@opena2a/aim-core 0.1.0

package/dist/audit.d.ts

@@ -0,0 +1,8 @@
+import type { AuditEvent, AuditEventInput, AuditReadOptions } from './types';
+/** Append an audit event to the JSON-lines log */
+export declare function logEvent(dataDir: string, event: AuditEventInput): AuditEvent;
+/** Read audit events from the JSON-lines log */
+export declare function readAuditLog(dataDir: string, options?: AuditReadOptions): AuditEvent[];
+/** Check if the audit log exists and has entries */
+export declare function hasAuditLog(dataDir: string): boolean;
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAI7E,kDAAkD;AAClD,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,UAAU,CA+D5E;AAED,gDAAgD;AAChD,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,gBAAgB,GACzB,UAAU,EAAE,CAsBd;AAED,oDAAoD;AACpD,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAKpD"}

package/dist/audit.js

@@ -0,0 +1,135 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logEvent = logEvent;
+exports.readAuditLog = readAuditLog;
+exports.hasAuditLog = hasAuditLog;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto = __importStar(require("crypto"));
+const AUDIT_FILE = 'audit.jsonl';
+/** Append an audit event to the JSON-lines log */
+function logEvent(dataDir, event) {
+    const fullEvent = {
+        timestamp: new Date().toISOString(),
+        ...event,
+    };
+    // Enforce per-field size limits to prevent DoS via oversized fields
+    const MAX_FIELD_SIZE = 4096;
+    if (fullEvent.plugin.length > MAX_FIELD_SIZE)
+        fullEvent.plugin = fullEvent.plugin.slice(0, MAX_FIELD_SIZE);
+    if (fullEvent.action.length > MAX_FIELD_SIZE)
+        fullEvent.action = fullEvent.action.slice(0, MAX_FIELD_SIZE);
+    if (fullEvent.target.length > MAX_FIELD_SIZE)
+        fullEvent.target = fullEvent.target.slice(0, MAX_FIELD_SIZE);
+    // Enforce per-event size limit (1MB) to prevent DoS via oversized metadata
+    const MAX_EVENT_SIZE = 1024 * 1024;
+    let serialized = JSON.stringify(fullEvent);
+    if (serialized.length > MAX_EVENT_SIZE) {
+        fullEvent.metadata = { _truncated: true, _reason: 'Event exceeded 1MB size limit' };
+        serialized = JSON.stringify(fullEvent);
+    }
+    fs.mkdirSync(dataDir, { recursive: true });
+    const filePath = path.join(dataDir, AUDIT_FILE);
+    // Rotate if audit log exceeds 50MB, keep last 5 rotated logs
+    const MAX_AUDIT_SIZE = 50 * 1024 * 1024;
+    const MAX_ROTATED_LOGS = 5;
+    try {
+        const stat = fs.statSync(filePath);
+        if (stat.size > MAX_AUDIT_SIZE) {
+            const suffix = `${Date.now()}.${process.pid}.${crypto.randomBytes(4).toString('hex')}`;
+            const rotatedPath = `${filePath}.${suffix}`;
+            try {
+                fs.renameSync(filePath, rotatedPath);
+            }
+            catch {
+                // Another process may have already rotated — safe to continue
+            }
+            // Clean up old rotated logs beyond the retention limit
+            try {
+                const dir = path.dirname(filePath);
+                const base = path.basename(filePath);
+                const rotated = fs.readdirSync(dir)
+                    .filter((f) => f.startsWith(base + '.') && f !== base)
+                    .sort()
+                    .reverse();
+                for (const old of rotated.slice(MAX_ROTATED_LOGS)) {
+                    try {
+                        fs.unlinkSync(path.join(dir, old));
+                    }
+                    catch {
+                        // Individual file deletion is best-effort
+                    }
+                }
+            }
+            catch {
+                // Cleanup is best-effort
+            }
+        }
+    }
+    catch {
+        // File doesn't exist yet — will be created by appendFileSync
+    }
+    fs.appendFileSync(filePath, serialized + '\n', 'utf-8');
+    return fullEvent;
+}
+/** Read audit events from the JSON-lines log */
+function readAuditLog(dataDir, options) {
+    const filePath = path.join(dataDir, AUDIT_FILE);
+    if (!fs.existsSync(filePath)) {
+        return [];
+    }
+    const raw = fs.readFileSync(filePath, 'utf-8');
+    const lines = raw.trim().split('\n').filter(Boolean);
+    let events = lines.map((line) => JSON.parse(line));
+    if (options?.since) {
+        const sinceDate = new Date(options.since).getTime();
+        events = events.filter((e) => new Date(e.timestamp).getTime() > sinceDate);
+    }
+    if (options?.limit && options.limit > 0) {
+        // Return the most recent N events
+        events = events.slice(-options.limit);
+    }
+    return events;
+}
+/** Check if the audit log exists and has entries */
+function hasAuditLog(dataDir) {
+    const filePath = path.join(dataDir, AUDIT_FILE);
+    if (!fs.existsSync(filePath))
+        return false;
+    const stat = fs.statSync(filePath);
+    return stat.size > 0;
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQA,4BA+DC;AAGD,oCAyBC;AAGD,kCAKC;AA3GD,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAiC;AAGjC,MAAM,UAAU,GAAG,aAAa,CAAC;AAEjC,kDAAkD;AAClD,SAAgB,QAAQ,CAAC,OAAe,EAAE,KAAsB;IAC9D,MAAM,SAAS,GAAe;QAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,GAAG,KAAK;KACT,CAAC;IAEF,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,CAAC;IAC5B,IAAI,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,cAAc;QAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;IAC3G,IAAI,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,cAAc;QAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;IAC3G,IAAI,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,cAAc;QAAE,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;IAE3G,2EAA2E;IAC3E,MAAM,cAAc,GAAG,IAAI,GAAG,IAAI,CAAC;IACnC,IAAI,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QACvC,SAAS,CAAC,QAAQ,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;QACpF,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAEhD,6DAA6D;IAC7D,MAAM,cAAc,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;IACxC,MAAM,gBAAgB,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,IAAI,CAAC,IAAI,GAAG,cAAc,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC,GAAG,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACvF,MAAM,WAAW,GAAG,GAAG,QAAQ,IAAI,MAAM,EAAE,CAAC;YAC5C,IAAI,CAAC;gBACH,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;YAED,uDAAuD;YACvD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACrC,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC;qBAChC,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;qBAC7D,IAAI,EAAE;qBACN,OAAO,EAAE,CAAC;gBACb,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBAClD,IAAI,CAAC;wBACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;oBACrC,CAAC;oBAAC,MAAM,CAAC;wBACP,0CAA0C;oBAC5C,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;IAC/D,CAAC;IAED,EAAE,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IAExD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,gDAAgD;AAChD,SAAgB,YAAY,CAC1B,OAAe,EACf,OAA0B;IAE1B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAChD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAErD,IAAI,MAAM,GAAiB,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC,CAAC;IAE/E,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;QACpD,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACxC,kCAAkC;QAClC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,oDAAoD;AACpD,SAAgB,WAAW,CAAC,OAAe;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAChD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;AACvB,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,5 @@
+/** Sign data with an Ed25519 secret key */
+export declare function sign(data: Uint8Array, secretKey: Uint8Array): Uint8Array;
+/** Verify an Ed25519 detached signature */
+export declare function verify(data: Uint8Array, signature: Uint8Array, publicKey: Uint8Array): boolean;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAEA,2CAA2C;AAC3C,wBAAgB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAExE;AAED,2CAA2C;AAC3C,wBAAgB,MAAM,CACpB,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,UAAU,GACpB,OAAO,CAET"}

