@scopeblind/passport 0.3.0

package/dist/index.mjs

@@ -0,0 +1,568 @@
+// src/keys.ts
+import { ed25519 } from "@noble/curves/ed25519";
+import { sha256 } from "@noble/hashes/sha256";
+import { bytesToHex } from "@noble/hashes/utils";
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58Encode(bytes) {
+  let num = BigInt("0x" + bytesToHex(bytes));
+  const chars = [];
+  while (num > 0n) {
+    const remainder = Number(num % 58n);
+    chars.unshift(BASE58_ALPHABET[remainder]);
+    num = num / 58n;
+  }
+  for (const b of bytes) {
+    if (b === 0) chars.unshift("1");
+    else break;
+  }
+  return chars.join("") || "1";
+}
+function derivePassportId(publicKey, role) {
+  const fingerprint = base58Encode(publicKey).slice(0, 12);
+  return `sb:${role}:${fingerprint}`;
+}
+function generatePassportKey(role) {
+  const secretKeyRaw = ed25519.utils.randomPrivateKey();
+  const publicKey = ed25519.getPublicKey(secretKeyRaw);
+  const secretKey = new Uint8Array(64);
+  secretKey.set(secretKeyRaw, 0);
+  secretKey.set(publicKey, 32);
+  const kid = derivePassportId(publicKey, role);
+  return {
+    publicKey,
+    secretKey,
+    kid,
+    role,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function getSigningKey(keyPair) {
+  return bytesToHex(keyPair.secretKey.slice(0, 32));
+}
+function getVerifyKey(keyPair) {
+  return bytesToHex(keyPair.publicKey);
+}
+function hashString(value) {
+  const encoder = new TextEncoder();
+  return bytesToHex(sha256(encoder.encode(value)));
+}
+
+// src/manifest.ts
+import { ed25519 as ed255192 } from "@noble/curves/ed25519";
+import { sha256 as sha2562 } from "@noble/hashes/sha256";
+import { bytesToHex as bytesToHex2, utf8ToBytes } from "@noble/hashes/utils";
+function canonicalize(obj) {
+  return JSON.stringify(obj, (_key, value) => {
+    if (value && typeof value === "object" && !Array.isArray(value)) {
+      const sorted = {};
+      for (const k of Object.keys(value).sort()) {
+        sorted[k] = value[k];
+      }
+      return sorted;
+    }
+    return value;
+  });
+}
+function canonicalHash(obj) {
+  return bytesToHex2(sha2562(utf8ToBytes(canonicalize(obj))));
+}
+function signPayload(payload, keyPair) {
+  const message = utf8ToBytes(canonicalize(payload));
+  const sigBytes = ed255192.sign(message, keyPair.secretKey.slice(0, 32));
+  return {
+    payload,
+    signature: {
+      alg: "EdDSA",
+      kid: keyPair.kid,
+      sig: bytesToHex2(sigBytes)
+    }
+  };
+}
+function createCoachManifest(keyPair, input, previousVersion, version) {
+  const manifest = {
+    type: "scopeblind:coach-manifest",
+    id: keyPair.kid,
+    version: version || "1.0.0",
+    previous_version: previousVersion ?? null,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    public_key: base58Encode(keyPair.publicKey),
+    display_name: input.display_name.trim().slice(0, 32)
+  };
+  return signPayload(manifest, keyPair);
+}
+function createAgentManifest(keyPair, input, previousVersion, version) {
+  const promptHash = hashString(input.configuration_attestations.system_prompt);
+  const manifest = {
+    type: "scopeblind:agent-manifest",
+    id: keyPair.kid,
+    version: version || "1.0.0",
+    previous_version: previousVersion ?? null,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    public_key: base58Encode(keyPair.publicKey),
+    public_profile: input.public_profile,
+    configuration_attestations: {
+      model_family_hash: input.configuration_attestations.model_family_hash,
+      memory_mode: input.configuration_attestations.memory_mode,
+      prompt_hash: promptHash
+    },
+    capability_declarations: input.capability_declarations,
+    evidence_pointers: input.evidence_pointers || {}
+  };
+  return signPayload(manifest, keyPair);
+}
