@newtype-ai/nit 0.4.9 → 0.4.10

package/README.md

@@ -114,6 +114,9 @@ Pure Node.js builtins. No bloat.
 | `nit branch [name]` | List branches or create a new one |
 | `nit checkout <branch>` | Switch branch (overwrites agent-card.json) |
 | `nit push [--all]` | Push branch(es) to remote |
+| `nit pull [--all]` | Pull branch(es) from remote |
+| `nit reset [target]` | Restore agent-card.json from HEAD or target |
+| `nit show [target]` | Show commit metadata and card content |
 | `nit sign "msg"` | Sign a message with your Ed25519 key |
 | `nit sign --login <domain>` | Auto-switch to domain branch + generate login payload |
 | `nit remote` | Show remote URL and credential status |
@@ -123,6 +126,8 @@ Pure Node.js builtins. No bloat.
 | `nit broadcast --chain <c> <tx>` | Broadcast signed transaction to configured RPC endpoint |
 | `nit rpc` | Show configured RPC endpoints |
 | `nit rpc set-url <chain> <url>` | Set RPC endpoint for a chain |
+| `nit auth set <domain> --provider <p> --account <a>` | Configure OAuth auth for a domain branch |
+| `nit auth show [domain]` | Show auth config for branch(es) |
 
 ## How It Works
 
@@ -186,7 +191,7 @@ your-project/
 ```typescript
 import {
   init, commit, checkout, branch, push, status, sign, loginPayload,
-  loadRawKeyPair, getWalletAddresses, signTx, broadcast, rpcSetUrl,
+  loadRawKeyPair, getWalletAddresses, signTx, broadcast, rpcSetUrl, authSet, authShow,
 } from '@newtype-ai/nit';
 
 await init();

package/dist/chunk-M6SR6QMR.js

@@ -0,0 +1,291 @@
+// nit — version control for agent cards
+
+// src/remote.ts
+import { createHash as createHash2 } from "crypto";
+
+// src/identity.ts
+import {
+  createHash,
+  generateKeyPairSync,
+  createPrivateKey,
+  createPublicKey,
+  sign,
+  verify
+} from "crypto";
+import { promises as fs } from "fs";
+import { join } from "path";
+function base64urlToBase64(b64url) {
+  let s = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  while (s.length % 4 !== 0) s += "=";
+  return s;
+}
+function base64ToBase64url(b64) {
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function generateKeypair(nitDir) {
+  const identityDir = join(nitDir, "identity");
+  await fs.mkdir(identityDir, { recursive: true });
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const pubJwk = publicKey.export({ format: "jwk" });
+  const privJwk = privateKey.export({ format: "jwk" });
+  const pubBase64 = base64urlToBase64(pubJwk.x);
+  const privBase64 = base64urlToBase64(privJwk.d);
+  const pubPath = join(identityDir, "agent.pub");
+  const keyPath = join(identityDir, "agent.key");
+  await fs.writeFile(pubPath, pubBase64 + "\n", "utf-8");
+  await fs.writeFile(keyPath, privBase64 + "\n", {
+    mode: 384,
+    encoding: "utf-8"
+  });
+  return { publicKey: pubBase64, privateKey: privBase64 };
+}
+async function loadPublicKey(nitDir) {
+  const pubPath = join(nitDir, "identity", "agent.pub");
+  try {
+    return (await fs.readFile(pubPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "No identity found. Run `nit init` to generate a keypair."
+    );
+  }
+}
+async function loadPrivateKey(nitDir) {
+  const pubBase64 = await loadPublicKey(nitDir);
+  const keyPath = join(nitDir, "identity", "agent.key");
+  let privBase64;
+  try {
+    privBase64 = (await fs.readFile(keyPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "Private key not found at .nit/identity/agent.key. Regenerate with `nit init`."
+    );
+  }
+  const xB64url = base64ToBase64url(pubBase64);
+  const dB64url = base64ToBase64url(privBase64);
+  return createPrivateKey({
+    key: { kty: "OKP", crv: "Ed25519", x: xB64url, d: dB64url },
+    format: "jwk"
+  });
+}
+async function loadRawKeyPair(nitDir) {
+  const pubBase64 = await loadPublicKey(nitDir);
+  const keyPath = join(nitDir, "identity", "agent.key");
+  let privBase64;
+  try {
+    privBase64 = (await fs.readFile(keyPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "Private key not found at .nit/identity/agent.key. Regenerate with `nit init`."
+    );
+  }
+  const seed = Buffer.from(privBase64, "base64");
+  const pubkey = Buffer.from(pubBase64, "base64");
+  const keypair = new Uint8Array(64);
+  keypair.set(seed, 0);
+  keypair.set(pubkey, 32);
+  return keypair;
+}
+function formatPublicKeyField(pubBase64) {
+  return `ed25519:${pubBase64}`;
+}
+function parsePublicKeyField(field) {
+  const prefix = "ed25519:";
+  if (!field.startsWith(prefix)) {
+    throw new Error(
+      `Invalid publicKey format: expected "ed25519:<base64>", got "${field}"`
+    );
+  }
+  return field.slice(prefix.length);
+}
+async function signChallenge(nitDir, challenge) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = sign(null, Buffer.from(challenge, "utf-8"), privateKey);
+  return sig.toString("base64");
+}
+async function signMessage(nitDir, message) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = sign(null, Buffer.from(message, "utf-8"), privateKey);
+  return sig.toString("base64");
+}
+var NIT_NAMESPACE = "801ba518-f326-47e5-97c9-d1efd1865a19";
+function deriveAgentId(publicKeyField) {
+  return uuidv5(publicKeyField, NIT_NAMESPACE);
