@ternent/core 0.0.1

package/.changeset/README.md

@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets).
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md).

package/.changeset/config.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@2.3.1/schema.json",
+  "changelog": [
+    "@changesets/changelog-github",
+    {
+      "repo": "ternent/core"
+    }
+  ],
+  "commit": true,
+  "commitMessage": "${type}(${scope}): ${description}",
+  "fixed": [],
+  "linked": [],
+  "access": "restricted",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": []
+}

package/.github/workflows/deploy-armour.yml

@@ -0,0 +1,42 @@
+name: Deploy Armour Package
+
+on:
+  push:
+    tags:
+      - "@ternent/armour-*.*.*"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish @ternent/armour
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Upgrade npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build @ternent/armour
+        run: pnpm --filter @ternent/armour build
+
+      - name: Publish @ternent/armour
+        run: pnpm --filter @ternent/armour publish --no-git-checks --access public --provenance

package/.github/workflows/deploy-identity.yml

@@ -0,0 +1,42 @@
+name: Deploy Identity Package
+
+on:
+  push:
+    tags:
+      - "@ternent/identity-*.*.*"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish @ternent/identity
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Upgrade npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build @ternent/identity
+        run: pnpm --filter @ternent/identity build
+
+      - name: Publish @ternent/identity
+        run: pnpm --filter @ternent/identity publish --no-git-checks --access public --provenance

package/.github/workflows/deploy-seal.yml

@@ -0,0 +1,42 @@
+name: Deploy Seal Package
+
+on:
+  push:
+    tags:
+      - "@ternent/seal-*.*.*"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish @ternent/seal
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Upgrade npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build @ternent/seal
+        run: pnpm --filter @ternent/utils --filter @ternent/identity --filter @ternent/armour --filter @ternent/seal build
+
+      - name: Publish @ternent/seal
+        run: pnpm --filter @ternent/seal publish --no-git-checks --access public --provenance

package/.github/workflows/deploy-ui.yml

@@ -0,0 +1,42 @@
+name: Deploy UI Package
+
+on:
+  push:
+    tags:
+      - "@ternent/ui-*.*.*"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish @ternent/ui
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Upgrade npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build @ternent/ui
+        run: pnpm --filter @ternent/ui build
+
+      - name: Publish @ternent/ui
+        run: pnpm --filter @ternent/ui publish --no-git-checks --access public --provenance

package/.github/workflows/deploy-utils.yml

@@ -0,0 +1,42 @@
+name: Deploy Utils Package
+
+on:
+  push:
+    tags:
+      - "@ternent/utils-*.*.*"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish @ternent/utils
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Upgrade npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build @ternent/utils
+        run: pnpm --filter @ternent/utils build
+
+      - name: Publish @ternent/utils
+        run: pnpm --filter @ternent/utils publish --no-git-checks --access public --provenance

package/.github/workflows/release-create.yml

@@ -0,0 +1,59 @@
+name: Create Release
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  PNPM_CACHE_PATH: ~/.pnpm-store
+  PNPM_CACHE_NAME: pnpm-store-cache
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release:
+    name: Deploy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@master
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Get branch name
+        id: branch
+        run: |
+          echo "branch_name=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
+
+      - name: Get node version
+        id: nvmrc
+        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
+
+      - name: Setup PNPM
+        uses: pnpm/action-setup@v2
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          always-auth: true
+          node-version-file: ".nvmrc"
+          registry-url: https://registry.npmjs.org
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Create release pull request
+        id: changesets
+        uses: changesets/action@v1.4.1
+        with:
+          title: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

