@swimmingkiim/trust-sdk 0.1.32 → 0.2.2

package/src/identity/did-manager.ts

@@ -1,25 +1,139 @@
-import { initAgent } from '../agent'
+import crypto from 'crypto'
+import { createResolver } from '../resolver'
+import { Resolver } from 'did-resolver'
+
+export interface EphemeralIdentity {
+    did: string
+    keyPair: {
+        publicKey: Uint8Array
+        secretKey: Uint8Array
+    }
+}
+
+// Ed25519 multicodec prefix (0xed01)
+const ED25519_MULTICODEC_PREFIX = new Uint8Array([0xed, 0x01])
+
+// Base58btc alphabet (Bitcoin alphabet)
+const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
+
+/**
+ * Encodes a Uint8Array to base58btc string.
+ * Pure implementation with no external dependencies.
+ */
+function base58btcEncode(bytes: Uint8Array): string {
+    // Count leading zeros
+    let leadingZeros = 0
+    for (let i = 0; i < bytes.length && bytes[i] === 0; i++) {
+        leadingZeros++
+    }
+
+    // Convert to BigInt for base conversion
+    let num = BigInt('0x' + Buffer.from(bytes).toString('hex'))
+    const chars: string[] = []
+
+    while (num > 0n) {
+        const remainder = Number(num % 58n)
+        chars.unshift(BASE58_ALPHABET[remainder])
+        num = num / 58n
+    }
+
+    // Add '1' for each leading zero byte
+    for (let i = 0; i < leadingZeros; i++) {
+        chars.unshift('1')
+    }
+
+    return chars.join('')
+}
+
+/**
+ * Encodes an Ed25519 public key as a did:key identifier.
+ * Format: did:key:z + base58btc(multicodec_prefix + public_key)
+ */
+function publicKeyToDidKey(publicKey: Uint8Array): string {
+    const multicodecKey = new Uint8Array(ED25519_MULTICODEC_PREFIX.length + publicKey.length)
+    multicodecKey.set(ED25519_MULTICODEC_PREFIX)
+    multicodecKey.set(publicKey, ED25519_MULTICODEC_PREFIX.length)
+    return `did:key:z${base58btcEncode(multicodecKey)}`
+}
 
 export class IdentityManager {
-    async createEphemeralDID() {
-        const agent = await initAgent()
-        const identifier = await agent.didManagerCreate({
-            provider: 'did:key'
-        })
-        return identifier
+    private resolver: Resolver
+
+    constructor(resolver?: Resolver) {
+        this.resolver = resolver ?? createResolver()
     }
 
-    async createPersistentDID(alias?: string) {
-        const agent = await initAgent()
-        const identifier = await agent.didManagerCreate({
-            provider: 'did:ethr',
-            alias
-        })
-        return identifier
+    /**
+     * Creates an ephemeral (in-memory) did:key identity.
+     * Uses Node.js built-in crypto — no external dependencies, no database.
+     */
+    async createEphemeralDID(): Promise<EphemeralIdentity> {
+        const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519')
+
+        // Export raw key bytes from DER format
+        const pubDer = publicKey.export({ type: 'spki', format: 'der' })
+        const privDer = privateKey.export({ type: 'pkcs8', format: 'der' })
+
+        // Ed25519 SPKI DER: 12-byte header + 32-byte key
+        const rawPublicKey = new Uint8Array(pubDer.subarray(pubDer.length - 32))
+        // Ed25519 PKCS8 DER: 16-byte header + 32-byte key
+        const rawSecretKey = new Uint8Array(privDer.subarray(privDer.length - 32))
+
+        const did = publicKeyToDidKey(rawPublicKey)
+
+        return {
+            did,
+            keyPair: { publicKey: rawPublicKey, secretKey: rawSecretKey },
+        }
     }
 