package/dist/crypto.js

@@ -0,0 +1,47 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sign = sign;
+exports.verify = verify;
+const nacl = __importStar(require("tweetnacl"));
+/** Sign data with an Ed25519 secret key */
+function sign(data, secretKey) {
+    return nacl.sign.detached(data, secretKey);
+}
+/** Verify an Ed25519 detached signature */
+function verify(data, signature, publicKey) {
+    return nacl.sign.detached.verify(data, signature, publicKey);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,oBAEC;AAGD,wBAMC;AAdD,gDAAkC;AAElC,2CAA2C;AAC3C,SAAgB,IAAI,CAAC,IAAgB,EAAE,SAAqB;IAC1D,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,2CAA2C;AAC3C,SAAgB,MAAM,CACpB,IAAgB,EAChB,SAAqB,EACrB,SAAqB;IAErB,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;AAC/D,CAAC"}

package/dist/identity.d.ts

@@ -0,0 +1,12 @@
+import type { AIMIdentity, StoredIdentity } from './types';
+/** Generate a new Ed25519 keypair and store it */
+export declare function createIdentity(dataDir: string, agentName: string): StoredIdentity;
+/** Load an existing identity from disk */
+export declare function loadIdentity(dataDir: string): StoredIdentity | null;
+/** Get or create the agent's identity. Returns the public-facing identity (no secret key). */
+export declare function getOrCreateIdentity(dataDir: string, agentName: string): AIMIdentity;
+/** Get the Ed25519 secret key as Uint8Array (for signing operations) */
+export declare function getSecretKey(dataDir: string): Uint8Array | null;
+/** Get the Ed25519 public key as Uint8Array (for verification) */
+export declare function getPublicKey(dataDir: string): Uint8Array | null;
+//# sourceMappingURL=identity.d.ts.map

package/dist/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAgB3D,kDAAkD;AAClD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,cAAc,CAmBjF;AAED,0CAA0C;AAC1C,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAYnE;AAED,8FAA8F;AAC9F,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,WAAW,CAanF;AAED,wEAAwE;AACxE,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAI/D;AAED,kEAAkE;AAClE,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAI/D"}

