@private.me/xbind 3.0.2 → 3.0.4

package/dist-standalone/cjs/types/error-response.js

@@ -1,56 +1 @@
-"use strict";
-/**
- * Error Response Types
- *
- * Dual-code error response system supporting both AWS standard codes
- * and legacy xBind codes for backward compatibility.
- *
- * @packageDocumentation
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isErrorResponse = isErrorResponse;
-exports.createErrorResponse = createErrorResponse;
-/**
- * Type guard to check if a value is an ErrorResponse
- *
- * @param value - Value to check
- * @returns True if value is an ErrorResponse
- *
- * @example
- * ```typescript
- * if (isErrorResponse(result)) {
- *   console.error(result.message);
- * }
- * ```
- */
-function isErrorResponse(value) {
-    if (!value || typeof value !== 'object') {
-        return false;
-    }
-    const err = value;
-    return (typeof err.code === 'string' &&
-        typeof err.httpStatus === 'number' &&
-        typeof err.message === 'string');
-}
-/**
- * Create a standardized error response
- *
- * @param params - Error response parameters
- * @returns Standardized ErrorResponse object
- *
- * @example
- * ```typescript
- * const error = createErrorResponse({
- *   code: 'UnauthorizedException',
- *   legacyCode: 'XBIND_AUTH_FAILED',
- *   httpStatus: 401,
- *   message: 'Invalid signature'
- * });
- * ```
- */
-function createErrorResponse(params) {
-    return {
-        ...params,
-        timestamp: params.timestamp ?? Date.now()
-    };
-}
+"use strict";function isErrorResponse(e){if(!e||"object"!=typeof e)return!1;const r=e;return"string"==typeof r.code&&"number"==typeof r.httpStatus&&"string"==typeof r.message}function createErrorResponse(e){return{...e,timestamp:e.timestamp??Date.now()}}Object.defineProperty(exports,"__esModule",{value:!0}),exports.isErrorResponse=isErrorResponse,exports.createErrorResponse=createErrorResponse;

package/dist-standalone/cjs/vault-auth.js

@@ -1,178 +1 @@
-"use strict";
-/**
- * @module vault-auth
- * DID-based authentication for Vault Store API requests.
- *
- * Implements Ed25519 signature over canonical request representation with:
- * - Timestamp (prevents replay attacks >5min old)
- * - Nonce (prevents duplicate requests)
- * - Request body hash (ensures integrity)
- *
- * Server verifies signature + timestamp + nonce before serving vault content.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.signVaultRequest = signVaultRequest;
-exports.verifyVaultRequest = verifyVaultRequest;
-const shared_1 = require("../_deps/shared/index.js");
-const crypto_utils_js_1 = require("./crypto-utils.js");
-/**
- * Sign a vault store API request with agent's DID identity.
- *
- * Creates canonical request representation:
- * ```
- * {method}\n{endpoint}\n{timestamp}\n{nonce}\n{bodyHash}
- * ```
- *
- * Server verifies:
- * 1. Signature matches DID public key
- * 2. Timestamp within ±5min (prevents replay)
- * 3. Nonce not seen before (prevents duplicate)
- * 4. Body hash matches (ensures integrity)
- *
- * @param identity - Agent identity (contains signing key)
- * @param endpoint - API endpoint (e.g., "/api/vault-store/crypto")
- * @param body - Request body (JSON-serializable)
- * @returns Signed request metadata or error
- *
- * @example
- * ```typescript
- * const sigResult = await signVaultRequest(agent.identity, '/api/vault-store/crypto', {
- *   requestedVersion: 'latest',
- *   clientVersion: '1.5.0',
- * });
- *
- * if (!sigResult.ok) {
- *   throw new Error('Failed to sign vault request');
- * }
- *
- * const { signature, timestamp, nonce } = sigResult.value;
- *
- * const response = await fetch('https://private.me/api/vault-store/crypto', {
- *   method: 'POST',
- *   headers: {
- *     'X-DID': agent.did,
- *     'X-Signature': signature,
- *     'X-Timestamp': timestamp.toString(),
- *     'X-Nonce': nonce,
- *   },
- *   body: JSON.stringify(body),
- * });
- * ```
- */
-async function signVaultRequest(identity, endpoint, body) {
-    const timestamp = Date.now();
-    const nonce = generateNonce();
-    // Canonical request representation
-    const method = 'POST';
-    const bodyJson = JSON.stringify(body);
-    const bodyHash = await hashString(bodyJson);
-    const canonical = `${method}\n${endpoint}\n${timestamp}\n${nonce}\n${bodyHash}`;
-    // Sign with Ed25519
-    let signatureBuffer;
-    try {
-        const encoder = new TextEncoder();
-        const message = encoder.encode(canonical);
-        signatureBuffer = await crypto.subtle.sign({ name: 'Ed25519' }, identity.privateKey, message);
-    }
-    catch {
-        return (0, shared_1.err)('SIGN_FAILED');
-    }
-    return (0, shared_1.ok)({
-        signature: (0, crypto_utils_js_1.toBase64)(new Uint8Array(signatureBuffer)),
-        timestamp,
-        nonce,
-    });
-}
-/**
- * Generate cryptographically secure nonce (UUID v4 format).