+function createOwnershipAttestation(coachKeyPair, agentId, agentManifestVersion) {
+  const attestation = {
+    type: "scopeblind:ownership-attestation",
+    coach_id: coachKeyPair.kid,
+    agent_id: agentId,
+    agent_manifest_version: agentManifestVersion,
+    granted_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  return signPayload(attestation, coachKeyPair);
+}
+function createStatusRecord(signerKeyPair, targetId, status, reason) {
+  const record = {
+    type: "scopeblind:status-record",
+    target_id: targetId,
+    status,
+    changed_at: (/* @__PURE__ */ new Date()).toISOString(),
+    issuer_id: signerKeyPair.kid,
+    ...reason ? { reason } : {}
+  };
+  return signPayload(record, signerKeyPair);
+}
+function createCoachContribution(coachKeyPair, battleId, coachedSide, noteHash, noteLength, upliftVerdict) {
+  const contribution = {
+    type: "scopeblind:coach-contribution",
+    battle_id: battleId,
+    coach_id: coachKeyPair.kid,
+    coached_side: coachedSide,
+    note_hash: noteHash,
+    note_length: noteLength,
+    ...upliftVerdict ? { uplift_verdict: upliftVerdict } : {}
+  };
+  return signPayload(contribution, coachKeyPair);
+}
+
+// src/verify.ts
+import { ed25519 as ed255193 } from "@noble/curves/ed25519";
+import { hexToBytes as hexToBytes2, utf8ToBytes as utf8ToBytes2 } from "@noble/hashes/utils";
+function verifyEnvelope(envelope, expectedPublicKey) {
+  try {
+    if (!envelope.signature?.sig || !envelope.signature?.kid) {
+      return { valid: false, error: "missing_signature" };
+    }
+    const message = utf8ToBytes2(canonicalize(envelope.payload));
+    const hash = canonicalHash(envelope.payload);
+    const payload = envelope.payload;
+    let publicKeyBytes;
+    if (expectedPublicKey) {
+      publicKeyBytes = expectedPublicKey;
+    } else if (typeof payload.public_key === "string") {
+      publicKeyBytes = base58Decode(payload.public_key);
+    } else {
+      return { valid: false, error: "no_public_key_available" };
+    }
+    if (expectedPublicKey) {
+      const expectedKid = base58Encode(expectedPublicKey);
+      const signerFingerprint = envelope.signature.kid.split(":")[2];
+      const expectedFingerprint = expectedKid.slice(0, 12);
+      if (signerFingerprint !== expectedFingerprint) {
+        return { valid: false, hash, error: "kid_mismatch" };
+      }
+    }
+    const valid = ed255193.verify(
+      hexToBytes2(envelope.signature.sig),
+      message,
+      publicKeyBytes
+    );
+    return valid ? { valid: true, hash } : { valid: false, hash, error: "invalid_signature" };
+  } catch (err) {
+    return {
+      valid: false,
+      error: `verification_error: ${err instanceof Error ? err.message : "unknown"}`
+    };
+  }
+}
+function verifyManifest(envelope) {
+  return verifyEnvelope(envelope);
+}
+function verifyOwnership(attestation, coachPublicKey) {
+  const result = verifyEnvelope(attestation, coachPublicKey);
+  if (!result.valid) return result;
+  return result;
+}
+function base58Decode(str) {
+  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  let num = 0n;
+  for (const char of str) {
+    const idx = ALPHABET.indexOf(char);
+    if (idx === -1) throw new Error(`Invalid base58 character: ${char}`);
+    num = num * 58n + BigInt(idx);
+  }
+  const hex = num.toString(16).padStart(64, "0");
+  const bytes = new Uint8Array(32);
+  for (let i = 0; i < 32; i++) {
+    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+
+// src/display.ts
+function formatKidShort(kid) {
+  const parts = kid.split(":");
+  const fingerprint = parts[2] || kid;
+  if (fingerprint.length <= 8) return fingerprint;
+  return `${fingerprint.slice(0, 4)}\u2026${fingerprint.slice(-4)}`;
+}
+function formatKidLabeled(kid) {
+  const parts = kid.split(":");
