@private.me/xbind 3.0.1 → 3.0.2

package/dist-standalone/cjs/types/error-response.js

@@ -1 +1,56 @@
-"use strict";function isErrorResponse(e){if(!e||"object"!=typeof e)return!1;const r=e;return"string"==typeof r.code&&"number"==typeof r.httpStatus&&"string"==typeof r.message}function createErrorResponse(e){return{...e,timestamp:e.timestamp??Date.now()}}Object.defineProperty(exports,"__esModule",{value:!0}),exports.isErrorResponse=isErrorResponse,exports.createErrorResponse=createErrorResponse;
+"use strict";
+/**
+ * Error Response Types
+ *
+ * Dual-code error response system supporting both AWS standard codes
+ * and legacy xBind codes for backward compatibility.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isErrorResponse = isErrorResponse;
+exports.createErrorResponse = createErrorResponse;
+/**
+ * Type guard to check if a value is an ErrorResponse
+ *
+ * @param value - Value to check
+ * @returns True if value is an ErrorResponse
+ *
+ * @example
+ * ```typescript
+ * if (isErrorResponse(result)) {
+ *   console.error(result.message);
+ * }
+ * ```
+ */
+function isErrorResponse(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const err = value;
+    return (typeof err.code === 'string' &&
+        typeof err.httpStatus === 'number' &&
+        typeof err.message === 'string');
+}
+/**
+ * Create a standardized error response
+ *
+ * @param params - Error response parameters
+ * @returns Standardized ErrorResponse object
+ *
+ * @example
+ * ```typescript
+ * const error = createErrorResponse({
+ *   code: 'UnauthorizedException',
+ *   legacyCode: 'XBIND_AUTH_FAILED',
+ *   httpStatus: 401,
+ *   message: 'Invalid signature'
+ * });
+ * ```
+ */
+function createErrorResponse(params) {
+    return {
+        ...params,
+        timestamp: params.timestamp ?? Date.now()
+    };
+}

package/dist-standalone/cjs/vault-auth.js

@@ -1 +1,178 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.signVaultRequest=signVaultRequest,exports.verifyVaultRequest=verifyVaultRequest;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js");async function signVaultRequest(e,t,r){const n=Date.now(),s=generateNonce(),a=JSON.stringify(r),o=`POST\n${t}\n${n}\n${s}\n${await hashString(a)}`;let i;try{const t=(new TextEncoder).encode(o);i=await crypto.subtle.sign({name:"Ed25519"},e.privateKey,t)}catch{return(0,shared_1.err)("SIGN_FAILED")}return(0,shared_1.ok)({signature:(0,crypto_utils_js_1.toBase64)(new Uint8Array(i)),timestamp:n,nonce:s})}function generateNonce(){if("undefined"!=typeof crypto&&crypto.randomUUID)return crypto.randomUUID();const e=new Uint8Array(16);crypto.getRandomValues(e),e[6]=15&e[6]|64,e[8]=63&e[8]|128;const t=Array.from(e).map(e=>e.toString(16).padStart(2,"0")).join("");return[t.slice(0,8),t.slice(8,12),t.slice(12,16),t.slice(16,20),t.slice(20,32)].join("-")}async function hashString(e){const t=(new TextEncoder).encode(e),r=await crypto.subtle.digest("SHA-256",t);return(0,crypto_utils_js_1.toBase64)(new Uint8Array(r))}async function verifyVaultRequest(e,t,r,n,s,a,o){const i=Date.now();if(Math.abs(i-a)>3e5)return!1;const c=`POST\n${r}\n${a}\n${o}\n${await hashString(n)}`;let u;try{const e=new ArrayBuffer(t.byteLength);new Uint8Array(e).set(t),u=await crypto.subtle.importKey("raw",e,{name:"Ed25519"},!1,["verify"])}catch{return!1}try{const e=(new TextEncoder).encode(c),t=Uint8Array.from(atob(s),e=>e.charCodeAt(0));return await crypto.subtle.verify({name:"Ed25519"},u,t,e)}catch{return!1}}
+"use strict";
+/**
+ * @module vault-auth
+ * DID-based authentication for Vault Store API requests.