- *
- * @returns Random UUID string
- */
-function generateNonce() {
-    // Use crypto.randomUUID if available (Node.js 16+, modern browsers)
-    if (typeof crypto !== 'undefined' && crypto.randomUUID) {
-        return crypto.randomUUID();
-    }
-    // Fallback: manual UUID v4 generation
-    const bytes = new Uint8Array(16);
-    crypto.getRandomValues(bytes);
-    // Set version (4) and variant (RFC 4122)
-    bytes[6] = (bytes[6] & 0x0f) | 0x40;
-    bytes[8] = (bytes[8] & 0x3f) | 0x80;
-    const hex = Array.from(bytes)
-        .map((b) => b.toString(16).padStart(2, '0'))
-        .join('');
-    return [
-        hex.slice(0, 8),
-        hex.slice(8, 12),
-        hex.slice(12, 16),
-        hex.slice(16, 20),
-        hex.slice(20, 32),
-    ].join('-');
-}
-/**
- * Hash string with SHA-256 (for request body integrity).
- *
- * @param data - String to hash
- * @returns Base64-encoded hash
- */
-async function hashString(data) {
-    const encoder = new TextEncoder();
-    const bytes = encoder.encode(data);
-    const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
-    return (0, crypto_utils_js_1.toBase64)(new Uint8Array(hashBuffer));
-}
-/**
- * Verify vault request signature (server-side only).
- *
- * Validates:
- * 1. Signature matches DID public key
- * 2. Timestamp within ±5min window
- * 3. Body hash matches
- *
- * Note: Nonce verification requires server-side nonce store (not implemented here).
- *
- * @param did - Sender DID
- * @param publicKeyBytes - Ed25519 public key (32 bytes)
- * @param endpoint - API endpoint
- * @param body - Request body (JSON string)
- * @param signature - Base64-encoded signature
- * @param timestamp - Request timestamp (Unix ms)
- * @param nonce - Request nonce
- * @returns True if signature is valid
- *
- * @internal Server-side verification only
- */
-async function verifyVaultRequest(did, publicKeyBytes, endpoint, body, signature, timestamp, nonce) {
-    // Timestamp verification (±5min window)
-    const now = Date.now();
-    const maxAge = 5 * 60 * 1000; // 5 minutes
-    if (Math.abs(now - timestamp) > maxAge) {
-        return false;
-    }
-    // Reconstruct canonical request
-    const method = 'POST';
-    const bodyHash = await hashString(body);
-    const canonical = `${method}\n${endpoint}\n${timestamp}\n${nonce}\n${bodyHash}`;
-    // Import public key
-    let publicKey;
-    try {
-        // Copy to new ArrayBuffer to avoid SharedArrayBuffer issues
-        const keyBuffer = new ArrayBuffer(publicKeyBytes.byteLength);
-        new Uint8Array(keyBuffer).set(publicKeyBytes);
-        publicKey = await crypto.subtle.importKey('raw', keyBuffer, { name: 'Ed25519' }, false, ['verify']);
-    }
-    catch {
-        return false;
-    }
-    // Verify signature
-    try {
-        const encoder = new TextEncoder();
-        const message = encoder.encode(canonical);
-        const signatureBytes = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
-        return await crypto.subtle.verify({ name: 'Ed25519' }, publicKey, signatureBytes, message);