package/dist/identity.js

@@ -0,0 +1,119 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createIdentity = createIdentity;
+exports.loadIdentity = loadIdentity;
+exports.getOrCreateIdentity = getOrCreateIdentity;
+exports.getSecretKey = getSecretKey;
+exports.getPublicKey = getPublicKey;
+const nacl = __importStar(require("tweetnacl"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const IDENTITY_FILE = 'identity.json';
+/** Derive a short agent ID from an Ed25519 public key */
+function deriveAgentId(publicKey) {
+    // Use first 12 bytes of public key, base64url-encoded, prefixed with "aim_"
+    const idBytes = publicKey.slice(0, 12);
+    const b64 = Buffer.from(idBytes)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+    return `aim_${b64}`;
+}
+/** Generate a new Ed25519 keypair and store it */
+function createIdentity(dataDir, agentName) {
+    const keypair = nacl.sign.keyPair();
+    const identity = {
+        agentId: deriveAgentId(keypair.publicKey),
+        publicKey: Buffer.from(keypair.publicKey).toString('base64'),
+        secretKey: Buffer.from(keypair.secretKey).toString('base64'),
+        agentName,
+        createdAt: new Date().toISOString(),
+    };
+    fs.mkdirSync(dataDir, { recursive: true });
+    const identityPath = path.join(dataDir, IDENTITY_FILE);
+    const tmpPath = identityPath + '.tmp.' + process.pid;
+    fs.writeFileSync(tmpPath, JSON.stringify(identity, null, 2), 'utf-8');
+    try {
+        fs.chmodSync(tmpPath, 0o600);
+    }
+    catch { /* Windows */ }
+    fs.renameSync(tmpPath, identityPath);
+    return identity;
+}
+/** Load an existing identity from disk */
+function loadIdentity(dataDir) {
+    const filePath = path.join(dataDir, IDENTITY_FILE);
+    if (!fs.existsSync(filePath)) {
+        return null;
+    }
+    try {
+        const raw = fs.readFileSync(filePath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Get or create the agent's identity. Returns the public-facing identity (no secret key). */
+function getOrCreateIdentity(dataDir, agentName) {
+    let stored = loadIdentity(dataDir);
+    if (!stored) {
+        stored = createIdentity(dataDir, agentName);
+    }
+    // Return public identity only (strip secret key)
+    return {
+        agentId: stored.agentId,
+        publicKey: stored.publicKey,
+        agentName: stored.agentName,
+        createdAt: stored.createdAt,
+    };
+}
+/** Get the Ed25519 secret key as Uint8Array (for signing operations) */
+function getSecretKey(dataDir) {
+    const stored = loadIdentity(dataDir);
+    if (!stored)
+        return null;
+    return Buffer.from(stored.secretKey, 'base64');
+}
+/** Get the Ed25519 public key as Uint8Array (for verification) */
+function getPublicKey(dataDir) {
+    const stored = loadIdentity(dataDir);
+    if (!stored)
+        return null;
+    return Buffer.from(stored.publicKey, 'base64');
+}
+//# sourceMappingURL=identity.js.map

package/dist/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoBA,wCAmBC;AAGD,oCAYC;AAGD,kDAaC;AAGD,oCAIC;AAGD,oCAIC;AApFD,gDAAkC;AAClC,uCAAyB;AACzB,2CAA6B;AAG7B,MAAM,aAAa,GAAG,eAAe,CAAC;AAEtC,yDAAyD;AACzD,SAAS,aAAa,CAAC,SAAqB;IAC1C,4EAA4E;IAC5E,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;SAC7B,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtB,OAAO,OAAO,GAAG,EAAE,CAAC;AACtB,CAAC;AAED,kDAAkD;AAClD,SAAgB,cAAc,CAAC,OAAe,EAAE,SAAiB;IAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;IAEpC,MAAM,QAAQ,GAAmB;QAC/B,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC;QACzC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5D,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5D,SAAS;QACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,YAAY,GAAG,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC;IACrD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACtE,IAAI,CAAC;QAAC,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;IAC7D,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAErC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,0CAA0C;AAC1C,SAAgB,YAAY,CAAC,OAAe;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8FAA8F;AAC9F,SAAgB,mBAAmB,CAAC,OAAe,EAAE,SAAiB;IACpE,IAAI,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED,iDAAiD;IACjD,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC;AAED,wEAAwE;AACxE,SAAgB,YAAY,CAAC,OAAe;IAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC;AAED,kEAAkE;AAClE,SAAgB,YAAY,CAAC,OAAe;IAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,46 @@
