@sentinel-atl/hsm 0.1.1

package/README.md

@@ -0,0 +1,59 @@
+# @sentinel-atl/hsm
+
+HSM and secure enclave KeyProvider backends for the Agent Trust Layer.
+
+## Providers
+
+| Provider | Status | Dependencies |
+|---|---|---|
+| `EncryptedFileKeyProvider` | **Fully functional** | None (Node.js crypto) |
+| `AWSCloudHSMKeyProvider` | Stub (interface ready) | `pkcs11js` |
+| `AzureManagedHSMKeyProvider` | Stub (interface ready) | `@azure/keyvault-keys` |
+| `PKCS11KeyProvider` | Stub (interface ready) | `pkcs11js` |
+
+## Install
+
+```bash
+npm install @sentinel-atl/hsm
+```
+
+## EncryptedFileKeyProvider
+
+Production-ready encrypted file storage using AES-256-GCM with scrypt key derivation.
+
+```ts
+import { EncryptedFileKeyProvider } from '@sentinel-atl/hsm';
+
+const provider = new EncryptedFileKeyProvider({
+  directory: './keys',
+  passphrase: process.env.KEY_PASSPHRASE!,
+});
+
+// Use as a drop-in replacement for InMemoryKeyProvider
+const kp = await provider.generate('my-agent-key');
+const sig = await provider.sign('my-agent-key', data);
+```
+
+**Security properties:**
+- AES-256-GCM authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt per key, random IV per encryption
+- Path traversal prevention on key IDs
+
+## HSM Stubs
+
+The HSM stubs implement the `KeyProvider` interface and throw informative errors telling you which SDK to install:
+
+```ts
+import { AWSCloudHSMKeyProvider } from '@sentinel-atl/hsm';
+
+const provider = new AWSCloudHSMKeyProvider({
+  clusterId: 'cluster-abc',
+  pkcs11LibPath: '/opt/cloudhsm/lib/libcloudhsm_pkcs11.so',
+  pin: process.env.HSM_PIN!,
+});
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,125 @@
+/**
+ * @sentinel-atl/hsm — HSM and secure KeyProvider backends.
+ *
+ * Provides production-grade KeyProvider implementations:
+ * - EncryptedFileKeyProvider  — AES-256-GCM encrypted file storage (Node crypto)
+ * - AWSCloudHSMKeyProvider    — AWS CloudHSM (stub, requires pkcs11js)
+ * - AzureManagedHSMKeyProvider — Azure Managed HSM (stub, requires @azure/keyvault-keys)
+ * - PKCS11KeyProvider         — Generic PKCS#11 interface (stub, requires pkcs11js)
+ *
+ * The EncryptedFileKeyProvider is fully functional with zero external deps.
+ * HSM stubs provide the correct interface and throw clear "configure SDK" errors.
+ */
+import type { KeyProvider } from '@sentinel-atl/core';
+interface KeyPair {
+    publicKey: Uint8Array;
+    privateKey: Uint8Array;
+}
+export interface EncryptedFileConfig {
+    /** Directory to store encrypted key files */
+    directory: string;
+    /** Passphrase for key derivation (use a strong passphrase!) */
+    passphrase: string;
+    /** Optional: scrypt cost parameter (default: 2^14) */
+    scryptN?: number;
+}
+/**
+ * EncryptedFileKeyProvider — stores Ed25519 keys as AES-256-GCM encrypted files.
+ *
+ * Each key is stored as a separate .key file:
+ *   {directory}/{id}.key → { salt, iv, tag, ciphertext } (JSON)
+ *
+ * Key derivation: scrypt(passphrase, salt) → 32-byte AES key
+ * Encryption: AES-256-GCM with random IV per key
+ */
+export declare class EncryptedFileKeyProvider implements KeyProvider {
+    private directory;
+    private passphrase;
+    private scryptN;
+    private cache;
+    constructor(config: EncryptedFileConfig);
+    generate(id: string): Promise<KeyPair>;
+    sign(id: string, data: Uint8Array): Promise<Uint8Array>;
+    getPublicKey(id: string): Promise<Uint8Array>;
+    has(id: string): Promise<boolean>;
+    delete(id: string): Promise<void>;
+    list(): Promise<string[]>;
+    exportPrivateKey(id: string): Promise<Uint8Array>;
+    private keyPath;
+    private deriveKey;
+    private encryptAndStore;
+    private loadKey;
+}
+export interface AWSCloudHSMConfig {
+    /** CloudHSM cluster ID */
+    clusterId: string;
+    /** PKCS#11 library path (e.g., /opt/cloudhsm/lib/libcloudhsm_pkcs11.so) */
+    pkcs11LibPath: string;
+    /** HSM user PIN */
+    pin: string;
+}
+/**
+ * AWSCloudHSMKeyProvider — interface for AWS CloudHSM.
