@scopeblind/passport 0.3.0 → 0.4.0

package/dist/index.mjs

@@ -1,275 +1,54 @@
-// src/keys.ts
-import { ed25519 } from "@noble/curves/ed25519";
-import { sha256 } from "@noble/hashes/sha256";
-import { bytesToHex } from "@noble/hashes/utils";
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function base58Encode(bytes) {
-  let num = BigInt("0x" + bytesToHex(bytes));
-  const chars = [];
-  while (num > 0n) {
-    const remainder = Number(num % 58n);
-    chars.unshift(BASE58_ALPHABET[remainder]);
-    num = num / 58n;
-  }
-  for (const b of bytes) {
-    if (b === 0) chars.unshift("1");
-    else break;
-  }
-  return chars.join("") || "1";
-}
-function derivePassportId(publicKey, role) {
-  const fingerprint = base58Encode(publicKey).slice(0, 12);
-  return `sb:${role}:${fingerprint}`;
-}
-function generatePassportKey(role) {
-  const secretKeyRaw = ed25519.utils.randomPrivateKey();
-  const publicKey = ed25519.getPublicKey(secretKeyRaw);
-  const secretKey = new Uint8Array(64);
-  secretKey.set(secretKeyRaw, 0);
-  secretKey.set(publicKey, 32);
-  const kid = derivePassportId(publicKey, role);
-  return {
-    publicKey,
-    secretKey,
-    kid,
-    role,
-    created_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-function getSigningKey(keyPair) {
-  return bytesToHex(keyPair.secretKey.slice(0, 32));
-}
-function getVerifyKey(keyPair) {
-  return bytesToHex(keyPair.publicKey);
-}
-function hashString(value) {
-  const encoder = new TextEncoder();
-  return bytesToHex(sha256(encoder.encode(value)));
-}
-
-// src/manifest.ts
-import { ed25519 as ed255192 } from "@noble/curves/ed25519";
-import { sha256 as sha2562 } from "@noble/hashes/sha256";
-import { bytesToHex as bytesToHex2, utf8ToBytes } from "@noble/hashes/utils";
-function canonicalize(obj) {
-  return JSON.stringify(obj, (_key, value) => {
-    if (value && typeof value === "object" && !Array.isArray(value)) {
-      const sorted = {};
-      for (const k of Object.keys(value).sort()) {
-        sorted[k] = value[k];
-      }
-      return sorted;
-    }
-    return value;
-  });
-}
-function canonicalHash(obj) {
-  return bytesToHex2(sha2562(utf8ToBytes(canonicalize(obj))));
-}
-function signPayload(payload, keyPair) {
-  const message = utf8ToBytes(canonicalize(payload));
-  const sigBytes = ed255192.sign(message, keyPair.secretKey.slice(0, 32));
-  return {
-    payload,
-    signature: {
-      alg: "EdDSA",
-      kid: keyPair.kid,
-      sig: bytesToHex2(sigBytes)
-    }
-  };
-}
-function createCoachManifest(keyPair, input, previousVersion, version) {
-  const manifest = {
-    type: "scopeblind:coach-manifest",
-    id: keyPair.kid,
-    version: version || "1.0.0",
-    previous_version: previousVersion ?? null,
-    created_at: (/* @__PURE__ */ new Date()).toISOString(),
-    public_key: base58Encode(keyPair.publicKey),
-    display_name: input.display_name.trim().slice(0, 32)
-  };
-  return signPayload(manifest, keyPair);
-}
-function createAgentManifest(keyPair, input, previousVersion, version) {
-  const promptHash = hashString(input.configuration_attestations.system_prompt);
-  const manifest = {
-    type: "scopeblind:agent-manifest",
-    id: keyPair.kid,
-    version: version || "1.0.0",
-    previous_version: previousVersion ?? null,
-    created_at: (/* @__PURE__ */ new Date()).toISOString(),
-    public_key: base58Encode(keyPair.publicKey),
-    public_profile: input.public_profile,
-    configuration_attestations: {