+export declare const VERSION = "0.1.0";
+export type { AIMCoreOptions, AIMIdentity, StoredIdentity, AuditEvent, AuditEventInput, AuditReadOptions, CapabilityPolicy, CapabilityRule, TrustScore, TrustFactors, TrustHints, } from './types';
+export { sign, verify } from './crypto';
+export { createIdentity, loadIdentity, getOrCreateIdentity } from './identity';
+export { logEvent, readAuditLog, hasAuditLog } from './audit';
+export { loadPolicy, savePolicy, checkCapability, hasPolicy } from './policy';
+export { calculateTrust } from './trust';
+import type { AIMCoreOptions, AIMIdentity, AuditEvent, AuditEventInput, AuditReadOptions, CapabilityPolicy, TrustScore, TrustHints } from './types';
+/**
+ * Main entry point for aim-core.
+ *
+ * Provides Ed25519 identity, local audit logging, capability policy enforcement,
+ * trust scoring, and cryptographic signing — all without a server or database.
+ */
+export declare class AIMCore {
+    private readonly agentName;
+    private readonly dataDir;
+    private readonly serverUrl;
+    private cachedPolicy;
+    private trustHints;
+    constructor(options: AIMCoreOptions);
+    /** Get or create the agent's Ed25519 identity */
+    getIdentity(): AIMIdentity;
+    /** Check if a capability is allowed by the current policy */
+    checkCapability(capability: string, plugin?: string): boolean;
+    /** Load capability policy from YAML file */
+    loadPolicy(): CapabilityPolicy;
+    /** Save a capability policy to YAML file */
+    savePolicy(p: CapabilityPolicy): void;
+    /** Log an audit event to the local JSON-lines file */
+    logEvent(event: AuditEventInput): AuditEvent;
+    /** Read audit events from local log */
+    readAuditLog(options?: AuditReadOptions): AuditEvent[];
+    /** Calculate the agent's trust score based on current state */
+    calculateTrust(): TrustScore;
+    /** Provide hints from plugins to improve trust score accuracy */
+    setTrustHints(hints: TrustHints): void;
+    /** Sign data with the agent's Ed25519 private key */
+    sign(data: Uint8Array): Uint8Array;
+    /** Verify an Ed25519 signature against a public key */
+    verify(data: Uint8Array, signature: Uint8Array, publicKey: Uint8Array): boolean;
+    /** Get the data directory path */
+    getDataDir(): string;
+    private defaultDataDir;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAG/B,YAAY,EACV,cAAc,EACd,WAAW,EACX,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,YAAY,EACZ,UAAU,GACX,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAC/E,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGzC,OAAO,KAAK,EACV,cAAc,EACd,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,UAAU,EACV,UAAU,EACX,MAAM,SAAS,CAAC;AAQjB;;;;;GAKG;AACH,qBAAa,OAAO;IAClB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,YAAY,CAAiC;IACrD,OAAO,CAAC,UAAU,CAAkB;gBAExB,OAAO,EAAE,cAAc;IAMnC,iDAAiD;IACjD,WAAW,IAAI,WAAW;IAI1B,6DAA6D;IAC7D,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO;IAO7D,4CAA4C;IAC5C,UAAU,IAAI,gBAAgB;IAK9B,4CAA4C;IAC5C,UAAU,CAAC,CAAC,EAAE,gBAAgB,GAAG,IAAI;IAKrC,sDAAsD;IACtD,QAAQ,CAAC,KAAK,EAAE,eAAe,GAAG,UAAU;IAI5C,uCAAuC;IACvC,YAAY,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG,UAAU,EAAE;IAItD,+DAA+D;IAC/D,cAAc,IAAI,UAAU;IAK5B,iEAAiE;IACjE,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAItC,qDAAqD;IACrD,IAAI,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU;IAQlC,uDAAuD;IACvD,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,OAAO;IAI/E,kCAAkC;IAClC,UAAU,IAAI,MAAM;IAIpB,OAAO,CAAC,cAAc;CAIvB"}