package/.github/workflows/release-publish.yml

@@ -0,0 +1,54 @@
+name: Publish Release
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  PNPM_CACHE_PATH: ~/.pnpm-store
+  PNPM_CACHE_NAME: pnpm-store-cache
+
+jobs:
+  release:
+    if: ${{ contains(github.event.head_commit.message, 'changeset-release/') }}
+    name: Deploy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@master
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Get branch name
+        id: branch
+        run: |
+          echo "branch_name=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
+
+      - name: Get node version
+        id: nvmrc
+        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
+
+      - name: Setup PNPM
+        uses: pnpm/action-setup@v2
+        with:
+          version: 10
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          always-auth: true
+          node-version-file: ".nvmrc"
+          registry-url: https://registry.npmjs.org
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Publish Release
+        run: node .ops/publish.mjs
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

package/.nvmrc

@@ -0,0 +1 @@
+23.7.0

package/.ops/publish.mjs

@@ -0,0 +1,31 @@
+import shell from "shelljs";
+
+const packagesToPublish = [
+  "../packages/armour",
+  "../packages/identity",
+  "../packages/ui",
+  "../packages/utils",
+];
+
+let i = 0;
+for (; i < packagesToPublish.length; i++) {
+  const { version, name } = (
+    await import(`${packagesToPublish[i]}/package.json`, { with: { type: "json" } })
+  ).default;
+
+  const fullChangelog = shell
+    .exec(
+      `gh pr list -B "main" -s merged -H changeset-release/"main" --json body --jq '.[].body' -L 1`,
+      { silent: true },
+    )
+    .toString();
+
+  const changelog = fullChangelog?.split(`## ${name}@${version}`)[1]?.split("## ")[1];
+
+  if (changelog) {
+    shell.exec(
+      `gh release create "${name}-${version}" -t "${name}-${version}" -n "${name}-${version}" -n "${changelog}"`,
+      { silent: true },
+    );
+  }
+}

package/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "@ternent/core",
+  "version": "0.0.1",
+  "author": "sam@ternent.dev",
+  "scripts": {
+    "build:ui": "pnpm --filter @ternent/ui build",
+    "fmt": "oxfmt",
+    "fmt:check": "oxfmt --check"
+  },
+  "devDependencies": {
+    "@changesets/changelog-github": "^0.7.0",
+    "@changesets/cli": "^2.31.0",
+    "oxfmt": "^0.50.0",
+    "shelljs": "^0.10.0"
+  }
+}