-      model_family_hash: input.configuration_attestations.model_family_hash,
-      memory_mode: input.configuration_attestations.memory_mode,
-      prompt_hash: promptHash
-    },
-    capability_declarations: input.capability_declarations,
-    evidence_pointers: input.evidence_pointers || {}
-  };
-  return signPayload(manifest, keyPair);
-}
-function createOwnershipAttestation(coachKeyPair, agentId, agentManifestVersion) {
-  const attestation = {
-    type: "scopeblind:ownership-attestation",
-    coach_id: coachKeyPair.kid,
-    agent_id: agentId,
-    agent_manifest_version: agentManifestVersion,
-    granted_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  return signPayload(attestation, coachKeyPair);
-}
-function createStatusRecord(signerKeyPair, targetId, status, reason) {
-  const record = {
-    type: "scopeblind:status-record",
-    target_id: targetId,
-    status,
-    changed_at: (/* @__PURE__ */ new Date()).toISOString(),
-    issuer_id: signerKeyPair.kid,
-    ...reason ? { reason } : {}
-  };
-  return signPayload(record, signerKeyPair);
-}
-function createCoachContribution(coachKeyPair, battleId, coachedSide, noteHash, noteLength, upliftVerdict) {
-  const contribution = {
-    type: "scopeblind:coach-contribution",
-    battle_id: battleId,
-    coach_id: coachKeyPair.kid,
-    coached_side: coachedSide,
-    note_hash: noteHash,
-    note_length: noteLength,
-    ...upliftVerdict ? { uplift_verdict: upliftVerdict } : {}
-  };
-  return signPayload(contribution, coachKeyPair);
-}
-
-// src/verify.ts
-import { ed25519 as ed255193 } from "@noble/curves/ed25519";
-import { hexToBytes as hexToBytes2, utf8ToBytes as utf8ToBytes2 } from "@noble/hashes/utils";
-function verifyEnvelope(envelope, expectedPublicKey) {
-  try {
-    if (!envelope.signature?.sig || !envelope.signature?.kid) {
-      return { valid: false, error: "missing_signature" };
-    }
-    const message = utf8ToBytes2(canonicalize(envelope.payload));
-    const hash = canonicalHash(envelope.payload);
-    const payload = envelope.payload;
-    let publicKeyBytes;
-    if (expectedPublicKey) {
-      publicKeyBytes = expectedPublicKey;
-    } else if (typeof payload.public_key === "string") {
-      publicKeyBytes = base58Decode(payload.public_key);
-    } else {
-      return { valid: false, error: "no_public_key_available" };
-    }
-    if (expectedPublicKey) {
-      const expectedKid = base58Encode(expectedPublicKey);
-      const signerFingerprint = envelope.signature.kid.split(":")[2];
-      const expectedFingerprint = expectedKid.slice(0, 12);
-      if (signerFingerprint !== expectedFingerprint) {
-        return { valid: false, hash, error: "kid_mismatch" };
-      }
-    }
-    const valid = ed255193.verify(
-      hexToBytes2(envelope.signature.sig),
-      message,
-      publicKeyBytes
-    );
-    return valid ? { valid: true, hash } : { valid: false, hash, error: "invalid_signature" };
-  } catch (err) {
-    return {
-      valid: false,
-      error: `verification_error: ${err instanceof Error ? err.message : "unknown"}`
-    };
-  }
-}
-function verifyManifest(envelope) {
-  return verifyEnvelope(envelope);
-}
-function verifyOwnership(attestation, coachPublicKey) {
-  const result = verifyEnvelope(attestation, coachPublicKey);
-  if (!result.valid) return result;
-  return result;
-}
-function base58Decode(str) {
-  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-  let num = 0n;
-  for (const char of str) {
-    const idx = ALPHABET.indexOf(char);