+ *
+ * Requires the `pkcs11js` npm package and a configured CloudHSM cluster.
+ * This stub provides the correct KeyProvider interface; actual HSM operations
+ * require the PKCS#11 library to be installed and configured.
+ */
+export declare class AWSCloudHSMKeyProvider implements KeyProvider {
+    private config;
+    constructor(config: AWSCloudHSMConfig);
+    generate(id: string): Promise<KeyPair>;
+    sign(id: string, data: Uint8Array): Promise<Uint8Array>;
+    getPublicKey(id: string): Promise<Uint8Array>;
+    has(id: string): Promise<boolean>;
+    delete(id: string): Promise<void>;
+    list(): Promise<string[]>;
+}
+export interface AzureManagedHSMConfig {
+    /** HSM vault URL (e.g., https://myhsm.managedhsm.azure.net) */
+    vaultUrl: string;
+    /** Optional: Azure credential (DefaultAzureCredential used if omitted) */
+    credential?: unknown;
+}
+/**
+ * AzureManagedHSMKeyProvider — interface for Azure Managed HSM.
+ *
+ * Requires @azure/keyvault-keys and @azure/identity packages.
+ * Keys are stored in Azure Managed HSM; signing happens server-side.
+ */
+export declare class AzureManagedHSMKeyProvider implements KeyProvider {
+    private config;
+    constructor(config: AzureManagedHSMConfig);
+    generate(id: string): Promise<KeyPair>;
+    sign(id: string, data: Uint8Array): Promise<Uint8Array>;
+    getPublicKey(id: string): Promise<Uint8Array>;
+    has(id: string): Promise<boolean>;
+    delete(id: string): Promise<void>;
+    list(): Promise<string[]>;
+}
+export interface PKCS11Config {
+    /** Path to the PKCS#11 shared library */
+    libraryPath: string;
+    /** Slot index to use */
+    slotIndex?: number;
+    /** User PIN for authentication */
+    pin: string;
+}
+/**
+ * PKCS11KeyProvider — generic PKCS#11 interface for any HSM.
+ *
+ * Requires the `pkcs11js` npm package and a PKCS#11-compatible HSM.
+ * Works with YubiKey, SoftHSM, Thales Luna, nCipher, etc.
+ */
+export declare class PKCS11KeyProvider implements KeyProvider {
+    private config;
+    constructor(config: PKCS11Config);
+    generate(id: string): Promise<KeyPair>;
+    sign(id: string, data: Uint8Array): Promise<Uint8Array>;
+    getPublicKey(id: string): Promise<Uint8Array>;
+    has(id: string): Promise<boolean>;
+    delete(id: string): Promise<void>;
+    list(): Promise<string[]>;
+}
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAOtD,UAAU,OAAO;IACf,SAAS,EAAE,UAAU,CAAC;IACtB,UAAU,EAAE,UAAU,CAAC;CACxB;AAID,MAAM,WAAW,mBAAmB;IAClC,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,+DAA+D;IAC/D,UAAU,EAAE,MAAM,CAAC;IACnB,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,YAAW,WAAW;IAC1D,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAA8B;gBAE/B,MAAM,EAAE,mBAAmB;IASjC,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUtC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAMvD,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAK7C,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKjC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASjC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAQzB,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAOvD,OAAO,CAAC,OAAO;IAMf,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,eAAe;YA0BT,OAAO;CAwBtB;AAID,MAAM,WAAW,iBAAiB;IAChC,0BAA0B;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB;IACnB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;;GAMG;AACH,qBAAa,sBAAuB,YAAW,WAAW;IACxD,OAAO,CAAC,MAAM,CAAoB;gBAEtB,MAAM,EAAE,iBAAiB;IAI/B,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAOtC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAMvD,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAM7C,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIjC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAGhC;AAID,MAAM,WAAW,qBAAqB;IACpC,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,YAAW,WAAW;IAC5D,OAAO,CAAC,MAAM,CAAwB;gBAE1B,MAAM,EAAE,qBAAqB;IAInC,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAOtC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAMvD,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAI7C,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIjC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAGhC;AAID,MAAM,WAAW,YAAY;IAC3B,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,qBAAa,iBAAkB,YAAW,WAAW;IACnD,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,EAAE,YAAY;IAI1B,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMtC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAIvD,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAI7C,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIjC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAGhC"}

package/dist/index.js

@@ -0,0 +1,225 @@
+/**
+ * @sentinel-atl/hsm — HSM and secure KeyProvider backends.