package/packages/armour/CHANGELOG.md

@@ -0,0 +1,66 @@
+# @ternent/armour
+
+## 0.2.3
+
+### Patch Changes
+
+- [`4c4a1c8`](https://github.com/ternent/core/commit/4c4a1c83f1f8d0ebe354f0589159ba84d60ab8f3) Thanks [@samternent](https://github.com/samternent)! - Adds armour workflow
+
+## 0.2.2
+
+### Patch Changes
+
+- [`e6f7d70`](https://github.com/ternent/core/commit/e6f7d70e7d94bf7d6e6730c228f3f06c250da621) Thanks [@samternent](https://github.com/samternent)! - Publuish armour
+
+## 0.2.1
+
+### Patch Changes
+
+- [`c674665`](https://github.com/ternent/core/commit/c674665919ba0d610b77938c728c75265b343c41) Thanks [@samternent](https://github.com/samternent)! - publish armour
+
+## 0.2.0
+
+### Minor Changes
+
+- [`a73a962`](https://github.com/ternent/core/commit/a73a962540b89985ed5227e3b39742432fbc965e) Thanks [@samternent](https://github.com/samternent)! - Move armour to org
+
+- [`89ed4d7`](https://github.com/ternent/core/commit/89ed4d73d016d1d3b7b2905298cf22977b7f26be) Thanks [@samternent](https://github.com/samternent)! - fix package formats
+
+### Patch Changes
+
+- Updated dependencies [[`89ed4d7`](https://github.com/ternent/core/commit/89ed4d73d016d1d3b7b2905298cf22977b7f26be)]:
+  - @ternent/identity@0.5.0
+
+## 0.1.5
+
+### Patch Changes
+
+- [`cb63d9c1dc91e0cd3924bafd5abcde89cc02992f`](https://github.com/samternent/home/commit/cb63d9c1dc91e0cd3924bafd5abcde89cc02992f) Thanks [@samternent](https://github.com/samternent)! - Fix workflows
+
+- Updated dependencies [[`cb63d9c1dc91e0cd3924bafd5abcde89cc02992f`](https://github.com/samternent/home/commit/cb63d9c1dc91e0cd3924bafd5abcde89cc02992f)]:
+  - @ternent/identity@0.3.1
+  - @ternent/rage@0.1.3
+
+## 0.1.4
+
+### Patch Changes
+
+- [`acf974919a1176da235e7ec7468c46df8bc13402`](https://github.com/samternent/home/commit/acf974919a1176da235e7ec7468c46df8bc13402) Thanks [@samternent](https://github.com/samternent)! - Update build configs
+
+## 0.1.3
+
+### Patch Changes
+
+- [`109f8c3989b16a161a34b933dcad68390d9219c5`](https://github.com/samternent/home/commit/109f8c3989b16a161a34b933dcad68390d9219c5) Thanks [@samternent](https://github.com/samternent)! - Fix deps
+
+## 0.1.2
+
+### Patch Changes
+
+- [`db52303d4c626a97abb4e1fd04ee04019404b6fa`](https://github.com/samternent/home/commit/db52303d4c626a97abb4e1fd04ee04019404b6fa) Thanks [@samternent](https://github.com/samternent)! - fix armour tests
+
+## 0.1.1
+
+### Patch Changes
+
+- [`4d5f4e0deddc1a5cc1aed49745f27b0979adfe7e`](https://github.com/samternent/home/commit/4d5f4e0deddc1a5cc1aed49745f27b0979adfe7e) Thanks [@samternent](https://github.com/samternent)! - adds armour package

package/packages/armour/CLAUDE.md

@@ -0,0 +1,8 @@
+# CLAUDE.md
+
+`@ternent/armour` bridges identity-derived keys and rage encryption APIs.
+
+- Keep scope narrow: encryption/decryption helpers only.
+- Do not add app/domain policy logic here.
+- Do not mix signing concerns into armour APIs.
+- For Concord apps, prefer ledger-native protected entries first; use armour directly only when runtime-layer artifacts require it.

package/packages/armour/README.md

@@ -0,0 +1,103 @@
+# `@ternent/armour`
+
+`@ternent/armour` is the opinionated bridge between `@ternent/identity` and `@ternent/rage`.
+
+It exists to:
+
+- derive age-compatible recipients and secret keys from `@ternent/identity`
+- expose explicit recipient-mode and passphrase-mode encryption APIs
+- keep browser-facing helpers async and environment-safe
+
+It is not:
+
+- a crypto engine
+- a signing library
+- a storage layer
+- a mode-detecting convenience wrapper
+- a transport artifact format
+
+`@ternent/rage` owns encryption and decryption.
+`@ternent/identity` owns seed-backed identity parsing and age derivation.
+`@ternent/armour` composes those two layers without inventing new cryptography.
+Portable artifacts and sealed containers belong to `@ternent/seal`.
+
+## Initialization
+
+All operational APIs are async. Initialize Armour before encrypting or decrypting:
+
+```ts
+import { initArmour } from "@ternent/armour";
+
+await initArmour();
+```
+
+## Identity-based encryption
+
+```ts
+import { createIdentity } from "@ternent/identity";
+import { decryptTextWithIdentity, encryptTextForIdentities, initArmour } from "@ternent/armour";
+
+await initArmour();
+
+const identity = await createIdentity();
+const ciphertext = await encryptTextForIdentities({
+  identities: [identity],
+  text: "hello world",
+});
+
+const plaintext = await decryptTextWithIdentity({
+  identity,
+  data: ciphertext,
+});
+```
+
+## Multi-recipient encryption
+
+```ts
+import { createIdentity } from "@ternent/identity";
+import { decryptWithIdentity, encryptForIdentities, initArmour } from "@ternent/armour";
+
+await initArmour();
+
+const alice = await createIdentity();
+const bob = await createIdentity();
+
+const ciphertext = await encryptForIdentities({
+  identities: [alice, bob],
+  data: new TextEncoder().encode("shared secret"),
+  output: "binary",
+});
+
+const plaintext = await decryptWithIdentity({
+  identity: bob,
+  data: ciphertext,
+});
+```
+
+## Passphrase encryption
+
+```ts
+import { decryptTextWithPassphrase, encryptTextWithPassphrase, initArmour } from "@ternent/armour";
+
+await initArmour();
+
+const ciphertext = await encryptTextWithPassphrase({
+  passphrase: "correct horse battery staple",
+  text: "secret",
+});
+
+const plaintext = await decryptTextWithPassphrase({
+  passphrase: "correct horse battery staple",
+  data: ciphertext,
+});
+```
+
+## Relationship to the lower layers
+
+- `@ternent/identity` defines the identity model and deterministic age derivation
+- `@ternent/rage` performs age-compatible encryption and decryption
+- `@ternent/armour` keeps recipient mode and passphrase mode explicit
+- `@ternent/seal` owns portable artifact formats and signing
+
+Encryption is not signing.
+This package does not imply authenticity, signer identity, or origin integrity.