-    }
-    catch {
-        return false;
-    }
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.signVaultRequest=signVaultRequest,exports.verifyVaultRequest=verifyVaultRequest;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js");async function signVaultRequest(e,t,r){const n=Date.now(),s=generateNonce(),a=JSON.stringify(r),o=`POST\n${t}\n${n}\n${s}\n${await hashString(a)}`;let i;try{const t=(new TextEncoder).encode(o);i=await crypto.subtle.sign({name:"Ed25519"},e.privateKey,t)}catch{return(0,shared_1.err)("SIGN_FAILED")}return(0,shared_1.ok)({signature:(0,crypto_utils_js_1.toBase64)(new Uint8Array(i)),timestamp:n,nonce:s})}function generateNonce(){if("undefined"!=typeof crypto&&crypto.randomUUID)return crypto.randomUUID();const e=new Uint8Array(16);crypto.getRandomValues(e),e[6]=15&e[6]|64,e[8]=63&e[8]|128;const t=Array.from(e).map(e=>e.toString(16).padStart(2,"0")).join("");return[t.slice(0,8),t.slice(8,12),t.slice(12,16),t.slice(16,20),t.slice(20,32)].join("-")}async function hashString(e){const t=(new TextEncoder).encode(e),r=await crypto.subtle.digest("SHA-256",t);return(0,crypto_utils_js_1.toBase64)(new Uint8Array(r))}async function verifyVaultRequest(e,t,r,n,s,a,o){const i=Date.now();if(Math.abs(i-a)>3e5)return!1;const c=`POST\n${r}\n${a}\n${o}\n${await hashString(n)}`;let u;try{const e=new ArrayBuffer(t.byteLength);new Uint8Array(e).set(t),u=await crypto.subtle.importKey("raw",e,{name:"Ed25519"},!1,["verify"])}catch{return!1}try{const e=(new TextEncoder).encode(c),t=Uint8Array.from(atob(s),e=>e.charCodeAt(0));return await crypto.subtle.verify({name:"Ed25519"},u,t,e)}catch{return!1}}

package/dist-standalone/cjs/vault-store-loader.js

@@ -1,194 +1 @@
-"use strict";
-/**
- * @module vault-store-loader
- * Runtime loader for payment-gated crypto packages (Full Control IP protection).
- *
- * Fetches XorIDA algorithm from EC2 Vault Store with:
- * - DID-based authentication (Ed25519 signatures)
- * - Usage quota verification (Free: 100K/month, Pro: unlimited)
- * - Memory caching (7-day TTL, session-only)
- * - Automatic re-fetch on expiration
- *
- * Security: Crypto package NEVER bundled in npm. Always fetched at runtime
- * with payment gate enforcement. Share 2 (Vault Store) completes algorithm.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.loadCryptoPackage = loadCryptoPackage;
-exports.getCrypto = getCrypto;
-exports.isCryptoLoaded = isCryptoLoaded;
-exports.clearCryptoCache = clearCryptoCache;
-exports.getCacheStatus = getCacheStatus;
-const shared_1 = require("../_deps/shared/index.js");
-const vault_auth_js_1 = require("./vault-auth.js");
-/** Vault Store API endpoint (EC2) */
-const VAULT_STORE_URL = process.env.VAULT_STORE_URL || 'https://private.me/api/vault-store';
-/** Cache TTL: 7 days (in milliseconds) */
-const CACHE_TTL_MS = 7 * 24 * 60 * 60 * 1000;
-/** In-memory cache (cleared on process restart) */
-let cryptoCache = null;
-/**
- * Load crypto package from Vault Store with authentication and caching.