+ *
+ * Implements Ed25519 signature over canonical request representation with:
+ * - Timestamp (prevents replay attacks >5min old)
+ * - Nonce (prevents duplicate requests)
+ * - Request body hash (ensures integrity)
+ *
+ * Server verifies signature + timestamp + nonce before serving vault content.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signVaultRequest = signVaultRequest;
+exports.verifyVaultRequest = verifyVaultRequest;
+const shared_1 = require("../_deps/shared/index.js");
+const crypto_utils_js_1 = require("./crypto-utils.js");
+/**
+ * Sign a vault store API request with agent's DID identity.
+ *
+ * Creates canonical request representation:
+ * ```
+ * {method}\n{endpoint}\n{timestamp}\n{nonce}\n{bodyHash}
+ * ```
+ *
+ * Server verifies:
+ * 1. Signature matches DID public key
+ * 2. Timestamp within ±5min (prevents replay)
+ * 3. Nonce not seen before (prevents duplicate)
+ * 4. Body hash matches (ensures integrity)
+ *
+ * @param identity - Agent identity (contains signing key)
+ * @param endpoint - API endpoint (e.g., "/api/vault-store/crypto")
+ * @param body - Request body (JSON-serializable)
+ * @returns Signed request metadata or error
+ *
+ * @example
+ * ```typescript
+ * const sigResult = await signVaultRequest(agent.identity, '/api/vault-store/crypto', {
+ *   requestedVersion: 'latest',
+ *   clientVersion: '1.5.0',
+ * });
+ *
+ * if (!sigResult.ok) {
+ *   throw new Error('Failed to sign vault request');
+ * }
+ *
+ * const { signature, timestamp, nonce } = sigResult.value;
+ *
+ * const response = await fetch('https://private.me/api/vault-store/crypto', {
+ *   method: 'POST',
+ *   headers: {
+ *     'X-DID': agent.did,
+ *     'X-Signature': signature,
+ *     'X-Timestamp': timestamp.toString(),
+ *     'X-Nonce': nonce,
+ *   },
+ *   body: JSON.stringify(body),
+ * });
+ * ```
+ */
+async function signVaultRequest(identity, endpoint, body) {
+    const timestamp = Date.now();
+    const nonce = generateNonce();
+    // Canonical request representation
+    const method = 'POST';
+    const bodyJson = JSON.stringify(body);
+    const bodyHash = await hashString(bodyJson);
+    const canonical = `${method}\n${endpoint}\n${timestamp}\n${nonce}\n${bodyHash}`;
+    // Sign with Ed25519
+    let signatureBuffer;
+    try {
+        const encoder = new TextEncoder();
+        const message = encoder.encode(canonical);
+        signatureBuffer = await crypto.subtle.sign({ name: 'Ed25519' }, identity.privateKey, message);
+    }
+    catch {
+        return (0, shared_1.err)('SIGN_FAILED');
+    }
+    return (0, shared_1.ok)({
+        signature: (0, crypto_utils_js_1.toBase64)(new Uint8Array(signatureBuffer)),
+        timestamp,
+        nonce,
+    });
+}
+/**
+ * Generate cryptographically secure nonce (UUID v4 format).
+ *
+ * @returns Random UUID string
+ */
+function generateNonce() {
+    // Use crypto.randomUUID if available (Node.js 16+, modern browsers)
+    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+        return crypto.randomUUID();
+    }
+    // Fallback: manual UUID v4 generation
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    // Set version (4) and variant (RFC 4122)
+    bytes[6] = (bytes[6] & 0x0f) | 0x40;
+    bytes[8] = (bytes[8] & 0x3f) | 0x80;
+    const hex = Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+    return [
+        hex.slice(0, 8),
+        hex.slice(8, 12),
+        hex.slice(12, 16),
+        hex.slice(16, 20),
+        hex.slice(20, 32),
+    ].join('-');
+}
+/**
+ * Hash string with SHA-256 (for request body integrity).