-    async resolveDID(did: string) {
-        const agent = await initAgent()
-        return await agent.resolveDid({ didUrl: did })
+    /**
+     * Resolves a DID to its DID Document.
+     * Stateless: uses blockchain (did:ethr) or derivation (did:key).
+     */
+    async resolveDID(did: string): Promise<any> {
+        return await this.resolver.resolve(did)
+    }
+
+    /**
+     * Imports an existing Ed25519 secret key and derives the DID.
+     * Use this when you already have a fixed key (e.g., from did_keys.json).
+     *
+     * @param secretKey - 32-byte Ed25519 secret key as hex string or Uint8Array
+     * @returns EphemeralIdentity with the derived DID and key pair
+     */
+    async fromSecretKey(secretKey: string | Uint8Array): Promise<EphemeralIdentity> {
+        const rawSecretKey = typeof secretKey === 'string'
+            ? new Uint8Array(Buffer.from(secretKey.replace(/^0x/, ''), 'hex'))
+            : secretKey
+
+        if (rawSecretKey.length !== 32) {
+            throw new Error(`Invalid Ed25519 secret key length: expected 32 bytes, got ${rawSecretKey.length}`)
+        }
+
+        // Reconstruct Node.js KeyObject from raw bytes
+        // Ed25519 PKCS8 DER = fixed 16-byte header + 32-byte raw key
+        const pkcs8Header = Buffer.from([
+            0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+            0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20,
+        ])
+        const pkcs8Der = Buffer.concat([pkcs8Header, Buffer.from(rawSecretKey)])
+        const privateKeyObject = crypto.createPrivateKey({
+            key: pkcs8Der,
+            format: 'der',
+            type: 'pkcs8',
+        })
+
+        // Derive public key
+        const publicKeyObject = crypto.createPublicKey(privateKeyObject)
+        const pubDer = publicKeyObject.export({ type: 'spki', format: 'der' })
+        const rawPublicKey = new Uint8Array(pubDer.subarray(pubDer.length - 32))
+
+        const did = publicKeyToDidKey(rawPublicKey)
+
+        return {
+            did,
+            keyPair: { publicKey: rawPublicKey, secretKey: rawSecretKey },
+        }
     }
 }

package/src/index.ts

@@ -1,3 +1,5 @@
-export * from './identity/did-manager'
-export * from './credentials/vc-handler.service'
-export * from './agent'
+export { IdentityManager } from './identity/did-manager'
+export type { EphemeralIdentity } from './identity/did-manager'
+export { VCHandler } from './credentials/vc-handler.service'
+export { createResolver } from './resolver'
+export type { ResolverOptions } from './resolver'

package/src/resolver.ts

@@ -0,0 +1,26 @@
+import { Resolver } from 'did-resolver'
+import { getResolver as getKeyResolver } from 'key-did-resolver'
+import { getResolver as getEthrResolver } from 'ethr-did-resolver'
+
+export interface ResolverOptions {
+    /** Ethereum network name for did:ethr (default: 'base') */
+    ethNetwork?: string
+    /** RPC URL for did:ethr resolution */
+    rpcUrl?: string
+}
+
+/**
+ * Creates a stateless DID Resolver.
+ * No database, no state — only blockchain/key-based resolution.
+ */
+export function createResolver(options?: ResolverOptions): Resolver {
+    const ethNetwork = options?.ethNetwork || 'base'
+    const rpcUrl = options?.rpcUrl || 'https://mainnet.base.org'
+
+    return new Resolver({
+        ...getKeyResolver(),
+        ...getEthrResolver({
+            networks: [{ name: ethNetwork, rpcUrl }],
+        }),
+    })
+}

package/test/identity.security.test.ts

@@ -1,68 +1,58 @@
-import { describe, it, expect, beforeAll, vi } from 'vitest'
+import { describe, it, expect } from 'vitest'
+import { IdentityManager } from '../src/identity/did-manager'
 import { VCHandler } from '../src/credentials/vc-handler.service'
 
-// Mocking agent to simulate verification failure on tampered data
-vi.mock('../src/agent', () => {
-    const mockAgent = {
-        verifyCredential: vi.fn().mockImplementation(async ({ credential }) => {
-            // Check for expiration FIRST
-            if (credential.expirationDate === '1999-01-01T00:00:00Z') {
-                return { verified: false, error: 'Credential expired' }
-            }
-            // Then check for signature
-            if (credential.proof && credential.proof.jwt === 'valid_signature') {
-                return { verified: true }
-            }
-            return { verified: false, error: 'Invalid signature' }
-        }),
-        createVerifiableCredential: vi.fn().mockResolvedValue({
-            proof: { jwt: 'valid_signature' },
-            credentialSubject: { id: 'did:example:123', name: 'Test' },
-            issuanceDate: new Date().toISOString()
-        })
-    }
-    return {
-        agent: mockAgent,
-        // Ensure initAgent returns the object containing verify/create methods
-        initAgent: vi.fn().mockResolvedValue(mockAgent)
-    }
-})
-
+/**
+ * Security Tests (No Mocks — Real JWT Verification)
+ */
 describe('a2trust: Security Tests', () => {
+    let idManager: IdentityManager
     let vcHandler: VCHandler
 