+ *
+ * Provides production-grade KeyProvider implementations:
+ * - EncryptedFileKeyProvider  — AES-256-GCM encrypted file storage (Node crypto)
+ * - AWSCloudHSMKeyProvider    — AWS CloudHSM (stub, requires pkcs11js)
+ * - AzureManagedHSMKeyProvider — Azure Managed HSM (stub, requires @azure/keyvault-keys)
+ * - PKCS11KeyProvider         — Generic PKCS#11 interface (stub, requires pkcs11js)
+ *
+ * The EncryptedFileKeyProvider is fully functional with zero external deps.
+ * HSM stubs provide the correct interface and throw clear "configure SDK" errors.
+ */
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+/**
+ * EncryptedFileKeyProvider — stores Ed25519 keys as AES-256-GCM encrypted files.
+ *
+ * Each key is stored as a separate .key file:
+ *   {directory}/{id}.key → { salt, iv, tag, ciphertext } (JSON)
+ *
+ * Key derivation: scrypt(passphrase, salt) → 32-byte AES key
+ * Encryption: AES-256-GCM with random IV per key
+ */
+export class EncryptedFileKeyProvider {
+    directory;
+    passphrase;
+    scryptN;
+    cache = new Map();
+    constructor(config) {
+        this.directory = config.directory;
+        this.passphrase = config.passphrase;
+        this.scryptN = config.scryptN ?? 16384; // 2^14
+        if (!existsSync(this.directory)) {
+            mkdirSync(this.directory, { recursive: true });
+        }
+    }
+    async generate(id) {
+        const ed = await import('@noble/ed25519');
+        const privKey = randomBytes(32);
+        const pubKey = await ed.getPublicKeyAsync(privKey);
+        const kp = { publicKey: pubKey, privateKey: new Uint8Array(privKey) };
+        this.encryptAndStore(id, kp);
+        this.cache.set(id, kp);
+        return kp;
+    }
+    async sign(id, data) {
+        const kp = await this.loadKey(id);
+        const ed = await import('@noble/ed25519');
+        return ed.signAsync(data, kp.privateKey);
+    }
+    async getPublicKey(id) {
+        const kp = await this.loadKey(id);
+        return kp.publicKey;
+    }
+    async has(id) {
+        if (this.cache.has(id))
+            return true;
+        return existsSync(this.keyPath(id));
+    }
+    async delete(id) {
+        this.cache.delete(id);
+        const path = this.keyPath(id);
+        if (existsSync(path)) {
+            const { unlinkSync } = await import('node:fs');
+            unlinkSync(path);
+        }
+    }
+    async list() {
+        const { readdirSync } = await import('node:fs');
+        const files = readdirSync(this.directory);
+        return files
+            .filter(f => f.endsWith('.key'))
+            .map(f => f.slice(0, -4));
+    }
+    async exportPrivateKey(id) {
+        const kp = await this.loadKey(id);
+        return kp.privateKey;
+    }
+    // ─── Internal helpers ────────────────────────────────────────
+    keyPath(id) {
+        // Sanitize id to prevent path traversal
+        const safeId = id.replace(/[^a-zA-Z0-9_-]/g, '_');
+        return join(this.directory, `${safeId}.key`);
+    }
+    deriveKey(salt) {
+        return scryptSync(this.passphrase, salt, 32, { N: this.scryptN, r: 8, p: 1 });
+    }
+    encryptAndStore(id, kp) {
+        const salt = randomBytes(16);
+        const aesKey = this.deriveKey(salt);
+        const iv = randomBytes(12);
+        const cipher = createCipheriv('aes-256-gcm', aesKey, iv);
+        // Concatenate pub + priv for storage
+        const plaintext = Buffer.concat([
+            Buffer.from(kp.publicKey),
+            Buffer.from(kp.privateKey),
+        ]);
+        const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        const stored = {
+            salt: salt.toString('hex'),
+            iv: iv.toString('hex'),
+            tag: tag.toString('hex'),