+ *
+ * @param data - String to hash
+ * @returns Base64-encoded hash
+ */
+async function hashString(data) {
+    const encoder = new TextEncoder();
+    const bytes = encoder.encode(data);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
+    return (0, crypto_utils_js_1.toBase64)(new Uint8Array(hashBuffer));
+}
+/**
+ * Verify vault request signature (server-side only).
+ *
+ * Validates:
+ * 1. Signature matches DID public key
+ * 2. Timestamp within ±5min window
+ * 3. Body hash matches
+ *
+ * Note: Nonce verification requires server-side nonce store (not implemented here).
+ *
+ * @param did - Sender DID
+ * @param publicKeyBytes - Ed25519 public key (32 bytes)
+ * @param endpoint - API endpoint
+ * @param body - Request body (JSON string)
+ * @param signature - Base64-encoded signature
+ * @param timestamp - Request timestamp (Unix ms)
+ * @param nonce - Request nonce
+ * @returns True if signature is valid
+ *
+ * @internal Server-side verification only
+ */
+async function verifyVaultRequest(did, publicKeyBytes, endpoint, body, signature, timestamp, nonce) {
+    // Timestamp verification (±5min window)
+    const now = Date.now();
+    const maxAge = 5 * 60 * 1000; // 5 minutes
+    if (Math.abs(now - timestamp) > maxAge) {
+        return false;
+    }
+    // Reconstruct canonical request
+    const method = 'POST';
+    const bodyHash = await hashString(body);
+    const canonical = `${method}\n${endpoint}\n${timestamp}\n${nonce}\n${bodyHash}`;
+    // Import public key
+    let publicKey;
+    try {
+        // Copy to new ArrayBuffer to avoid SharedArrayBuffer issues
+        const keyBuffer = new ArrayBuffer(publicKeyBytes.byteLength);
+        new Uint8Array(keyBuffer).set(publicKeyBytes);
+        publicKey = await crypto.subtle.importKey('raw', keyBuffer, { name: 'Ed25519' }, false, ['verify']);
+    }
+    catch {
+        return false;
+    }
+    // Verify signature
+    try {
+        const encoder = new TextEncoder();
+        const message = encoder.encode(canonical);
+        const signatureBytes = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
+        return await crypto.subtle.verify({ name: 'Ed25519' }, publicKey, signatureBytes, message);
+    }
+    catch {
+        return false;
+    }
+}

package/dist-standalone/cjs/vault-store-loader.js

@@ -1 +1,194 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.loadCryptoPackage=loadCryptoPackage,exports.getCrypto=getCrypto,exports.isCryptoLoaded=isCryptoLoaded,exports.clearCryptoCache=clearCryptoCache,exports.getCacheStatus=getCacheStatus;const shared_1=require("../_deps/shared/index.js"),vault_auth_js_1=require("./vault-auth.js"),VAULT_STORE_URL=process.env.VAULT_STORE_URL||"https://private.me/api/vault-store",CACHE_TTL_MS=6048e5;let cryptoCache=null;async function loadCryptoPackage(identity){if(cryptoCache&&Date.now()<cryptoCache.expiresAt)return(0,shared_1.ok)(cryptoCache.module);const signatureResult=await(0,vault_auth_js_1.signVaultRequest)(identity,"/api/vault-store/crypto",{requestedVersion:"latest",clientVersion:"1.5.0"});if(!signatureResult.ok)return(0,shared_1.err)("VAULT_AUTH_FAILED");const{signature:signature,timestamp:timestamp,nonce:nonce}=signatureResult.value;let response,vaultData,cryptoModule;try{response=await fetch(`${VAULT_STORE_URL}/crypto`,{method:"POST",headers:{"Content-Type":"application/json","X-DID":identity.did,"X-Signature":signature,"X-Timestamp":timestamp.toString(),"X-Nonce":nonce},body:JSON.stringify({requestedVersion:"latest",clientVersion:"1.5.0"})})}catch(e){return(0,shared_1.err)("VAULT_FETCH_FAILED")}if(!response.ok)return 402===response.status?