-    beforeAll(async () => {
-        const { agent: mockAgent } = await import('../src/agent')
-        console.error('DEBUG: Security Test mockAgent keys:', Object.keys(mockAgent))
-        vcHandler = new VCHandler(mockAgent as any)
-    })
+    idManager = new IdentityManager()
+    vcHandler = new VCHandler()
 
-    it('Security: Should reject tampered VC', async () => {
-        // 1. Create a "valid" VC (MOCKED)
-        const validVC = await vcHandler.createCredential('issuer', 'subject', {})
+    it('should reject a tampered JWT', async () => {
+        const identity = await idManager.createEphemeralDID()
 
-        // 2. Tamper with the VC (e.g., change the signature)
-        const tamperedVC = { ...validVC, proof: { jwt: 'malicious_signature' } }
+        const validJwt = await vcHandler.createCredential(
+            identity.did,
+            identity.did,
+            { walletAddress: '0x123' },
+            identity.keyPair
+        )
 
-        // 3. Verify -> Should rely on our mock logic simulating failure
-        // Import mocked agent
-        const { agent } = await import('../src/agent')
-        const result = await agent.verifyCredential({ credential: tamperedVC as any })
+        // Tamper with the JWT payload
+        const parts = validJwt.split('.')
+        const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString())
+        payload.vc.credentialSubject.walletAddress = '0xHACKED'
+        parts[1] = Buffer.from(JSON.stringify(payload)).toString('base64url')
+        const tamperedJwt = parts.join('.')
 
-        expect(result.verified).toBe(false)
-        expect(result.error).toBeDefined()
+        const result = await vcHandler.verifyCredential(tamperedJwt)
+        expect(result).toBe(false)
     })
 
-    it('Security: Should reject expired VC', async () => {
-        const { agent } = await import('../src/agent')
-
-        const expiredVC = {
-            proof: { jwt: 'valid_signature' },
-            expirationDate: '1999-01-01T00:00:00Z'
-        }
+    it('should reject a completely invalid JWT string', async () => {
+        const result = await vcHandler.verifyCredential('not.a.valid.jwt')
+        expect(result).toBe(false)
+    })
 
-        const result = await agent.verifyCredential({ credential: expiredVC as any })
-        expect(result.verified).toBe(false)
-        expect(result.error).toMatch(/expired/)
+    it('should reject a JWT signed by unknown issuer', async () => {
+        // Create a VC signed by identity A
+        const identityA = await idManager.createEphemeralDID()
+        const identityB = await idManager.createEphemeralDID()
+
+        // Sign with A's key but claim issuer is B
+        // This should fail because B's DID document won't match A's key
+        const vcJwt = await vcHandler.createCredential(
+            identityB.did,  // claim to be B
+            identityB.did,
+            { walletAddress: '0x123' },
+            identityA.keyPair  // but sign with A's key
+        )
+
+        const result = await vcHandler.verifyCredential(vcJwt)
+        expect(result).toBe(false)
     })
 })

package/test/identity.test.ts

@@ -1,69 +1,81 @@
-import { describe, it, expect, beforeAll, vi } from 'vitest'
+import { describe, it, expect } from 'vitest'
 import { IdentityManager } from '../src/identity/did-manager'
 import { VCHandler } from '../src/credentials/vc-handler.service'
-import { agent } from '../src/agent'
-
-// Mock the agent module to avoid loading Veramo dependencies which cause syntax errors in Node 22
-vi.mock('../src/agent', () => {
-    const mockAgent = {
-        didManagerCreate: vi.fn().mockResolvedValue({ did: 'did:key:mocked123' }),
-        createVerifiableCredential: vi.fn().mockResolvedValue({
-            proof: { jwt: 'mock_jwt' },
-            credentialSubject: { id: 'did:key:mocked123', name: 'Test Agent' }
-        }),
-        verifyCredential: vi.fn().mockResolvedValue({ verified: true })
-    }
-    return {
-        agent: mockAgent,
-        initAgent: vi.fn().mockResolvedValue(mockAgent)
-    }
-})
 