-    if (idx === -1) throw new Error(`Invalid base58 character: ${char}`);
-    num = num * 58n + BigInt(idx);
-  }
-  const hex = num.toString(16).padStart(64, "0");
-  const bytes = new Uint8Array(32);
-  for (let i = 0; i < 32; i++) {
-    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-  }
-  return bytes;
-}
-
-// src/display.ts
-function formatKidShort(kid) {
-  const parts = kid.split(":");
-  const fingerprint = parts[2] || kid;
-  if (fingerprint.length <= 8) return fingerprint;
-  return `${fingerprint.slice(0, 4)}\u2026${fingerprint.slice(-4)}`;
-}
-function formatKidLabeled(kid) {
-  const parts = kid.split(":");
-  const role = parts[1] === "coach" ? "Coach" : parts[1] === "agent" ? "Agent" : "Unknown";
-  return `${role} ${formatKidShort(kid)}`;
-}
-function getCoachSummary(envelope) {
-  const m = envelope.payload;
-  return {
-    kid: m.id,
-    displayName: m.display_name,
-    shortId: formatKidShort(m.id),
-    version: m.version,
-    createdAt: m.created_at
-  };
-}
-function getAgentSummary(envelope) {
-  const m = envelope.payload;
-  return {
-    kid: m.id,
-    name: m.public_profile.name,
-    shortId: formatKidShort(m.id),
-    version: m.version,
-    domainLanes: m.public_profile.domain_lanes,
-    createdAt: m.created_at
-  };
-}
-function isCoachManifest(manifest) {
-  return manifest.type === "scopeblind:coach-manifest";
-}
-function isAgentManifest(manifest) {
-  return manifest.type === "scopeblind:agent-manifest";
-}
+import {
+  base58Encode,
+  canonicalHash,
+  canonicalize,
+  createAgentManifest,
+  createCoachContribution,
+  createCoachManifest,
+  createOwnershipAttestation,
+  createStatusRecord,
+  derivePassportId,
+  exportPassportBundle,
+  formatKidLabeled,
+  formatKidShort,
+  generatePassportKey,
+  getAgentSummary,
+  getCoachSummary,
+  getSigningKey,
+  getVerifyKey,
+  hashString,
+  importPassportBundle,
+  isAgentManifest,
+  isCoachManifest,
+  serializeBundle,
+  signPayload,
+  verifyEnvelope,
+  verifyManifest,
+  verifyOwnership
+} from "./chunk-LEODYLAY.mjs";
 
 // src/issuer.ts
-import { ed25519 as ed255194 } from "@noble/curves/ed25519";
-import { bytesToHex as bytesToHex3, hexToBytes as hexToBytes3, utf8ToBytes as utf8ToBytes3 } from "@noble/hashes/utils";
+import { ed25519 } from "@noble/curves/ed25519";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/hashes/utils";
 function generateIssuerKey() {
-  const secretKeyRaw = ed255194.utils.randomPrivateKey();
-  const publicKey = ed255194.getPublicKey(secretKeyRaw);
+  const secretKeyRaw = ed25519.utils.randomPrivateKey();
+  const publicKey = ed25519.getPublicKey(secretKeyRaw);
   const fingerprint = base58Encode(publicKey).slice(0, 12);
   return {
-    publicKeyHex: bytesToHex3(publicKey),
-    secretKeyHex: bytesToHex3(secretKeyRaw),
+    publicKeyHex: bytesToHex(publicKey),
+    secretKeyHex: bytesToHex(secretKeyRaw),
     issuerId: `sb:issuer:${fingerprint}`
   };
 }
 function signReceipt(payload, issuerSecretKeyHex, issuerId) {
-  const message = utf8ToBytes3(canonicalize(payload));
-  const sigBytes = ed255194.sign(message, hexToBytes3(issuerSecretKeyHex));
+  const message = utf8ToBytes(canonicalize(payload));
+  const sigBytes = ed25519.sign(message, hexToBytes(issuerSecretKeyHex));
   return {
     payload,
     signature: {
       alg: "EdDSA",
       kid: issuerId,
-      sig: bytesToHex3(sigBytes)
+      sig: bytesToHex(sigBytes)
     }
   };
 }
@@ -318,7 +97,7 @@ function createFormalDebateReceipt(input, issuerSecretKeyHex, issuerId) {