package/dist/index.js

@@ -0,0 +1,136 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AIMCore = exports.calculateTrust = exports.hasPolicy = exports.checkCapability = exports.savePolicy = exports.loadPolicy = exports.hasAuditLog = exports.readAuditLog = exports.logEvent = exports.getOrCreateIdentity = exports.loadIdentity = exports.createIdentity = exports.verify = exports.sign = exports.VERSION = void 0;
+exports.VERSION = '0.1.0';
+// Re-export module functions for advanced usage
+var crypto_1 = require("./crypto");
+Object.defineProperty(exports, "sign", { enumerable: true, get: function () { return crypto_1.sign; } });
+Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return crypto_1.verify; } });
+var identity_1 = require("./identity");
+Object.defineProperty(exports, "createIdentity", { enumerable: true, get: function () { return identity_1.createIdentity; } });
+Object.defineProperty(exports, "loadIdentity", { enumerable: true, get: function () { return identity_1.loadIdentity; } });
+Object.defineProperty(exports, "getOrCreateIdentity", { enumerable: true, get: function () { return identity_1.getOrCreateIdentity; } });
+var audit_1 = require("./audit");
+Object.defineProperty(exports, "logEvent", { enumerable: true, get: function () { return audit_1.logEvent; } });
+Object.defineProperty(exports, "readAuditLog", { enumerable: true, get: function () { return audit_1.readAuditLog; } });
+Object.defineProperty(exports, "hasAuditLog", { enumerable: true, get: function () { return audit_1.hasAuditLog; } });
+var policy_1 = require("./policy");
+Object.defineProperty(exports, "loadPolicy", { enumerable: true, get: function () { return policy_1.loadPolicy; } });
+Object.defineProperty(exports, "savePolicy", { enumerable: true, get: function () { return policy_1.savePolicy; } });
+Object.defineProperty(exports, "checkCapability", { enumerable: true, get: function () { return policy_1.checkCapability; } });
+Object.defineProperty(exports, "hasPolicy", { enumerable: true, get: function () { return policy_1.hasPolicy; } });
+var trust_1 = require("./trust");
+Object.defineProperty(exports, "calculateTrust", { enumerable: true, get: function () { return trust_1.calculateTrust; } });
+const identity = __importStar(require("./identity"));
+const audit = __importStar(require("./audit"));
+const policy = __importStar(require("./policy"));
+const trust = __importStar(require("./trust"));
+const crypto = __importStar(require("./crypto"));
+/**
+ * Main entry point for aim-core.
+ *
+ * Provides Ed25519 identity, local audit logging, capability policy enforcement,
+ * trust scoring, and cryptographic signing — all without a server or database.
+ */
+class AIMCore {
+    constructor(options) {
+        this.cachedPolicy = null;
+        this.trustHints = {};
+        this.agentName = options.agentName;
+        this.dataDir = options.dataDir ?? this.defaultDataDir();
+        this.serverUrl = options.serverUrl ?? '';
+    }
+    /** Get or create the agent's Ed25519 identity */
+    getIdentity() {
+        return identity.getOrCreateIdentity(this.dataDir, this.agentName);
+    }
+    /** Check if a capability is allowed by the current policy */
+    checkCapability(capability, plugin) {
+        if (!this.cachedPolicy) {
+            this.cachedPolicy = policy.loadPolicy(this.dataDir);
+        }
+        return policy.checkCapability(this.cachedPolicy, capability, plugin);
+    }
+    /** Load capability policy from YAML file */
+    loadPolicy() {
+        this.cachedPolicy = policy.loadPolicy(this.dataDir);
+        return this.cachedPolicy;
+    }
+    /** Save a capability policy to YAML file */
+    savePolicy(p) {
+        policy.savePolicy(this.dataDir, p);
+        this.cachedPolicy = p;
+    }
+    /** Log an audit event to the local JSON-lines file */
+    logEvent(event) {
+        return audit.logEvent(this.dataDir, event);
+    }
+    /** Read audit events from local log */
+    readAuditLog(options) {
+        return audit.readAuditLog(this.dataDir, options);
+    }
+    /** Calculate the agent's trust score based on current state */
+    calculateTrust() {
+        const hasId = identity.loadIdentity(this.dataDir) !== null;
+        return trust.calculateTrust(this.dataDir, hasId, this.trustHints);
+    }
+    /** Provide hints from plugins to improve trust score accuracy */
+    setTrustHints(hints) {
+        this.trustHints = { ...this.trustHints, ...hints };
+    }
+    /** Sign data with the agent's Ed25519 private key */
+    sign(data) {
+        const secretKey = identity.getSecretKey(this.dataDir);
+        if (!secretKey) {
+            throw new Error('No identity found. Call getIdentity() first to generate a keypair.');
+        }
+        return crypto.sign(data, secretKey);
+    }
+    /** Verify an Ed25519 signature against a public key */
+    verify(data, signature, publicKey) {
+        return crypto.verify(data, signature, publicKey);
+    }
+    /** Get the data directory path */
+    getDataDir() {
+        return this.dataDir;
+    }
+    defaultDataDir() {
+        const home = process.env.HOME ?? process.env.USERPROFILE ?? '/tmp';
+        return `${home}/.opena2a/aim-core`;
+    }
+}
+exports.AIMCore = AIMCore;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAa,QAAA,OAAO,GAAG,OAAO,CAAC;AAiB/B,gDAAgD;AAChD,mCAAwC;AAA/B,8FAAA,IAAI,OAAA;AAAE,gGAAA,MAAM,OAAA;AACrB,uCAA+E;AAAtE,0GAAA,cAAc,OAAA;AAAE,wGAAA,YAAY,OAAA;AAAE,+GAAA,mBAAmB,OAAA;AAC1D,iCAA8D;AAArD,iGAAA,QAAQ,OAAA;AAAE,qGAAA,YAAY,OAAA;AAAE,oGAAA,WAAW,OAAA;AAC5C,mCAA8E;AAArE,oGAAA,UAAU,OAAA;AAAE,oGAAA,UAAU,OAAA;AAAE,yGAAA,eAAe,OAAA;AAAE,mGAAA,SAAS,OAAA;AAC3D,iCAAyC;AAAhC,uGAAA,cAAc,OAAA;AAcvB,qDAAuC;AACvC,+CAAiC;AACjC,iDAAmC;AACnC,+CAAiC;AACjC,iDAAmC;AAEnC;;;;;GAKG;AACH,MAAa,OAAO;IAOlB,YAAY,OAAuB;QAH3B,iBAAY,GAA4B,IAAI,CAAC;QAC7C,eAAU,GAAe,EAAE,CAAC;QAGlC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QACxD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;IAC3C,CAAC;IAED,iDAAiD;IACjD,WAAW;QACT,OAAO,QAAQ,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IACpE,CAAC;IAED,6DAA6D;IAC7D,eAAe,CAAC,UAAkB,EAAE,MAAe;QACjD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IACvE,CAAC;IAED,4CAA4C;IAC5C,UAAU;QACR,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,4CAA4C;IAC5C,UAAU,CAAC,CAAmB;QAC5B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,sDAAsD;IACtD,QAAQ,CAAC,KAAsB;QAC7B,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IAED,uCAAuC;IACvC,YAAY,CAAC,OAA0B;QACrC,OAAO,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAED,+DAA+D;IAC/D,cAAc;QACZ,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC;QAC3D,OAAO,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,aAAa,CAAC,KAAiB;QAC7B,IAAI,CAAC,UAAU,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,KAAK,EAAE,CAAC;IACrD,CAAC;IAED,qDAAqD;IACrD,IAAI,CAAC,IAAgB;QACnB,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACtC,CAAC;IAED,uDAAuD;IACvD,MAAM,CAAC,IAAgB,EAAE,SAAqB,EAAE,SAAqB;QACnE,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,kCAAkC;IAClC,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAEO,cAAc;QACpB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;QACnE,OAAO,GAAG,IAAI,oBAAoB,CAAC;IACrC,CAAC;CACF;AAlFD,0BAkFC"}