+            ciphertext: ciphertext.toString('hex'),
+            pubKeyLen: kp.publicKey.length,
+        };
+        writeFileSync(this.keyPath(id), JSON.stringify(stored), 'utf-8');
+    }
+    async loadKey(id) {
+        if (this.cache.has(id))
+            return this.cache.get(id);
+        const path = this.keyPath(id);
+        if (!existsSync(path))
+            throw new Error(`Key not found: ${id}`);
+        const raw = JSON.parse(readFileSync(path, 'utf-8'));
+        const salt = Buffer.from(raw.salt, 'hex');
+        const iv = Buffer.from(raw.iv, 'hex');
+        const tag = Buffer.from(raw.tag, 'hex');
+        const ciphertext = Buffer.from(raw.ciphertext, 'hex');
+        const aesKey = this.deriveKey(salt);
+        const decipher = createDecipheriv('aes-256-gcm', aesKey, iv);
+        decipher.setAuthTag(tag);
+        const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        const publicKey = new Uint8Array(plaintext.subarray(0, raw.pubKeyLen));
+        const privateKey = new Uint8Array(plaintext.subarray(raw.pubKeyLen));
+        const kp = { publicKey, privateKey };
+        this.cache.set(id, kp);
+        return kp;
+    }
+}
+/**
+ * AWSCloudHSMKeyProvider — interface for AWS CloudHSM.
+ *
+ * Requires the `pkcs11js` npm package and a configured CloudHSM cluster.
+ * This stub provides the correct KeyProvider interface; actual HSM operations
+ * require the PKCS#11 library to be installed and configured.
+ */
+export class AWSCloudHSMKeyProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async generate(id) {
+        throw new Error(`AWSCloudHSMKeyProvider.generate(): Requires pkcs11js package and CloudHSM cluster "${this.config.clusterId}". ` +
+            'Install pkcs11js and configure your cluster to use this provider.');
+    }
+    async sign(id, data) {
+        throw new Error('AWSCloudHSMKeyProvider.sign(): Requires pkcs11js. Keys never leave the HSM.');
+    }
+    async getPublicKey(id) {
+        throw new Error('AWSCloudHSMKeyProvider.getPublicKey(): Requires pkcs11js.');
+    }
+    async has(id) {
+        throw new Error('AWSCloudHSMKeyProvider.has(): Requires pkcs11js.');
+    }
+    async delete(id) {
+        throw new Error('AWSCloudHSMKeyProvider.delete(): Requires pkcs11js.');
+    }
+    async list() {
+        throw new Error('AWSCloudHSMKeyProvider.list(): Requires pkcs11js.');
+    }
+}
+/**
+ * AzureManagedHSMKeyProvider — interface for Azure Managed HSM.
+ *
+ * Requires @azure/keyvault-keys and @azure/identity packages.
+ * Keys are stored in Azure Managed HSM; signing happens server-side.
+ */
+export class AzureManagedHSMKeyProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async generate(id) {
+        throw new Error(`AzureManagedHSMKeyProvider.generate(): Requires @azure/keyvault-keys. ` +
+            `HSM URL: ${this.config.vaultUrl}`);
+    }
+    async sign(id, data) {
+        throw new Error('AzureManagedHSMKeyProvider.sign(): Requires @azure/keyvault-keys. Signing happens server-side.');
+    }
+    async getPublicKey(id) {
+        throw new Error('AzureManagedHSMKeyProvider.getPublicKey(): Requires @azure/keyvault-keys.');
+    }
+    async has(id) {
+        throw new Error('AzureManagedHSMKeyProvider.has(): Requires @azure/keyvault-keys.');
+    }
+    async delete(id) {
+        throw new Error('AzureManagedHSMKeyProvider.delete(): Requires @azure/keyvault-keys.');
+    }
+    async list() {
+        throw new Error('AzureManagedHSMKeyProvider.list(): Requires @azure/keyvault-keys.');
+    }
+}
+/**
+ * PKCS11KeyProvider — generic PKCS#11 interface for any HSM.
+ *
+ * Requires the `pkcs11js` npm package and a PKCS#11-compatible HSM.
+ * Works with YubiKey, SoftHSM, Thales Luna, nCipher, etc.