   return signReceipt(receipt, issuerSecretKeyHex, issuerId);
 }
 function hexToBase64url(hex) {
-  const bytes = hexToBytes3(hex);
+  const bytes = hexToBytes(hex);
   const binary = String.fromCharCode(...bytes);
   return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
@@ -336,139 +115,16 @@ function buildPublicKeyEndpoint(issuerPublicKeyHex, issuerId) {
   };
 }
 function deriveIssuerFromSeed(secretKeyHex) {
-  const secretKeyBytes = hexToBytes3(secretKeyHex);
-  const publicKey = ed255194.getPublicKey(secretKeyBytes);
+  const secretKeyBytes = hexToBytes(secretKeyHex);
+  const publicKey = ed25519.getPublicKey(secretKeyBytes);
   const fingerprint = base58Encode(publicKey).slice(0, 12);
   return {
-    publicKeyHex: bytesToHex3(publicKey),
+    publicKeyHex: bytesToHex(publicKey),
     secretKeyHex,
     issuerId: `sb:issuer:${fingerprint}`
   };
 }
 
-// src/portable.ts
-import { bytesToHex as bytesToHex4, hexToBytes as hexToBytes4 } from "@noble/hashes/utils";
-import { ed25519 as ed255195 } from "@noble/curves/ed25519";
-function exportPassportBundle(bundle) {
-  return {
-    v: 1,
-    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
-    passport: {
-      kid: bundle.key.kid,
-      role: bundle.key.role,
-      created_at: bundle.key.created_at,
-      publicKeyHex: bytesToHex4(bundle.key.publicKey),
-      secretKeyHex: bytesToHex4(bundle.key.secretKey)
-    },
-    manifests: bundle.manifests,
-    ownership_attestations: bundle.ownership_attestations,
-    status_records: bundle.status_records
-  };
-}
-function serializeBundle(bundle) {
-  return JSON.stringify(bundle, null, 2);
-}
-function importPassportBundle(json) {
-  const errors = [];
-  const warnings = [];
-  let raw;
-  try {
-    raw = JSON.parse(json);
-  } catch {
-    return { valid: false, errors: ["Invalid JSON"], warnings };
-  }
-  const data = raw;
-  if (data.v !== 1) {
-    errors.push(`Unsupported bundle version: ${data.v}`);
-    return { valid: false, errors, warnings };
-  }
-  const passport = data.passport;
-  if (!passport) {
-    errors.push("Missing passport field");
-    return { valid: false, errors, warnings };
-  }
-  if (typeof passport.publicKeyHex !== "string" || typeof passport.secretKeyHex !== "string") {
-    errors.push("Missing or invalid key hex values");
-    return { valid: false, errors, warnings };
-  }
-  if (typeof passport.kid !== "string" || !passport.kid.startsWith("sb:")) {
-    errors.push("Invalid passport kid format");
-    return { valid: false, errors, warnings };
-  }
-  const role = passport.role;
-  if (role !== "coach" && role !== "agent") {
-    errors.push(`Invalid role: ${role}`);
-    return { valid: false, errors, warnings };
-  }
-  let publicKey;
-  let secretKey;
-  try {
-    publicKey = hexToBytes4(passport.publicKeyHex);
-    secretKey = hexToBytes4(passport.secretKeyHex);
-  } catch {
-    errors.push("Failed to decode key hex values");
-    return { valid: false, errors, warnings };
-  }
-  if (publicKey.length !== 32) {
-    errors.push(`Invalid public key length: ${publicKey.length} (expected 32)`);
-    return { valid: false, errors, warnings };
-  }
-  if (secretKey.length !== 64) {
-    errors.push(`Invalid secret key length: ${secretKey.length} (expected 64)`);
-    return { valid: false, errors, warnings };
-  }
-  const seed = secretKey.slice(0, 32);
-  let derivedPublicKey;
-  try {
-    derivedPublicKey = ed255195.getPublicKey(seed);
-  } catch {
-    errors.push("Secret key seed is not a valid Ed25519 private key");