package/dist/policy.d.ts

@@ -0,0 +1,10 @@
+import type { CapabilityPolicy } from './types';
+/** Load capability policy from YAML file, or return default */
+export declare function loadPolicy(dataDir: string): CapabilityPolicy;
+/** Save a capability policy to YAML file */
+export declare function savePolicy(dataDir: string, policy: CapabilityPolicy): void;
+/** Check if a capability is allowed by the policy */
+export declare function checkCapability(policy: CapabilityPolicy, capability: string, plugin?: string): boolean;
+/** Check if a policy file exists */
+export declare function hasPolicy(dataDir: string): boolean;
+//# sourceMappingURL=policy.d.ts.map

package/dist/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,SAAS,CAAC;AAUhE,+DAA+D;AAC/D,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,CA6B5D;AAED,4CAA4C;AAC5C,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,IAAI,CAM1E;AAED,qDAAqD;AACrD,wBAAgB,eAAe,CAC7B,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAeT;AAED,oCAAoC;AACpC,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAElD"}

package/dist/policy.js

@@ -0,0 +1,133 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadPolicy = loadPolicy;
+exports.savePolicy = savePolicy;
+exports.checkCapability = checkCapability;
+exports.hasPolicy = hasPolicy;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const yaml = __importStar(require("js-yaml"));
+const POLICY_FILE = 'policy.yaml';
+const DEFAULT_POLICY = {
+    version: '1',
+    defaultAction: 'deny',
+    rules: [],
+};
+/** Load capability policy from YAML file, or return default */
+function loadPolicy(dataDir) {
+    const filePath = path.join(dataDir, POLICY_FILE);
+    if (!fs.existsSync(filePath)) {
+        return DEFAULT_POLICY;
+    }
+    let parsed;
+    try {
+        const raw = fs.readFileSync(filePath, 'utf-8');
+        parsed = yaml.load(raw, { schema: yaml.FAILSAFE_SCHEMA });
+    }
+    catch {
+        return DEFAULT_POLICY;
+    }
+    if (!parsed || typeof parsed !== 'object') {
+        return DEFAULT_POLICY;
+    }
+    // Reject prototype pollution attempts
+    const keys = Object.keys(parsed);
+    if (keys.includes('__proto__') || keys.includes('constructor') || keys.includes('prototype')) {
+        return DEFAULT_POLICY;
+    }
+    return {
+        version: String(parsed.version ?? '1'),
+        defaultAction: parsed.defaultAction === 'allow' ? 'allow' : 'deny',
+        rules: Array.isArray(parsed.rules) ? parsed.rules.map(parseRule) : [],
+    };
+}
+/** Save a capability policy to YAML file */
+function savePolicy(dataDir, policy) {
+    fs.mkdirSync(dataDir, { recursive: true });
+    const filePath = path.join(dataDir, POLICY_FILE);
+    const tmpPath = filePath + '.tmp.' + process.pid;
+    fs.writeFileSync(tmpPath, yaml.dump(policy), 'utf-8');
+    fs.renameSync(tmpPath, filePath);
+}
+/** Check if a capability is allowed by the policy */
+function checkCapability(policy, capability, plugin) {
+    for (const rule of policy.rules) {
+        if (matchesCapability(rule.capability, capability)) {
+            // If rule restricts to specific plugins, check plugin name
+            if (rule.plugins && rule.plugins.length > 0) {
+                if (!plugin || !rule.plugins.includes(plugin)) {
+                    continue; // Rule doesn't apply to this plugin
+                }
+            }
+            return rule.action === 'allow';
+        }
+    }
+    // No rule matched — use default
+    return policy.defaultAction === 'allow';
+}
+/** Check if a policy file exists */
+function hasPolicy(dataDir) {
+    return fs.existsSync(path.join(dataDir, POLICY_FILE));
+}
+// --- Internal helpers ---
+function parseRule(raw) {
+    const obj = raw;
+    return {
+        capability: String(obj.capability ?? '*'),
+        action: obj.action === 'allow' ? 'allow' : 'deny',
+        plugins: Array.isArray(obj.plugins) ? obj.plugins.map(String) : undefined,
+    };
+}
+/**
+ * Match a capability against a pattern.
+ * Supports:
+ *   "*"           → matches everything
+ *   "db:*"        → matches "db:read", "db:write", etc.
+ *   "fs:write:*"  → matches "fs:write:/tmp/foo", "fs:write:/var/log"
+ *   "db:read"     → exact match
+ */
+function matchesCapability(pattern, capability) {
+    if (pattern === '*')
+        return true;
+    if (pattern === capability)
+        return true;
+    if (pattern.endsWith(':*')) {
+        const prefix = pattern.slice(0, -1); // "db:" from "db:*"
+        return capability.startsWith(prefix) && capability.length > prefix.length;
+    }
+    return false;
+}
+//# sourceMappingURL=policy.js.map