+ */
+export class PKCS11KeyProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async generate(id) {
+        throw new Error(`PKCS11KeyProvider.generate(): Requires pkcs11js and library at "${this.config.libraryPath}".`);
+    }
+    async sign(id, data) {
+        throw new Error('PKCS11KeyProvider.sign(): Requires pkcs11js.');
+    }
+    async getPublicKey(id) {
+        throw new Error('PKCS11KeyProvider.getPublicKey(): Requires pkcs11js.');
+    }
+    async has(id) {
+        throw new Error('PKCS11KeyProvider.has(): Requires pkcs11js.');
+    }
+    async delete(id) {
+        throw new Error('PKCS11KeyProvider.delete(): Requires pkcs11js.');
+    }
+    async list() {
+        throw new Error('PKCS11KeyProvider.list(): Requires pkcs11js.');
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAc,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACpG,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAW,MAAM,WAAW,CAAC;AAoB1C;;;;;;;;GAQG;AACH,MAAM,OAAO,wBAAwB;IAC3B,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,OAAO,CAAS;IAChB,KAAK,GAAG,IAAI,GAAG,EAAmB,CAAC;IAE3C,YAAY,MAA2B;QACrC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,KAAK,CAAC,CAAC,OAAO;QAC/C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,EAAE,GAAY,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/E,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,IAAgB;QACrC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC1C,OAAO,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,EAAU;QAC3B,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAClC,OAAO,EAAE,CAAC,SAAS,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,OAAO,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YAC/C,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1C,OAAO,KAAK;aACT,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,EAAU;QAC/B,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAClC,OAAO,EAAE,CAAC,UAAU,CAAC;IACvB,CAAC;IAED,gEAAgE;IAExD,OAAO,CAAC,EAAU;QACxB,wCAAwC;QACxC,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,CAAC;IAC/C,CAAC;IAEO,SAAS,CAAC,IAAY;QAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAW,CAAC;IAC1F,CAAC;IAEO,eAAe,CAAC,EAAU,EAAE,EAAW;QAC7C,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;QAEzD,qCAAqC;QACrC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC;SAC3B,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEhC,MAAM,MAAM,GAAG;YACb,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC1B,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;YACxB,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM;SAC/B,CAAC;QAEF,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,EAAU;QAC9B,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;QAEnD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAE/D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC1C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;QAC7D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAEzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;QACvE,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;QAErE,MAAM,EAAE,GAAY,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;QAC9C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;CACF;AAaD;;;;;;GAMG;AACH,MAAM,OAAO,sBAAsB;IACzB,MAAM,CAAoB;IAElC,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,MAAM,IAAI,KAAK,CACb,sFAAsF,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK;YAChH,mEAAmE,CACpE,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,IAAgB;QACrC,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,EAAU;QAC3B,MAAM,IAAI,KAAK,CACb,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;CACF;AAWD;;;;;GAKG;AACH,MAAM,OAAO,0BAA0B;IAC7B,MAAM,CAAwB;IAEtC,YAAY,MAA6B;QACvC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,MAAM,IAAI,KAAK,CACb,wEAAwE;YACxE,YAAY,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CACnC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,IAAgB;QACrC,MAAM,IAAI,KAAK,CACb,gGAAgG,CACjG,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,EAAU;QAC3B,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;IAC/F,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;CACF;AAaD;;;;;GAKG;AACH,MAAM,OAAO,iBAAiB;IACpB,MAAM,CAAe;IAE7B,YAAY,MAAoB;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,MAAM,IAAI,KAAK,CACb,mEAAmE,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAC/F,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,IAAgB;QACrC,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,EAAU;QAC3B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;CACF"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@sentinel-atl/hsm",
+  "version": "0.1.1",
+  "description": "HSM and secure enclave KeyProvider backends — AWS CloudHSM, Azure Managed HSM, PKCS#11, and encrypted file storage",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@sentinel-atl/core": "*"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sentinel-atl/project-sentinel.git",
+    "directory": "packages/hsm"
+  },
+  "keywords": [
+    "ai-agent",
+    "trust",
+    "identity",
+    "did",
+    "verifiable-credentials",
+    "mcp",
+    "security"
+  ],
+  "homepage": "https://github.com/sentinel-atl/project-sentinel#readme",
+  "bugs": {
+    "url": "https://github.com/sentinel-atl/project-sentinel/issues"
+  }
+}