- *
- * Flow:
- * 1. Check cache (if valid, return cached)
- * 2. Sign vault request with DID
- * 3. POST to /api/vault-store/crypto
- * 4. Server verifies: signature + quota + payment
- * 5. Receive crypto bundle + share2
- * 6. Evaluate bundle (dynamic import)
- * 7. Cache for 7 days
- *
- * @param identity - Agent identity (for DID signature)
- * @returns Crypto package exports or error
- *
- * @example
- * ```typescript
- * const cryptoResult = await loadCryptoPackage(agent.identity);
- * if (!cryptoResult.ok) {
- *   if (cryptoResult.error === 'VAULT_QUOTA_EXCEEDED') {
- *     console.error('Free tier quota exceeded. Upgrade to Pro for unlimited access.');
- *   }
- *   throw new Error(cryptoResult.error);
- * }
- * const { splitXorIDA, reconstructXorIDA } = cryptoResult.value;
- * ```
- */
-async function loadCryptoPackage(identity) {
-    // Check cache first
-    if (cryptoCache && Date.now() < cryptoCache.expiresAt) {
-        return (0, shared_1.ok)(cryptoCache.module);
-    }
-    // Sign vault request
-    const signatureResult = await (0, vault_auth_js_1.signVaultRequest)(identity, '/api/vault-store/crypto', {
-        requestedVersion: 'latest',
-        clientVersion: '1.5.0',
-    });
-    if (!signatureResult.ok) {
-        return (0, shared_1.err)('VAULT_AUTH_FAILED');
-    }
-    const { signature, timestamp, nonce } = signatureResult.value;
-    // Fetch from vault store
-    let response;
-    try {
-        response = await fetch(`${VAULT_STORE_URL}/crypto`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'X-DID': identity.did,
-                'X-Signature': signature,
-                'X-Timestamp': timestamp.toString(),
-                'X-Nonce': nonce,
-            },
-            body: JSON.stringify({
-                requestedVersion: 'latest',
-                clientVersion: '1.5.0',
-            }),
-        });
-    }
-    catch (fetchError) {
-        return (0, shared_1.err)('VAULT_FETCH_FAILED');
-    }
-    // Handle error responses
-    if (!response.ok) {
-        if (response.status === 402) {
-            // Payment Required - quota exceeded
-            return (0, shared_1.err)('VAULT_QUOTA_EXCEEDED');
-        }
-        else if (response.status === 401 || response.status === 403) {
-            // Unauthorized / Forbidden
-            return (0, shared_1.err)('VAULT_AUTH_FAILED');
-        }
-        else if (response.status === 451) {
-            // Unavailable For Legal Reasons - payment required
-            return (0, shared_1.err)('VAULT_PAYMENT_REQUIRED');
-        }
-        return (0, shared_1.err)('VAULT_FETCH_FAILED');
-    }
-    // Parse response
-    let vaultData;
-    try {
-        vaultData = (await response.json());
-    }
-    catch {
-        return (0, shared_1.err)('VAULT_INVALID_RESPONSE');
-    }
-    if (!vaultData.cryptoBundle || !vaultData.version) {
-        return (0, shared_1.err)('VAULT_INVALID_RESPONSE');
-    }
-    // Decode and evaluate bundle
-    let cryptoModule;
-    try {
-        const bundleCode = atob(vaultData.cryptoBundle);
-        // Dynamic evaluation (isolated scope)
-        // eslint-disable-next-line no-eval
-        const moduleExports = eval(`(function() {
-      const exports = {};
-      ${bundleCode}
-      return exports;
-    })()`);
-        cryptoModule = moduleExports;
-        // Validate required exports
-        if (typeof cryptoModule.splitXorIDA !== 'function' ||
-            typeof cryptoModule.reconstructXorIDA !== 'function') {
-            return (0, shared_1.err)('VAULT_LOAD_FAILED');
-        }
-    }
-    catch {
-        return (0, shared_1.err)('VAULT_LOAD_FAILED');
-    }
-    // Cache for 7 days (or server-provided TTL)
-    const ttlMs = vaultData.cacheTtl ? vaultData.cacheTtl * 1000 : CACHE_TTL_MS;
-    cryptoCache = {
-        module: cryptoModule,
-        expiresAt: Date.now() + ttlMs,
-        version: vaultData.version,
-    };
-    return (0, shared_1.ok)(cryptoModule);
-}
-/**
- * Get cached crypto package without fetching.