package/dist/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcA,gCA6BC;AAGD,gCAMC;AAGD,0CAmBC;AAGD,8BAEC;AA/ED,uCAAyB;AACzB,2CAA6B;AAC7B,8CAAgC;AAGhC,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,MAAM,cAAc,GAAqB;IACvC,OAAO,EAAE,GAAG;IACZ,aAAa,EAAE,MAAM;IACrB,KAAK,EAAE,EAAE;CACV,CAAC;AAEF,+DAA+D;AAC/D,SAAgB,UAAU,CAAC,OAAe;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACjD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,IAAI,MAA2C,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,CAAwC,CAAC;IACnG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,sCAAsC;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7F,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,GAAG,CAAC;QACtC,aAAa,EAAE,MAAM,CAAC,aAAa,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;QAClE,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE;KACtE,CAAC;AACJ,CAAC;AAED,4CAA4C;AAC5C,SAAgB,UAAU,CAAC,OAAe,EAAE,MAAwB;IAClE,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC;IACjD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;IACtD,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AACnC,CAAC;AAED,qDAAqD;AACrD,SAAgB,eAAe,CAC7B,MAAwB,EACxB,UAAkB,EAClB,MAAe;IAEf,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,IAAI,iBAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;YACnD,2DAA2D;YAC3D,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC9C,SAAS,CAAC,oCAAoC;gBAChD,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC;QACjC,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,OAAO,MAAM,CAAC,aAAa,KAAK,OAAO,CAAC;AAC1C,CAAC;AAED,oCAAoC;AACpC,SAAgB,SAAS,CAAC,OAAe;IACvC,OAAO,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,2BAA2B;AAE3B,SAAS,SAAS,CAAC,GAAY;IAC7B,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC;QACzC,MAAM,EAAE,GAAG,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;QACjD,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAC1E,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,OAAe,EAAE,UAAkB;IAC5D,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,OAAO,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IAExC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,oBAAoB;QACzD,OAAO,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC5E,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/trust.d.ts

@@ -0,0 +1,4 @@
+import type { TrustScore, TrustHints } from './types';
+/** Calculate trust score based on current state and plugin hints */
+export declare function calculateTrust(dataDir: string, hasIdentity: boolean, hints?: TrustHints): TrustScore;
+//# sourceMappingURL=trust.d.ts.map

package/dist/trust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.d.ts","sourceRoot":"","sources":["../src/trust.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAgB,UAAU,EAAE,MAAM,SAAS,CAAC;AAgBpE,oEAAoE;AACpE,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,OAAO,EACpB,KAAK,CAAC,EAAE,UAAU,GACjB,UAAU,CAyBZ"}

package/dist/trust.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.calculateTrust = calculateTrust;
+const audit_1 = require("./audit");
+const policy_1 = require("./policy");
+/** Weight for each trust factor (must sum to 1.0) */
+const WEIGHTS = {
+    identity: 0.20,
+    capabilities: 0.15,
+    auditLog: 0.10,
+    secretsManaged: 0.15,
+    configSigned: 0.10,
+    skillsVerified: 0.10,
+    networkControlled: 0.10,
+    heartbeatMonitored: 0.10,
+};
+/** Calculate trust score based on current state and plugin hints */
+function calculateTrust(dataDir, hasIdentity, hints) {
+    const factors = {
+        identity: hasIdentity ? 1.0 : 0.0,
+        capabilities: (0, policy_1.hasPolicy)(dataDir) ? 1.0 : 0.0,
+        auditLog: (0, audit_1.hasAuditLog)(dataDir) ? 1.0 : 0.0,
+        secretsManaged: hints?.secretsManaged ? 1.0 : 0.0,
+        configSigned: hints?.configSigned ? 1.0 : 0.0,
+        skillsVerified: hints?.skillsVerified ? 1.0 : 0.0,
+        networkControlled: hints?.networkControlled ? 1.0 : 0.0,
+        heartbeatMonitored: hints?.heartbeatMonitored ? 1.0 : 0.0,
+    };
+    let overall = 0;
+    for (const [factor, weight] of Object.entries(WEIGHTS)) {
+        overall += factors[factor] * weight;
+    }
+    // Round to 2 decimal places
+    overall = Math.round(overall * 100) / 100;
+    return {
+        overall,
+        factors,
+        calculatedAt: new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=trust.js.map

