
   } else {
@@ -82,11 +85,16 @@ async function cmdInit() {
   }
   console.log();
   console.log(dim("Created .nit/ with initial commit on main."));
+  console.log();
+  console.log(`Next: open ${bold("agent-card.json")} and set your name, description, and skills.`);
 }
 async function cmdStatus() {
   const s = await status();
   console.log(`On branch ${bold(s.branch)}`);
-  console.log(`Public key: ${dim(s.publicKey)}`);
+  console.log();
+  console.log(`  Agent ID:    ${green(s.agentId)}`);
+  console.log(`  Public key:  ${dim(s.publicKey)}`);
+  console.log(`  Card URL:    ${s.cardUrl}`);
   console.log();
   if (s.uncommittedChanges) {
     console.log(yellow("Uncommitted changes:"));
@@ -177,23 +185,32 @@ async function cmdPush(args) {
   }
 }
 async function cmdRemote(args) {
-  const subcommand = args[0];
-  if (subcommand === "set-credential") {
-    const token = args[1];
-    if (!token) {
-      console.error("Usage: nit remote set-credential <agent-key>");
+  const info = await remote();
+  console.log(`${bold(info.name)}`);
+  console.log(`  URL:        ${info.url}`);
+  console.log(`  Agent ID:   ${info.agentId}`);
+  console.log(`  Auth:       ${green("Ed25519 keypair")}`);
+}
+async function cmdSign(args) {
+  const loginIndex = args.indexOf("--login");
+  if (loginIndex !== -1) {
+    const domain = args[loginIndex + 1];
+    if (!domain) {
+      console.error("Usage: nit sign --login <domain>");
       process.exit(1);
     }
-    await setCredential(token);
-    console.log(`Credential ${green("configured")} for origin.`);
+    const payload = await loginPayload(domain);
+    console.log(JSON.stringify(payload, null, 2));
     return;
   }
-  const info = await remote();
-  console.log(`${bold(info.name)}`);
-  console.log(`  URL:        ${info.url}`);
-  console.log(
-    `  Credential: ${info.hasCredential ? green("configured") : yellow("not set")}`
-  );
+  const message = args[0];
+  if (!message) {
+    console.error('Usage: nit sign "message"');
+    console.error("       nit sign --login <domain>");
+    process.exit(1);
+  }
+  const signature = await sign(message);
+  console.log(signature);
 }
 function printUsage() {
   console.log(`
@@ -203,21 +220,22 @@ ${bold("Usage:")} nit <command> [options]
 
 ${bold("Commands:")}
   init               Initialize .nit/ in current directory
-  status             Show current branch and uncommitted changes
+  status             Show identity, branch, and uncommitted changes
   commit -m "msg"    Snapshot agent-card.json
   log                Show commit history
   diff [target]      Compare card vs HEAD, branch, or commit
   branch [name]      List branches or create a new one
   checkout <branch>  Switch branch (overwrites agent-card.json)
   push [--all]       Push branch(es) to remote
+  sign "message"     Sign a message with your Ed25519 key
+  sign --login <dom> Generate login payload for an app
   remote             Show remote info
-  remote set-credential <key>  Set push credential (agent key)
 
 ${bold("Examples:")}
   nit init
   nit branch faam.io
   nit checkout faam.io
-  ${dim("# edit agent-card.json for FAAM...")}
+  ${dim("# edit agent-card.json for this platform...")}
   nit commit -m "FAAM config"
   nit push --all
 `.trim());

package/dist/index.d.ts

@@ -27,7 +27,7 @@ interface NitHead {
 }
 /** Remote configuration for a single named remote. */
 interface NitRemoteConfig {
-    /** Push credential (Bearer token) */
+    /** Legacy field — push auth is now via Ed25519 keypair */
     credential?: string;
 }
 /** Full .nit/config file contents. */
@@ -101,6 +101,8 @@ interface PushResult {
 }
 /** Result returned by the status command. */
 interface StatusResult {
+    agentId: string;
+    cardUrl: string;
     branch: string;
     publicKey: string;
     uncommittedChanges: DiffResult | null;
@@ -110,6 +112,13 @@ interface StatusResult {
         behind: number;
     }>;
 }
+/** Result of generating a login payload for app authentication. */
+interface LoginPayload {
+    agent_id: string;
+    domain: string;
+    timestamp: number;
+    signature: string;
+}
 
 /**
  * Compare two agent cards and return a structured diff.
@@ -140,15 +149,38 @@ declare function signChallenge(nitDir: string, challenge: string): Promise<strin
  * for challenge-response flows.
  */
 declare function verifySignature(pubBase64: string, challenge: string, signatureBase64: string): boolean;
+/**
+ * Sign an arbitrary message with the agent's private key.
+ * Returns a standard base64-encoded signature.
+ */
+declare function signMessage(nitDir: string, message: string): Promise<string>;
+/**
+ * Fixed namespace UUID for nit agent ID derivation.
+ * Generated once, hardcoded forever. Changing this would change ALL agent IDs.
+ * Must match the server-side constant in apps/agent-cards/src/api/agent-id.ts.
+ */
+declare const NIT_NAMESPACE = "801ba518-f326-47e5-97c9-d1efd1865a19";
+/**
+ * Derive a deterministic agent ID (UUID) from an Ed25519 public key field.
+ * Uses UUIDv5: SHA-1 hash of NIT_NAMESPACE + publicKeyField.
+ *
+ * @param publicKeyField  "ed25519:<base64>" format string
+ * @returns               UUID string (lowercase, with hyphens)
+ */
+declare function deriveAgentId(publicKeyField: string): string;
+/**
+ * Load the agent ID from .nit/identity/agent-id.
+ */
+declare function loadAgentId(nitDir: string): Promise<string>;
 