- *
- * Returns null if cache is empty or expired.
- * Use loadCryptoPackage() to fetch and cache.
- *
- * @returns Cached crypto package or null
- */
-function getCrypto() {
-    if (cryptoCache && Date.now() < cryptoCache.expiresAt) {
-        return cryptoCache.module;
-    }
-    return null;
-}
-/**
- * Check if crypto package is loaded and valid.
- *
- * @returns True if crypto is cached and not expired
- */
-function isCryptoLoaded() {
-    return cryptoCache !== null && Date.now() < cryptoCache.expiresAt;
-}
-/**
- * Clear crypto cache (force re-fetch on next load).
- *
- * Useful for testing or forcing quota re-verification.
- */
-function clearCryptoCache() {
-    cryptoCache = null;
-}
-/**
- * Get cache status (for debugging).
- *
- * @returns Cache metadata or null if empty
- */
-function getCacheStatus() {
-    if (!cryptoCache) {
-        return { loaded: false };
-    }
-    const now = Date.now();
-    return {
-        loaded: now < cryptoCache.expiresAt,
-        version: cryptoCache.version,
-        expiresAt: cryptoCache.expiresAt,
-        ttlRemaining: Math.max(0, cryptoCache.expiresAt - now),
-    };
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.loadCryptoPackage=loadCryptoPackage,exports.getCrypto=getCrypto,exports.isCryptoLoaded=isCryptoLoaded,exports.clearCryptoCache=clearCryptoCache,exports.getCacheStatus=getCacheStatus,exports.setMockCrypto=setMockCrypto;const shared_1=require("../_deps/shared/index.js"),vault_auth_js_1=require("./vault-auth.js"),VAULT_STORE_URL=process.env.VAULT_STORE_URL||"https://private.me/api/vault-store",CACHE_TTL_MS=6048e5;let cryptoCache=null;async function loadCryptoPackage(identity){if(cryptoCache&&Date.now()<cryptoCache.expiresAt)return(0,shared_1.ok)(cryptoCache.module);const signatureResult=await(0,vault_auth_js_1.signVaultRequest)(identity,"/api/vault-store/crypto",{requestedVersion:"latest",clientVersion:"1.5.0"});if(!signatureResult.ok)return(0,shared_1.err)("VAULT_AUTH_FAILED");const{signature:signature,timestamp:timestamp,nonce:nonce}=signatureResult.value;let response,vaultData,cryptoModule;try{response=await fetch(`${VAULT_STORE_URL}/crypto`,{method:"POST",headers:{"Content-Type":"application/json","X-DID":identity.did,"X-Signature":signature,"X-Timestamp":timestamp.toString(),"X-Nonce":nonce},body:JSON.stringify({requestedVersion:"latest",clientVersion:"1.5.0"})})}catch{return(0,shared_1.err)("VAULT_FETCH_FAILED")}if(!response.ok)return 402===response.status?(0,shared_1.err)("VAULT_QUOTA_EXCEEDED"):401===response.status||403===response.status?(0,shared_1.err)("VAULT_AUTH_FAILED"):451===response.status?(0,shared_1.err)("VAULT_PAYMENT_REQUIRED"):(0,shared_1.err)("VAULT_FETCH_FAILED");try{vaultData=await response.json()}catch{return(0,shared_1.err)("VAULT_INVALID_RESPONSE")}if(!vaultData.cryptoBundle||!vaultData.version)return(0,shared_1.err)("VAULT_INVALID_RESPONSE");try{const bundleCode=atob(vaultData.cryptoBundle),moduleExports=eval(`(function() {\n      const exports = {};\n      ${bundleCode}\n      return exports;\n    })()`);if(cryptoModule=moduleExports,"function"!=typeof cryptoModule.splitXorIDA||"function"!