(0,shared_1.err)("VAULT_QUOTA_EXCEEDED"):401===response.status||403===response.status?(0,shared_1.err)("VAULT_AUTH_FAILED"):451===response.status?(0,shared_1.err)("VAULT_PAYMENT_REQUIRED"):(0,shared_1.err)("VAULT_FETCH_FAILED");try{vaultData=await response.json()}catch{return(0,shared_1.err)("VAULT_INVALID_RESPONSE")}if(!vaultData.cryptoBundle||!vaultData.version)return(0,shared_1.err)("VAULT_INVALID_RESPONSE");try{const bundleCode=atob(vaultData.cryptoBundle),moduleExports=eval(`(function() {\n      const exports = {};\n      ${bundleCode}\n      return exports;\n    })()`);if(cryptoModule=moduleExports,"function"!=typeof cryptoModule.splitXorIDA||"function"!=typeof cryptoModule.reconstructXorIDA)return(0,shared_1.err)("VAULT_LOAD_FAILED")}catch{return(0,shared_1.err)("VAULT_LOAD_FAILED")}const ttlMs=vaultData.cacheTtl?1e3*vaultData.cacheTtl:CACHE_TTL_MS;return cryptoCache={module:cryptoModule,expiresAt:Date.now()+ttlMs,version:vaultData.version},(0,shared_1.ok)(cryptoModule)}function getCrypto(){return cryptoCache&&Date.now()<cryptoCache.expiresAt?cryptoCache.module:null}function isCryptoLoaded(){return null!==cryptoCache&&Date.now()<cryptoCache.expiresAt}function clearCryptoCache(){cryptoCache=null}function getCacheStatus(){if(!cryptoCache)return{loaded:!1};const e=Date.now();return{loaded:e<cryptoCache.expiresAt,version:cryptoCache.version,expiresAt:cryptoCache.expiresAt,ttlRemaining:Math.max(0,cryptoCache.expiresAt-e)}}
+"use strict";
+/**
+ * @module vault-store-loader
+ * Runtime loader for payment-gated crypto packages (Full Control IP protection).
+ *
+ * Fetches XorIDA algorithm from EC2 Vault Store with:
+ * - DID-based authentication (Ed25519 signatures)
+ * - Usage quota verification (Free: 100K/month, Pro: unlimited)
+ * - Memory caching (7-day TTL, session-only)
+ * - Automatic re-fetch on expiration
+ *
+ * Security: Crypto package NEVER bundled in npm. Always fetched at runtime
+ * with payment gate enforcement. Share 2 (Vault Store) completes algorithm.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadCryptoPackage = loadCryptoPackage;
+exports.getCrypto = getCrypto;
+exports.isCryptoLoaded = isCryptoLoaded;
+exports.clearCryptoCache = clearCryptoCache;
+exports.getCacheStatus = getCacheStatus;
+const shared_1 = require("../_deps/shared/index.js");
+const vault_auth_js_1 = require("./vault-auth.js");
+/** Vault Store API endpoint (EC2) */
+const VAULT_STORE_URL = process.env.VAULT_STORE_URL || 'https://private.me/api/vault-store';
+/** Cache TTL: 7 days (in milliseconds) */
+const CACHE_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+/** In-memory cache (cleared on process restart) */
+let cryptoCache = null;
+/**
+ * Load crypto package from Vault Store with authentication and caching.