+  const role = parts[1] === "coach" ? "Coach" : parts[1] === "agent" ? "Agent" : "Unknown";
+  return `${role} ${formatKidShort(kid)}`;
+}
+function getCoachSummary(envelope) {
+  const m = envelope.payload;
+  return {
+    kid: m.id,
+    displayName: m.display_name,
+    shortId: formatKidShort(m.id),
+    version: m.version,
+    createdAt: m.created_at
+  };
+}
+function getAgentSummary(envelope) {
+  const m = envelope.payload;
+  return {
+    kid: m.id,
+    name: m.public_profile.name,
+    shortId: formatKidShort(m.id),
+    version: m.version,
+    domainLanes: m.public_profile.domain_lanes,
+    createdAt: m.created_at
+  };
+}
+function isCoachManifest(manifest) {
+  return manifest.type === "scopeblind:coach-manifest";
+}
+function isAgentManifest(manifest) {
+  return manifest.type === "scopeblind:agent-manifest";
+}
+
+// src/issuer.ts
+import { ed25519 as ed255194 } from "@noble/curves/ed25519";
+import { bytesToHex as bytesToHex3, hexToBytes as hexToBytes3, utf8ToBytes as utf8ToBytes3 } from "@noble/hashes/utils";
+function generateIssuerKey() {
+  const secretKeyRaw = ed255194.utils.randomPrivateKey();
+  const publicKey = ed255194.getPublicKey(secretKeyRaw);
+  const fingerprint = base58Encode(publicKey).slice(0, 12);
+  return {
+    publicKeyHex: bytesToHex3(publicKey),
+    secretKeyHex: bytesToHex3(secretKeyRaw),
+    issuerId: `sb:issuer:${fingerprint}`
+  };
+}
+function signReceipt(payload, issuerSecretKeyHex, issuerId) {
+  const message = utf8ToBytes3(canonicalize(payload));
+  const sigBytes = ed255194.sign(message, hexToBytes3(issuerSecretKeyHex));
+  return {
+    payload,
+    signature: {
+      alg: "EdDSA",
+      kid: issuerId,
+      sig: bytesToHex3(sigBytes)
+    }
+  };
+}
+function createArenaBattleReceipt(input, issuerSecretKeyHex, issuerId) {
+  const receipt = {
+    type: "blindllm:arena-battle",
+    battle_id: input.battleId,
+    lane_id: input.laneId,
+    agent_a: input.agentA,
+    agent_b: input.agentB,
+    winner: input.winner,
+    issued_at: (/* @__PURE__ */ new Date()).toISOString(),
+    issuer_id: issuerId,
+    ...input.coach ? { coach: input.coach } : {}
+  };
+  return signReceipt(receipt, issuerSecretKeyHex, issuerId);
+}
+function createCoachUpliftReceipt(input, issuerSecretKeyHex, issuerId) {
+  const receipt = {
+    type: "blindllm:coach-uplift",
+    battle_id: input.battleId,
+    coach_id: input.coachId,
+    coached_side: input.coachedSide,
+    uplift_verdict: input.upliftVerdict,
+    issued_at: (/* @__PURE__ */ new Date()).toISOString(),
+    issuer_id: issuerId
+  };
+  return signReceipt(receipt, issuerSecretKeyHex, issuerId);
+}
+function createFormalDebateReceipt(input, issuerSecretKeyHex, issuerId) {
+  const receipt = {
+    type: "blindllm:formal-debate",
+    debate_id: input.debateId,
+    spec_id: input.specId,
+    lane_id: input.laneId,
+    artifact_hash: input.artifactHash,
+    resolution_hash: input.resolutionHash,
+    pro: input.pro,
+    con: input.con,
+    audience_winner: input.audienceWinner,
+    judge_winner: input.judgeWinner,
+    restraint_result: input.restraintResult,
+    issued_at: (/* @__PURE__ */ new Date()).toISOString(),
+    issuer_id: issuerId
+  };
+  return signReceipt(receipt, issuerSecretKeyHex, issuerId);
+}
+function hexToBase64url(hex) {
+  const bytes = hexToBytes3(hex);
+  const binary = String.fromCharCode(...bytes);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function buildPublicKeyEndpoint(issuerPublicKeyHex, issuerId) {
+  return {
+    keys: [{
+      kty: "OKP",
+      crv: "Ed25519",
+      kid: issuerId,
+      x: hexToBase64url(issuerPublicKeyHex),
+      use: "sig"
+    }],
+    issuer: "blindllm",
+    updated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function deriveIssuerFromSeed(secretKeyHex) {