+/**
+ * Identity & Credentials Tests (No Mocks)
+ *
+ * These test REAL in-memory behavior — no vi.mock, no DB.
+ */
 describe('a2trust: Identity & Credentials', () => {
     let idManager: IdentityManager
     let vcHandler: VCHandler
-    let issuerDid: string
-    let subjectDid: string
-
-    beforeAll(async () => {
-        // Since we mocked the module, imports of ../src/agent return the mock
-        const { agent: mockAgent } = await import('../src/agent')
 
-        idManager = new IdentityManager()
-        // Inject the mocked agent into VCHandler
-        vcHandler = new VCHandler(mockAgent as any)
-    })
+    idManager = new IdentityManager()
+    vcHandler = new VCHandler()
 
     it('should create an ephemeral did:key', async () => {
-        // This calls idManager -> initAgent (mocked) -> agent.didManagerCreate (mocked)
-        const did = await idManager.createEphemeralDID()
-        expect(did).toBeDefined()
-        expect(did.did).toMatch(/^did:key:/)
-        issuerDid = did.did
+        const result = await idManager.createEphemeralDID()
+        expect(result).toBeDefined()
+        expect(result.did).toMatch(/^did:key:/)
     })
 
-    it('should create a persistent did:ethr', async () => {
-        // Mock returns same structure
-        const did = await idManager.createEphemeralDID()
-        subjectDid = did.did
-        expect(subjectDid).toBeDefined()
+    it('should resolve a created DID', async () => {
+        const created = await idManager.createEphemeralDID()
+        const resolved = await idManager.resolveDID(created.did)
+
+        expect(resolved).toBeDefined()
+        expect(resolved.didDocument).toBeDefined()
+        expect(resolved.didDocument?.id).toBe(created.did)
     })
 
-    it('should issue a Verifiable Credential', async () => {
+    it('should issue a Verifiable Credential as JWT', async () => {
+        const identity = await idManager.createEphemeralDID()
         const claims = { name: 'Test Agent', role: 'Tester' }
-        const vc = await vcHandler.createCredential(issuerDid, subjectDid, claims)
+
+        const vc = await vcHandler.createCredential(
+            identity.did,
+            identity.did,
+            claims,
+            identity.keyPair
+        )
 
         expect(vc).toBeDefined()
-        expect(vc.proof).toBeDefined()
-        expect(vc.credentialSubject.name).toBe('Test Agent')
+        expect(typeof vc).toBe('string')
+
+        // Should be a valid JWT (3 parts separated by dots)
+        const parts = vc.split('.')
+        expect(parts.length).toBe(3)
     })
 
-    it('should verify a Verifiable Credential', async () => {
+    it('should verify a valid Verifiable Credential', async () => {
+        const identity = await idManager.createEphemeralDID()
         const claims = { name: 'Verified Agent' }
-        const vc = await vcHandler.createCredential(issuerDid, subjectDid, claims)
 
-        // Use the imported (mocked) agent to verify
-        const result = await agent.verifyCredential({ credential: vc as any })
-        expect(result.verified).toBe(true)
+        const vcJwt = await vcHandler.createCredential(
+            identity.did,
+            identity.did,
+            claims,
+            identity.keyPair
+        )
+
+        const result = await vcHandler.verifyCredential(vcJwt)
+        expect(result).toBe(true)
+    })
+
+    it('createCredential should include claims in the VC payload', async () => {
+        const identity = await idManager.createEphemeralDID()
+        const claims = { walletAddress: '0xABCDEF1234567890' }
+
+        const vcJwt = await vcHandler.createCredential(
+            identity.did,
+            identity.did,
+            claims,
+            identity.keyPair
+        )
+
+        // Decode the JWT payload
+        const payload = JSON.parse(Buffer.from(vcJwt.split('.')[1], 'base64').toString())
+        expect(payload.vc.credentialSubject.walletAddress).toBe('0xABCDEF1234567890')
     })
 })