+}
+async function loadAgentId(nitDir) {
+  const idPath = join(nitDir, "identity", "agent-id");
+  try {
+    return (await fs.readFile(idPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "No agent ID found. Run `nit init` to generate identity."
+    );
+  }
+}
+async function saveAgentId(nitDir, agentId) {
+  const idPath = join(nitDir, "identity", "agent-id");
+  await fs.writeFile(idPath, agentId + "\n", "utf-8");
+}
+function parseUuid(uuid) {
+  const hex = uuid.replace(/-/g, "");
+  return Buffer.from(hex, "hex");
+}
+function formatUuid(bytes) {
+  const hex = bytes.toString("hex");
+  return [
+    hex.slice(0, 8),
+    hex.slice(8, 12),
+    hex.slice(12, 16),
+    hex.slice(16, 20),
+    hex.slice(20, 32)
+  ].join("-");
+}
+function uuidv5(name, namespace) {
+  const namespaceBytes = parseUuid(namespace);
+  const nameBytes = Buffer.from(name, "utf-8");
+  const data = Buffer.concat([namespaceBytes, nameBytes]);
+  const hash = createHash("sha1").update(data).digest();
+  const uuid = Buffer.from(hash.subarray(0, 16));
+  uuid[6] = uuid[6] & 15 | 80;
+  uuid[8] = uuid[8] & 63 | 128;
+  return formatUuid(uuid);
+}
+
+// src/remote.ts
+function sha256Hex(data) {
+  return createHash2("sha256").update(data, "utf-8").digest("hex");
+}
+async function buildAuthHeaders(nitDir, method, path, body) {
+  const agentId = await loadAgentId(nitDir);
+  const timestamp = Math.floor(Date.now() / 1e3).toString();
+  let message = `${method}
+${path}
+${agentId}
+${timestamp}`;
+  if (body !== void 0) {
+    message += `
+${sha256Hex(body)}`;
+  }
+  const signature = await signMessage(nitDir, message);
+  return {
+    "X-Nit-Agent-Id": agentId,
+    "X-Nit-Timestamp": timestamp,
+    "X-Nit-Signature": signature
+  };
+}
+async function pushBranch(nitDir, apiBase, branch, cardJson, commitHash) {
+  const path = `/agent-card/branches/${encodeURIComponent(branch)}`;
+  const body = JSON.stringify({ card_json: cardJson, commit_hash: commitHash });
+  try {
+    const authHeaders = await buildAuthHeaders(nitDir, "PUT", path, body);
+    const res = await fetch(`${apiBase}${path}`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        ...authHeaders
+      },
+      body
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      return {
+        branch,
+        commitHash,
+        remoteUrl: apiBase,
+        success: false,
+        error: `HTTP ${res.status}: ${text}`
+      };
+    }
+    return { branch, commitHash, remoteUrl: apiBase, success: true };
+  } catch (err) {
+    return {
+      branch,
+      commitHash,
+      remoteUrl: apiBase,
+      success: false,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+async function pushAll(nitDir, apiBase, branches) {
+  const results = [];
+  for (const b of branches) {
+    const result = await pushBranch(nitDir, apiBase, b.name, b.cardJson, b.commitHash);
+    results.push(result);
+  }
+  return results;
+}
+async function listRemoteBranches(nitDir, apiBase) {
+  const path = "/agent-card/branches";
+  const authHeaders = await buildAuthHeaders(nitDir, "GET", path);
+  const res = await fetch(`${apiBase}${path}`, {
+    headers: authHeaders
+  });
+  if (!res.ok) {
+    throw new Error(`Failed to list remote branches: HTTP ${res.status}`);
+  }
+  const data = await res.json();
+  return data.branches.map((b) => b.name);
+}
+async function deleteRemoteBranch(nitDir, apiBase, branch) {
+  const path = `/agent-card/branches/${encodeURIComponent(branch)}`;
+  const authHeaders = await buildAuthHeaders(nitDir, "DELETE", path);
+  const res = await fetch(`${apiBase}${path}`, {
+    method: "DELETE",
+    headers: authHeaders
+  });
+  return res.ok;
+}
+async function fetchBranchCard(cardUrl, branch, nitDir) {
+  const baseUrl = cardUrl.replace(/\/$/, "");
+  let url = `${baseUrl}/.well-known/agent-card.json`;
+  if (branch !== "main") {
+    url += `?branch=${encodeURIComponent(branch)}`;
+  }
+  const res = await fetch(url);
+  if (res.ok) {
+    return await res.json();
+  }
+  if (res.status === 401 && branch !== "main") {
+    if (!nitDir) {
+      throw new Error(
+        `Branch "${branch}" requires authentication. Provide nitDir for signing.`
+      );
+    }
+    const challengeData = await res.json();
+    const signature = await signChallenge(nitDir, challengeData.challenge);
+    const authRes = await fetch(url, {
+      headers: {
+        "X-Nit-Challenge": challengeData.challenge,
+        "X-Nit-Signature": signature
+      }
+    });
+    if (!authRes.ok) {
+      const body = await authRes.text();
+      throw new Error(
+        `Failed to fetch branch "${branch}" after challenge: HTTP ${authRes.status} ${body}`
+      );
+    }
+    return await authRes.json();
+  }
+  throw new Error(`Failed to fetch card: HTTP ${res.status}`);
+}
+
+export {
+  generateKeypair,
+  loadPublicKey,
+  loadPrivateKey,
+  loadRawKeyPair,
+  formatPublicKeyField,
+  parsePublicKeyField,
+  signChallenge,
+  signMessage,
+  NIT_NAMESPACE,
+  deriveAgentId,
+  loadAgentId,
+  saveAgentId,
+  pushBranch,
+  pushAll,
+  listRemoteBranches,
+  deleteRemoteBranch,
+  fetchBranchCard
+};