+  const secretKeyBytes = hexToBytes3(secretKeyHex);
+  const publicKey = ed255194.getPublicKey(secretKeyBytes);
+  const fingerprint = base58Encode(publicKey).slice(0, 12);
+  return {
+    publicKeyHex: bytesToHex3(publicKey),
+    secretKeyHex,
+    issuerId: `sb:issuer:${fingerprint}`
+  };
+}
+
+// src/portable.ts
+import { bytesToHex as bytesToHex4, hexToBytes as hexToBytes4 } from "@noble/hashes/utils";
+import { ed25519 as ed255195 } from "@noble/curves/ed25519";
+function exportPassportBundle(bundle) {
+  return {
+    v: 1,
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    passport: {
+      kid: bundle.key.kid,
+      role: bundle.key.role,
+      created_at: bundle.key.created_at,
+      publicKeyHex: bytesToHex4(bundle.key.publicKey),
+      secretKeyHex: bytesToHex4(bundle.key.secretKey)
+    },
+    manifests: bundle.manifests,
+    ownership_attestations: bundle.ownership_attestations,
+    status_records: bundle.status_records
+  };
+}
+function serializeBundle(bundle) {
+  return JSON.stringify(bundle, null, 2);
+}
+function importPassportBundle(json) {
+  const errors = [];
+  const warnings = [];
+  let raw;
+  try {
+    raw = JSON.parse(json);
+  } catch {
+    return { valid: false, errors: ["Invalid JSON"], warnings };
+  }
+  const data = raw;
+  if (data.v !== 1) {
+    errors.push(`Unsupported bundle version: ${data.v}`);
+    return { valid: false, errors, warnings };
+  }
+  const passport = data.passport;
+  if (!passport) {
+    errors.push("Missing passport field");
+    return { valid: false, errors, warnings };
+  }
+  if (typeof passport.publicKeyHex !== "string" || typeof passport.secretKeyHex !== "string") {
+    errors.push("Missing or invalid key hex values");
+    return { valid: false, errors, warnings };
+  }
+  if (typeof passport.kid !== "string" || !passport.kid.startsWith("sb:")) {
+    errors.push("Invalid passport kid format");
+    return { valid: false, errors, warnings };
+  }
+  const role = passport.role;
+  if (role !== "coach" && role !== "agent") {
+    errors.push(`Invalid role: ${role}`);
+    return { valid: false, errors, warnings };
+  }
+  let publicKey;
+  let secretKey;
+  try {
+    publicKey = hexToBytes4(passport.publicKeyHex);
+    secretKey = hexToBytes4(passport.secretKeyHex);
+  } catch {
+    errors.push("Failed to decode key hex values");
+    return { valid: false, errors, warnings };
+  }
+  if (publicKey.length !== 32) {
+    errors.push(`Invalid public key length: ${publicKey.length} (expected 32)`);
+    return { valid: false, errors, warnings };
+  }
+  if (secretKey.length !== 64) {
+    errors.push(`Invalid secret key length: ${secretKey.length} (expected 64)`);
+    return { valid: false, errors, warnings };
+  }
+  const seed = secretKey.slice(0, 32);
+  let derivedPublicKey;
+  try {
+    derivedPublicKey = ed255195.getPublicKey(seed);
+  } catch {
+    errors.push("Secret key seed is not a valid Ed25519 private key");
+    return { valid: false, errors, warnings };
+  }
+  if (bytesToHex4(derivedPublicKey) !== bytesToHex4(publicKey)) {
+    errors.push("Key coherence failure: secret key does not derive to the claimed public key");
+    return { valid: false, errors, warnings };
+  }
+  const expectedKid = derivePassportId(publicKey, role);
+  if (passport.kid !== expectedKid) {
+    errors.push(`Kid mismatch: bundle claims ${passport.kid} but public key derives to ${expectedKid}`);
+    return { valid: false, errors, warnings };
+  }
+  const key = {
+    publicKey,
+    secretKey,
+    kid: passport.kid,
+    role,
+    created_at: passport.created_at || (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const rawManifests = Array.isArray(data.manifests) ? data.manifests : [];
+  const validManifests = [];
+  for (const m of rawManifests) {