+ *
+ * Flow:
+ * 1. Check cache (if valid, return cached)
+ * 2. Sign vault request with DID
+ * 3. POST to /api/vault-store/crypto
+ * 4. Server verifies: signature + quota + payment
+ * 5. Receive crypto bundle + share2
+ * 6. Evaluate bundle (dynamic import)
+ * 7. Cache for 7 days
+ *
+ * @param identity - Agent identity (for DID signature)
+ * @returns Crypto package exports or error
+ *
+ * @example
+ * ```typescript
+ * const cryptoResult = await loadCryptoPackage(agent.identity);
+ * if (!cryptoResult.ok) {
+ *   if (cryptoResult.error === 'VAULT_QUOTA_EXCEEDED') {
+ *     console.error('Free tier quota exceeded. Upgrade to Pro for unlimited access.');
+ *   }
+ *   throw new Error(cryptoResult.error);
+ * }
+ * const { splitXorIDA, reconstructXorIDA } = cryptoResult.value;
+ * ```
+ */
+async function loadCryptoPackage(identity) {
+    // Check cache first
+    if (cryptoCache && Date.now() < cryptoCache.expiresAt) {
+        return (0, shared_1.ok)(cryptoCache.module);
+    }
+    // Sign vault request
+    const signatureResult = await (0, vault_auth_js_1.signVaultRequest)(identity, '/api/vault-store/crypto', {
+        requestedVersion: 'latest',
+        clientVersion: '1.5.0',
+    });
+    if (!signatureResult.ok) {
+        return (0, shared_1.err)('VAULT_AUTH_FAILED');
+    }
+    const { signature, timestamp, nonce } = signatureResult.value;
+    // Fetch from vault store
+    let response;
+    try {
+        response = await fetch(`${VAULT_STORE_URL}/crypto`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-DID': identity.did,
+                'X-Signature': signature,
+                'X-Timestamp': timestamp.toString(),
+                'X-Nonce': nonce,
+            },
+            body: JSON.stringify({
+                requestedVersion: 'latest',
+                clientVersion: '1.5.0',
+            }),
+        });
+    }
+    catch (fetchError) {
+        return (0, shared_1.err)('VAULT_FETCH_FAILED');
+    }
+    // Handle error responses
+    if (!response.ok) {
+        if (response.status === 402) {
+            // Payment Required - quota exceeded
+            return (0, shared_1.err)('VAULT_QUOTA_EXCEEDED');
+        }
+        else if (response.status === 401 || response.status === 403) {
+            // Unauthorized / Forbidden
+            return (0, shared_1.err)('VAULT_AUTH_FAILED');
+        }
+        else if (response.status === 451) {
+            // Unavailable For Legal Reasons - payment required
+            return (0, shared_1.err)('VAULT_PAYMENT_REQUIRED');
+        }
+        return (0, shared_1.err)('VAULT_FETCH_FAILED');
+    }
+    // Parse response
+    let vaultData;
+    try {
+        vaultData = (await response.json());
+    }
+    catch {
+        return (0, shared_1.err)('VAULT_INVALID_RESPONSE');
+    }
+    if (!vaultData.cryptoBundle || !vaultData.version) {
+        return (0, shared_1.err)('VAULT_INVALID_RESPONSE');
+    }
+    // Decode and evaluate bundle
+    let cryptoModule;
+    try {
+        const bundleCode = atob(vaultData.cryptoBundle);
+        // Dynamic evaluation (isolated scope)
+        // eslint-disable-next-line no-eval
+        const moduleExports = eval(`(function() {
+      const exports = {};
+      ${bundleCode}
+      return exports;
+    })()`);
+        cryptoModule = moduleExports;
+        // Validate required exports
+        if (typeof cryptoModule.splitXorIDA !== 'function' ||
+            typeof cryptoModule.reconstructXorIDA !== 'function') {
+            return (0, shared_1.err)('VAULT_LOAD_FAILED');
+        }
+    }
+    catch {
+        return (0, shared_1.err)('VAULT_LOAD_FAILED');
+    }
+    // Cache for 7 days (or server-provided TTL)
+    const ttlMs = vaultData.cacheTtl ? vaultData.cacheTtl * 1000 : CACHE_TTL_MS;
+    cryptoCache = {
+        module: cryptoModule,
+        expiresAt: Date.now() + ttlMs,
+        version: vaultData.version,
+    };
+    return (0, shared_1.ok)(cryptoModule);
+}
+/**
+ * Get cached crypto package without fetching.
+ *
+ * Returns null if cache is empty or expired.