=typeof cryptoModule.reconstructXorIDA)return(0,shared_1.err)("VAULT_LOAD_FAILED")}catch{return(0,shared_1.err)("VAULT_LOAD_FAILED")}const ttlMs=vaultData.cacheTtl?1e3*vaultData.cacheTtl:CACHE_TTL_MS;return cryptoCache={module:cryptoModule,expiresAt:Date.now()+ttlMs,version:vaultData.version},(0,shared_1.ok)(cryptoModule)}function getCrypto(){return cryptoCache&&Date.now()<cryptoCache.expiresAt?cryptoCache.module:null}function isCryptoLoaded(){return null!==cryptoCache&&Date.now()<cryptoCache.expiresAt}function clearCryptoCache(){cryptoCache=null}function getCacheStatus(){if(!cryptoCache)return{loaded:!1};const e=Date.now();return{loaded:e<cryptoCache.expiresAt,version:cryptoCache.version,expiresAt:cryptoCache.expiresAt,ttlRemaining:Math.max(0,cryptoCache.expiresAt-e)}}function setMockCrypto(e,t="mock-1.0.0",r=CACHE_TTL_MS){cryptoCache={module:e,expiresAt:Date.now()+r,version:t}}

package/dist-standalone/cjs/verify.js

@@ -1,25 +1 @@
-"use strict";
-/**
- * @module verify
- * Lightweight sub-path export for verification-only use cases.
- *
- * Import as `@private.me/xbind/verify` for tree-shaking on edge/serverless:
- * ```ts
- * import { verify, importPublicKey, validateEnvelope } from '@private.me/xbind/verify';
- * ```
- *
- * This module re-exports only the functions needed to verify signatures
- * and validate envelopes — no key generation, no encryption, no transport.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.openSignedEnvelope = exports.deserializeEnvelope = exports.validateEnvelope = exports.didToPublicKeyBytes = exports.importPublicKey = exports.verify = void 0;
-// Identity — verify + key import only
-var identity_js_1 = require("./identity.js");
-Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return identity_js_1.verify; } });
-Object.defineProperty(exports, "importPublicKey", { enumerable: true, get: function () { return identity_js_1.importPublicKey; } });
-Object.defineProperty(exports, "didToPublicKeyBytes", { enumerable: true, get: function () { return identity_js_1.didToPublicKeyBytes; } });
-// Envelope — validation + signed envelope verification
-var envelope_js_1 = require("./envelope.js");
-Object.defineProperty(exports, "validateEnvelope", { enumerable: true, get: function () { return envelope_js_1.validateEnvelope; } });
-Object.defineProperty(exports, "deserializeEnvelope", { enumerable: true, get: function () { return envelope_js_1.deserializeEnvelope; } });
-Object.defineProperty(exports, "openSignedEnvelope", { enumerable: true, get: function () { return envelope_js_1.openSignedEnvelope; } });
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.openSignedEnvelope=exports.deserializeEnvelope=exports.validateEnvelope=exports.didToPublicKeyBytes=exports.importPublicKey=exports.verify=void 0;var identity_js_1=require("./identity.js");Object.defineProperty(exports,"verify",{enumerable:!0,get:function(){return identity_js_1.verify}}),Object.defineProperty(exports,"importPublicKey",{enumerable:!0,get:function(){return identity_js_1.importPublicKey}}),Object.defineProperty(exports,"didToPublicKeyBytes",{enumerable:!0,get:function(){return identity_js_1.didToPublicKeyBytes}});var envelope_js_1=require("./envelope.js");Object.defineProperty(exports,"validateEnvelope",{enumerable:!0,get:function(){return envelope_js_1.validateEnvelope}}),Object.defineProperty(exports,"deserializeEnvelope",{enumerable:!0,get:function(){return envelope_js_1.deserializeEnvelope}}),Object.defineProperty(exports,"openSignedEnvelope",{enumerable:!0,get:function(){return envelope_js_1.openSignedEnvelope}});