+    const result = verifyManifest(m);
+    if (!result.valid) {
+      errors.push(`Manifest ${m.payload?.id || "unknown"} has invalid signature: ${result.error}`);
+      continue;
+    }
+    if (m.payload?.id && m.payload.id !== key.kid) {
+      warnings.push(`Dropped manifest ${m.payload.id}: does not belong to passport ${key.kid}`);
+      continue;
+    }
+    validManifests.push(m);
+  }
+  const bundle = {
+    key,
+    manifests: validManifests,
+    ownership_attestations: Array.isArray(data.ownership_attestations) ? data.ownership_attestations : [],
+    status_records: Array.isArray(data.status_records) ? data.status_records : []
+  };
+  return {
+    valid: errors.length === 0,
+    bundle,
+    errors,
+    warnings
+  };
+}
+
+// src/artifact-bridge.ts
+function passportToArtifact(envelope, options) {
+  return {
+    version: "2.0",
+    format: options?.format || inferFormat(envelope),
+    payload: envelope.payload,
+    signature: {
+      alg: envelope.signature.alg || "EdDSA",
+      kid: envelope.signature.kid,
+      sig: envelope.signature.sig,
+      ...envelope.signature.pub && { pub: envelope.signature.pub }
+    },
+    meta: {
+      issuer: options?.issuer || "blindllm.com",
+      source: "passport",
+      timestamp: extractTimestamp(envelope.payload)
+    }
+  };
+}
+function passportBatchToArtifacts(envelopes, options) {
+  return envelopes.map((e) => passportToArtifact(e, options));
+}
+function createPassportAuditBundle(envelopes, keys, options) {
+  const artifacts = passportBatchToArtifacts(envelopes, options);
+  return {
+    version: "1.0",
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    issuer: options?.issuer || "blindllm.com",
+    receipts: artifacts,
+    keys: Object.fromEntries(
+      Object.entries(keys).map(([kid, k]) => [kid, { alg: "EdDSA", pub: k.pub, issuer: k.issuer }])
+    ),
+    summary: {
+      total_receipts: artifacts.length,
+      time_range: {
+        first: Math.min(...artifacts.map((a) => a.meta?.timestamp || 0)),
+        last: Math.max(...artifacts.map((a) => a.meta?.timestamp || 0))
+      }
+    }
+  };
+}
+function inferFormat(envelope) {
+  const payload = envelope.payload;
+  if (payload.type === "arena-battle-receipt") return "passport-battle-v1";
+  if (payload.type === "coach-uplift-receipt") return "passport-coach-uplift-v1";
+  if (payload.type === "formal-debate-receipt") return "passport-debate-v1";
+  if (payload.type === "agent-manifest") return "passport-manifest-v1";
+  if (payload.type === "coach-contribution") return "passport-contribution-v1";
+  return "passport-generic-v1";
+}
+function extractTimestamp(payload) {
+  if (typeof payload === "object" && payload !== null) {
+    const p = payload;
+    if (typeof p.timestamp === "number") return p.timestamp;
+    if (typeof p.created_at === "string") return new Date(p.created_at).getTime();
+    if (typeof p.iat === "number") return p.iat * 1e3;
+  }
+  return Date.now();
+}
+export {
+  base58Encode,
+  buildPublicKeyEndpoint,
+  canonicalHash,
+  canonicalize,
+  createAgentManifest,
+  createArenaBattleReceipt,
+  createCoachContribution,
+  createCoachManifest,
+  createCoachUpliftReceipt,
+  createFormalDebateReceipt,
+  createOwnershipAttestation,
+  createPassportAuditBundle,
+  createStatusRecord,
+  deriveIssuerFromSeed,
+  derivePassportId,
+  exportPassportBundle,
+  formatKidLabeled,
+  formatKidShort,
+  generateIssuerKey,
+  generatePassportKey,
+  getAgentSummary,
+  getCoachSummary,
+  getSigningKey,
+  getVerifyKey,
+  hashString,
+  importPassportBundle,
+  isAgentManifest,
+  isCoachManifest,
+  passportBatchToArtifacts,
+  passportToArtifact,
+  serializeBundle,
+  signPayload,
+  signReceipt,
+  verifyEnvelope,
+  verifyManifest,
+  verifyOwnership
+};