 /**
  * Fetch an agent card from a remote URL.
  *
  * For the main branch, this is a simple public GET.
  * For other branches, this performs the challenge-response flow:
- *   1. Request branch → 401 with challenge
+ *   1. Request branch -> 401 with challenge
  *   2. Sign challenge with agent's private key
- *   3. Re-request with signature → get branch card
+ *   3. Re-request with signature -> get branch card
  *
  * @param cardUrl   The agent's card URL (e.g. https://agent-{uuid}.newtype-ai.org)
  * @param branch    Branch to fetch ("main" for public, others need auth)
@@ -162,8 +194,9 @@ declare function fetchBranchCard(cardUrl: string, branch: string, nitDir?: strin
  */
 declare function findNitDir(startDir?: string): string;
 interface InitResult {
+    agentId: string;
     publicKey: string;
-    cardUrl: string | null;
+    cardUrl: string;
     skillsFound: string[];
 }
 /**
@@ -183,6 +216,21 @@ declare function init(options?: {
 declare function status(options?: {
     projectDir?: string;
 }): Promise<StatusResult>;
+/**
+ * Sign an arbitrary message with the agent's Ed25519 private key.
+ * Returns a base64-encoded signature.
+ */
+declare function sign(message: string, options?: {
+    projectDir?: string;
+}): Promise<string>;
+/**
+ * Generate a login payload for app authentication.
+ * Constructs the canonical message ({agent_id}\n{domain}\n{timestamp}),
+ * signs it, and returns the full payload ready to send to an app.
+ */
+declare function loginPayload(domain: string, options?: {
+    projectDir?: string;
+}): Promise<LoginPayload>;
 /**
  * Snapshot the current agent-card.json as a new commit.
  * Resolves skill pointers from SKILL.md before committing.
@@ -231,20 +279,13 @@ declare function push(options?: {
 interface RemoteInfo {
     name: string;
     url: string;
-    hasCredential: boolean;
+    agentId: string;
 }
 /**
- * Show remote info. URL comes from agent-card.json, credential from .nit/config.
+ * Show remote info. URL comes from agent-card.json, agent ID from .nit/identity/.
  */
 declare function remote(options?: {
     projectDir?: string;
 }): Promise<RemoteInfo>;
-/**
- * Set the push credential for a remote.
- */
-declare function setCredential(credential: string, options?: {
-    projectDir?: string;
-    remoteName?: string;
-}): Promise<void>;
 
-export { type AgentCard, type AgentCardSkill, type DiffResult, type FieldDiff, type InitResult, type NitBranch, type NitCommit, type NitConfig, type NitHead, type NitRemoteConfig, type PushResult, type RemoteInfo, type SkillMetadata, type StatusResult, branch, checkout, commit, diff, diffCards, fetchBranchCard, findNitDir, formatDiff, formatPublicKeyField, init, log, parsePublicKeyField, push, remote, setCredential, signChallenge, status, verifySignature };
+export { type AgentCard, type AgentCardSkill, type DiffResult, type FieldDiff, type InitResult, type LoginPayload, NIT_NAMESPACE, type NitBranch, type NitCommit, type NitConfig, type NitHead, type NitRemoteConfig, type PushResult, type RemoteInfo, type SkillMetadata, type StatusResult, branch, checkout, commit, deriveAgentId, diff, diffCards, fetchBranchCard, findNitDir, formatDiff, formatPublicKeyField, init, loadAgentId, log, loginPayload, parsePublicKeyField, push, remote, sign, signChallenge, signMessage, status, verifySignature };

package/dist/index.js

@@ -1,8 +1,10 @@
 // nit — version control for agent cards
 import {
+  NIT_NAMESPACE,
   branch,
   checkout,
   commit,
+  deriveAgentId,
   diff,
   diffCards,
   fetchBranchCard,
@@ -10,19 +12,24 @@ import {
   formatDiff,
   formatPublicKeyField,
   init,
+  loadAgentId,
   log,
+  loginPayload,
   parsePublicKeyField,
   push,
   remote,
-  setCredential,
+  sign,
   signChallenge,
+  signMessage,
   status,
   verifySignature
-} from "./chunk-5AVY6P7B.js";
+} from "./chunk-AEWDQDBM.js";
 export {
+  NIT_NAMESPACE,
   branch,
   checkout,
   commit,
+  deriveAgentId,
   diff,
   diffCards,
   fetchBranchCard,
@@ -30,12 +37,15 @@ export {
   formatDiff,
   formatPublicKeyField,
   init,
+  loadAgentId,
   log,
+  loginPayload,
   parsePublicKeyField,
   push,
   remote,
-  setCredential,
+  sign,
   signChallenge,
+  signMessage,
   status,
   verifySignature
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@newtype-ai/nit",
-  "version": "0.1.2",
+  "version": "0.2.1",
   "description": "Version control for agent cards",
   "type": "module",
   "bin": {