package/test/stateless.test.ts

@@ -0,0 +1,133 @@
+import { describe, it, expect } from 'vitest'
+
+/**
+ * Stateless Property Tests
+ *
+ * These tests verify that trust-sdk operates without ANY database dependency.
+ * No environment variables, no DB connections, no external state.
+ */
+describe('trust-sdk: Stateless Properties', () => {
+    it('should create an IdentityManager without any env vars or DB', async () => {
+        // Must import without AGENT_SECRET_KEY or DB env vars set
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const idManager = new IdentityManager()
+        expect(idManager).toBeDefined()
+    })
+
+    it('should create a VCHandler without any env vars or DB', async () => {
+        const { VCHandler } = await import('../src/credentials/vc-handler.service')
+        const vcHandler = new VCHandler()
+        expect(vcHandler).toBeDefined()
+    })
+
+    it('should create a DID without any database', async () => {
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const idManager = new IdentityManager()
+
+        const result = await idManager.createEphemeralDID()
+        expect(result).toBeDefined()
+        expect(result.did).toMatch(/^did:key:/)
+        // Must return a key pair (or at least the DID string)
+        expect(typeof result.did).toBe('string')
+    })
+
+    it('should resolve a did:key without any database', async () => {
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const idManager = new IdentityManager()
+
+        const created = await idManager.createEphemeralDID()
+        const resolved = await idManager.resolveDID(created.did)
+
+        expect(resolved).toBeDefined()
+        expect(resolved.didDocument).toBeDefined()
+        expect(resolved.didDocument?.id).toBe(created.did)
+    })
+
+    it('should issue and verify a VC E2E without any database', async () => {
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const { VCHandler } = await import('../src/credentials/vc-handler.service')
+
+        const idManager = new IdentityManager()
+        const vcHandler = new VCHandler()
+
+        // Create a DID
+        const identity = await idManager.createEphemeralDID()
+
+        // Issue a self-signed VC
+        const vc = await vcHandler.createCredential(
+            identity.did,
+            identity.did,
+            { walletAddress: '0x1234567890abcdef' },
+            identity.keyPair // pass the signing key
+        )
+
+        expect(vc).toBeDefined()
+        expect(typeof vc).toBe('string') // JWT string
+
+        // Verify the VC
+        const isValid = await vcHandler.verifyCredential(vc)
+        expect(isValid).toBe(true)
+    })
+
+    it('should export createResolver from the SDK', async () => {
+        const sdk = await import('../src/index')
+        expect(sdk.createResolver).toBeDefined()
+        expect(typeof sdk.createResolver).toBe('function')
+    })
+
+    it('should NOT export agent or initAgent', async () => {
+        const sdk = await import('../src/index')
+        expect((sdk as any).agent).toBeUndefined()
+        expect((sdk as any).initAgent).toBeUndefined()
+    })
+
+    it('should import an existing secret key via fromSecretKey (hex string)', async () => {
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const idManager = new IdentityManager()
+
+        // Generate a key first, then re-import it
+        const original = await idManager.createEphemeralDID()
+        const hexKey = Buffer.from(original.keyPair.secretKey).toString('hex')
+
+        const imported = await idManager.fromSecretKey(hexKey)
+        expect(imported.did).toBe(original.did) // same key = same DID
+        expect(imported.keyPair.publicKey).toEqual(original.keyPair.publicKey)
+    })
+
+    it('should import a 0x-prefixed hex secret key', async () => {
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const idManager = new IdentityManager()
+
+        const original = await idManager.createEphemeralDID()
+        const hexKey = '0x' + Buffer.from(original.keyPair.secretKey).toString('hex')
+
+        const imported = await idManager.fromSecretKey(hexKey)
+        expect(imported.did).toBe(original.did)
+    })
+
+    it('should issue and verify a VC using imported key', async () => {
+        const { IdentityManager } = await import('../src/identity/did-manager')
+        const { VCHandler } = await import('../src/credentials/vc-handler.service')
+
+        const idManager = new IdentityManager()
+        const vcHandler = new VCHandler()
+
+        // Simulate a bot with a fixed key
+        const original = await idManager.createEphemeralDID()
+        const hexKey = Buffer.from(original.keyPair.secretKey).toString('hex')
+
+        // Import the key (as a bot would)
+        const identity = await idManager.fromSecretKey(hexKey)
+
+        // Create and verify VC
+        const vc = await vcHandler.createCredential(
+            identity.did,
+            identity.did,
+            { walletAddress: '0xBotWallet123' },
+            identity.keyPair
+        )
+
+        const isValid = await vcHandler.verifyCredential(vc)
+        expect(isValid).toBe(true)
+    })
+})