-    return { valid: false, errors, warnings };
-  }
-  if (bytesToHex4(derivedPublicKey) !== bytesToHex4(publicKey)) {
-    errors.push("Key coherence failure: secret key does not derive to the claimed public key");
-    return { valid: false, errors, warnings };
-  }
-  const expectedKid = derivePassportId(publicKey, role);
-  if (passport.kid !== expectedKid) {
-    errors.push(`Kid mismatch: bundle claims ${passport.kid} but public key derives to ${expectedKid}`);
-    return { valid: false, errors, warnings };
-  }
-  const key = {
-    publicKey,
-    secretKey,
-    kid: passport.kid,
-    role,
-    created_at: passport.created_at || (/* @__PURE__ */ new Date()).toISOString()
-  };
-  const rawManifests = Array.isArray(data.manifests) ? data.manifests : [];
-  const validManifests = [];
-  for (const m of rawManifests) {
-    const result = verifyManifest(m);
-    if (!result.valid) {
-      errors.push(`Manifest ${m.payload?.id || "unknown"} has invalid signature: ${result.error}`);
-      continue;
-    }
-    if (m.payload?.id && m.payload.id !== key.kid) {
-      warnings.push(`Dropped manifest ${m.payload.id}: does not belong to passport ${key.kid}`);
-      continue;
-    }
-    validManifests.push(m);
-  }
-  const bundle = {
-    key,
-    manifests: validManifests,
-    ownership_attestations: Array.isArray(data.ownership_attestations) ? data.ownership_attestations : [],
-    status_records: Array.isArray(data.status_records) ? data.status_records : []
-  };
-  return {
-    valid: errors.length === 0,
-    bundle,
-    errors,
-    warnings
-  };
-}
-
 // src/artifact-bridge.ts
 function passportToArtifact(envelope, options) {
   return {

package/package.json

@@ -1,10 +1,13 @@
 {
     "name": "@scopeblind/passport",
-    "version": "0.3.0",
-    "description": "Portable cryptographic identity for AI agents and coaches. Ed25519 passports, immutable manifests, ownership attestations, and evidence receipt verification.",
+    "version": "0.4.0",
+    "description": "Portable cryptographic identity and local pack builder for AI agents and MCP runtimes. Ed25519 passports, signed manifests, export bundles, and create/wrap CLI flows.",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
     "module": "dist/index.mjs",
+    "bin": {
+        "passport": "dist/cli.js"
+    },
     "exports": {
         ".": {
             "types": "./dist/index.d.ts",
@@ -18,7 +21,7 @@
         }
     },
     "scripts": {
-        "build": "tsup src/index.ts src/browser.ts --format cjs,esm --dts --clean --external @noble/curves --external @noble/hashes",
+        "build": "tsup src/index.ts src/browser.ts src/cli.ts --format cjs,esm --dts --clean --external @noble/curves --external @noble/hashes",
         "test": "vitest run",
         "smoke": "vite --config vite.smoke.config.ts",
         "pack:fresh": "npm run build && npm pack",
@@ -37,14 +40,17 @@
         "verifiable-credentials",
         "ai-agent",
         "coach",
-        "portable-identity"
+        "portable-identity",
+        "mcp",
+        "openclaw",
+        "agent-pack"
     ],
     "author": "Tom Farley <tommy@scopeblind.com>",
     "license": "FSL-1.1-MIT",
     "homepage": "https://www.scopeblind.com",
     "repository": {
         "type": "git",
-        "url": "https://github.com/tomjwxf/scopeblind-gateway"
+        "url": "git+https://github.com/tomjwxf/scopeblind-gateway.git"
     },
     "dependencies": {
         "@noble/curves": "^1.8.0",