+ * Use loadCryptoPackage() to fetch and cache.
+ *
+ * @returns Cached crypto package or null
+ */
+function getCrypto() {
+    if (cryptoCache && Date.now() < cryptoCache.expiresAt) {
+        return cryptoCache.module;
+    }
+    return null;
+}
+/**
+ * Check if crypto package is loaded and valid.
+ *
+ * @returns True if crypto is cached and not expired
+ */
+function isCryptoLoaded() {
+    return cryptoCache !== null && Date.now() < cryptoCache.expiresAt;
+}
+/**
+ * Clear crypto cache (force re-fetch on next load).
+ *
+ * Useful for testing or forcing quota re-verification.
+ */
+function clearCryptoCache() {
+    cryptoCache = null;
+}
+/**
+ * Get cache status (for debugging).
+ *
+ * @returns Cache metadata or null if empty
+ */
+function getCacheStatus() {
+    if (!cryptoCache) {
+        return { loaded: false };
+    }
+    const now = Date.now();
+    return {
+        loaded: now < cryptoCache.expiresAt,
+        version: cryptoCache.version,
+        expiresAt: cryptoCache.expiresAt,
+        ttlRemaining: Math.max(0, cryptoCache.expiresAt - now),
+    };
+}

package/dist-standalone/cjs/verify.js

@@ -1 +1,25 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.openSignedEnvelope=exports.deserializeEnvelope=exports.validateEnvelope=exports.didToPublicKeyBytes=exports.importPublicKey=exports.verify=void 0;var identity_js_1=require("./identity.js");Object.defineProperty(exports,"verify",{enumerable:!0,get:function(){return identity_js_1.verify}}),Object.defineProperty(exports,"importPublicKey",{enumerable:!0,get:function(){return identity_js_1.importPublicKey}}),Object.defineProperty(exports,"didToPublicKeyBytes",{enumerable:!0,get:function(){return identity_js_1.didToPublicKeyBytes}});var envelope_js_1=require("./envelope.js");Object.defineProperty(exports,"validateEnvelope",{enumerable:!0,get:function(){return envelope_js_1.validateEnvelope}}),Object.defineProperty(exports,"deserializeEnvelope",{enumerable:!0,get:function(){return envelope_js_1.deserializeEnvelope}}),Object.defineProperty(exports,"openSignedEnvelope",{enumerable:!0,get:function(){return envelope_js_1.openSignedEnvelope}});
+"use strict";
+/**
+ * @module verify
+ * Lightweight sub-path export for verification-only use cases.
+ *
+ * Import as `@private.me/xbind/verify` for tree-shaking on edge/serverless:
+ * ```ts
+ * import { verify, importPublicKey, validateEnvelope } from '@private.me/xbind/verify';
+ * ```
+ *
+ * This module re-exports only the functions needed to verify signatures
+ * and validate envelopes — no key generation, no encryption, no transport.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openSignedEnvelope = exports.deserializeEnvelope = exports.validateEnvelope = exports.didToPublicKeyBytes = exports.importPublicKey = exports.verify = void 0;
+// Identity — verify + key import only
+var identity_js_1 = require("./identity.js");
+Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return identity_js_1.verify; } });
+Object.defineProperty(exports, "importPublicKey", { enumerable: true, get: function () { return identity_js_1.importPublicKey; } });
+Object.defineProperty(exports, "didToPublicKeyBytes", { enumerable: true, get: function () { return identity_js_1.didToPublicKeyBytes; } });
+// Envelope — validation + signed envelope verification
+var envelope_js_1 = require("./envelope.js");
+Object.defineProperty(exports, "validateEnvelope", { enumerable: true, get: function () { return envelope_js_1.validateEnvelope; } });
+Object.defineProperty(exports, "deserializeEnvelope", { enumerable: true, get: function () { return envelope_js_1.deserializeEnvelope; } });
+Object.defineProperty(exports, "openSignedEnvelope", { enumerable: true, get: function () { return envelope_js_1.openSignedEnvelope; } });