package/dist/trust.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.js","sourceRoot":"","sources":["../src/trust.ts"],"names":[],"mappings":";;AAiBA,wCA6BC;AA7CD,mCAAsC;AACtC,qCAAqC;AAErC,qDAAqD;AACrD,MAAM,OAAO,GAAuC;IAClD,QAAQ,EAAE,IAAI;IACd,YAAY,EAAE,IAAI;IAClB,QAAQ,EAAE,IAAI;IACd,cAAc,EAAE,IAAI;IACpB,YAAY,EAAE,IAAI;IAClB,cAAc,EAAE,IAAI;IACpB,iBAAiB,EAAE,IAAI;IACvB,kBAAkB,EAAE,IAAI;CACzB,CAAC;AAEF,oEAAoE;AACpE,SAAgB,cAAc,CAC5B,OAAe,EACf,WAAoB,EACpB,KAAkB;IAElB,MAAM,OAAO,GAAiB;QAC5B,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QACjC,YAAY,EAAE,IAAA,kBAAS,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QAC5C,QAAQ,EAAE,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QAC1C,cAAc,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QACjD,YAAY,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QAC7C,cAAc,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QACjD,iBAAiB,EAAE,KAAK,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QACvD,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;KAC1D,CAAC;IAEF,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,OAAO,CAAC,MAA4B,CAAC,GAAG,MAAM,CAAC;IAC5D,CAAC;IAED,4BAA4B;IAC5B,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC;IAE1C,OAAO;QACL,OAAO;QACP,OAAO;QACP,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACvC,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,104 @@
+/** Options for creating an AIMCore instance */
+export interface AIMCoreOptions {
+    /** Human-readable agent name */
+    agentName: string;
+    /** Directory for identity keys, audit log, and config. Defaults to ~/.opena2a/aim-core */
+    dataDir?: string;
+    /** Optional AIM server URL for fleet reporting */
+    serverUrl?: string;
+}
+/** Ed25519 identity for an agent */
+export interface AIMIdentity {
+    /** Agent's unique identifier (derived from public key) */
+    agentId: string;
+    /** Ed25519 public key (base64) */
+    publicKey: string;
+    /** Agent name from config */
+    agentName: string;
+    /** ISO timestamp of identity creation */
+    createdAt: string;
+}
+/** Stored identity (includes secret key — never exported via getIdentity) */
+export interface StoredIdentity extends AIMIdentity {
+    /** Ed25519 secret key (base64) — 64 bytes: 32 private + 32 public */
+    secretKey: string;
+}
+/** A single audit event */
+export interface AuditEvent {
+    /** ISO timestamp */
+    timestamp: string;
+    /** Plugin that generated the event */
+    plugin: string;
+    /** Action performed */
+    action: string;
+    /** Target resource */
+    target: string;
+    /** Result: allowed, denied, error */
+    result: 'allowed' | 'denied' | 'error';
+    /** Optional metadata */
+    metadata?: Record<string, unknown>;
+}
+/** Input for logging an event (timestamp is added automatically) */
+export type AuditEventInput = Omit<AuditEvent, 'timestamp'>;
+/** Options for reading audit events */
+export interface AuditReadOptions {
+    /** Maximum number of events to return */
+    limit?: number;
+    /** Only return events after this ISO timestamp */
+    since?: string;
+}
+/** Capability policy loaded from YAML */
+export interface CapabilityPolicy {
+    /** Policy version */
+    version: string;
+    /** Default action when no rule matches */
+    defaultAction: 'allow' | 'deny';
+    /** Capability rules (evaluated in order, first match wins) */
+    rules: CapabilityRule[];
+}
+/** A single capability rule */
+export interface CapabilityRule {
+    /** Capability pattern (e.g., "db:read", "net:*", "fs:write:/tmp/*") */
+    capability: string;
+    /** Action for this rule */
+    action: 'allow' | 'deny';
+    /** Optional: restrict to specific plugins */
+    plugins?: string[];
+}
+/** Trust score result */
+export interface TrustScore {
+    /** Overall trust score (0-1) */
+    overall: number;
+    /** Individual factor scores */
+    factors: TrustFactors;
+    /** ISO timestamp of calculation */
+    calculatedAt: string;
+}
+/** Individual trust factor scores (each 0-1) */
+export interface TrustFactors {
+    /** Identity verified (Ed25519 key exists and is valid) */
+    identity: number;
+    /** Capabilities declared and enforced */
+    capabilities: number;
+    /** Audit logging active */
+    auditLog: number;
+    /** Secrets managed (not hardcoded) */
+    secretsManaged: number;
+    /** Configuration signed */
+    configSigned: number;
+    /** Skills integrity verified */
+    skillsVerified: number;
+    /** Network access controlled */
+    networkControlled: number;
+    /** Heartbeat monitoring active */
+    heartbeatMonitored: number;
+}
+/** Hints provided by plugins to inform trust calculation */
+export interface TrustHints {
+    secretsManaged?: boolean;
+    configSigned?: boolean;
+    skillsVerified?: boolean;
+    networkControlled?: boolean;
+    heartbeatMonitored?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,oCAAoC;AACpC,MAAM,WAAW,WAAW;IAC1B,0DAA0D;IAC1D,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,6EAA6E;AAC7E,MAAM,WAAW,cAAe,SAAQ,WAAW;IACjD,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,2BAA2B;AAC3B,MAAM,WAAW,UAAU;IACzB,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IACvC,wBAAwB;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,oEAAoE;AACpE,MAAM,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AAE5D,uCAAuC;AACvC,MAAM,WAAW,gBAAgB;IAC/B,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAC/B,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;IAChC,8DAA8D;IAC9D,KAAK,EAAE,cAAc,EAAE,CAAC;CACzB;AAED,+BAA+B;AAC/B,MAAM,WAAW,cAAc;IAC7B,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAC;IACnB,2BAA2B;IAC3B,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,yBAAyB;AACzB,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,mCAAmC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,gDAAgD;AAChD,MAAM,WAAW,YAAY;IAC3B,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,yCAAyC;IACzC,YAAY,EAAE,MAAM,CAAC;IACrB,2BAA2B;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,sCAAsC;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,gCAAgC;IAChC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kCAAkC;IAClC,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,4DAA4D;AAC5D,MAAM,WAAW,UAAU;IACzB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B"}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@opena2a/aim-core",
+  "version": "0.1.0",
+  "description": "Lightweight agent identity library — Ed25519 identity, local audit log, capability policy, trust scoring. No server required.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist",
+    "!dist/**/*.test.*",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "eslint src --ext .ts",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "js-yaml": "^4.1.1",
+    "tweetnacl": "^1.0.3"
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^20.0.0",
+    "typescript": "^5.3.3",
+    "vitest": "^3.0.0"
+  },
+  "keywords": [
+    "ai",
+    "agent",
+    "identity",
+    "ed25519",
+    "security",
+    "aim",
+    "opena2a"
+  ],
+  "author": "OpenA2A",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/opena2a-org/hackmyagent.git",
+    "directory": "packages/aim-core"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}