package/packages/armour/SPEC.md

@@ -0,0 +1,92 @@
+# `@ternent/armour` Specification
+
+`@ternent/armour` does not define or export any portable artifact format.
+Transport containers and sealed artifacts belong to `@ternent/seal`.
+
+## Overview
+
+`@ternent/armour` is the identity-aware encryption bridge above `@ternent/rage`.
+
+It is responsible for:
+
+- parsing `@ternent/identity` serialized identities
+- deriving age recipient and secret key strings from those identities
+- exposing explicit async encryption APIs for recipient mode and passphrase mode
+- normalizing upstream errors into Armour-specific error classes and codes
+
+It is not responsible for:
+
+- raw crypto implementation
+- WASM bootstrap internals beyond delegating `initArmour()` to `initRage()`
+- signing
+- identity seed generation
+- mode autodetection
+- transport containers or portable artifact semantics
+
+## Public API
+
+### Initialization
+
+- `initArmour(): Promise<void>`
+
+### Identity bridge
+
+- `resolveIdentity(input): Promise<SerializedIdentity>`
+- `recipientFromIdentity(input): Promise<string>`
+- `secretKeyFromIdentity(input): Promise<string>`
+
+### Recipient mode
+
+- `encryptForRecipients({ recipients, data, output? }): Promise<Uint8Array>`
+- `decryptWithSecretKey({ secretKey, data }): Promise<Uint8Array>`
+- `encryptForIdentities({ identities, data, output? }): Promise<Uint8Array>`
+- `decryptWithIdentity({ identity, data }): Promise<Uint8Array>`
+
+### Passphrase mode
+
+- `encryptWithPassphrase({ passphrase, data, output? }): Promise<Uint8Array>`
+- `decryptWithPassphrase({ passphrase, data }): Promise<Uint8Array>`
+
+### Text helpers
+
+- `encryptTextForIdentities({ identities, text }): Promise<string>`
+- `decryptTextWithIdentity({ identity, data }): Promise<string>`
+- `encryptTextWithPassphrase({ passphrase, text }): Promise<string>`
+- `decryptTextWithPassphrase({ passphrase, data }): Promise<string>`
+
+### Binary helpers
+
+- `encryptBinaryForIdentities({ identities, data, output? }): Promise<Uint8Array>`
+- `decryptBinaryWithIdentity({ identity, data }): Promise<Uint8Array>`
+- `encryptBinaryWithPassphrase({ passphrase, data, output? }): Promise<Uint8Array>`
+- `decryptBinaryWithPassphrase({ passphrase, data }): Promise<Uint8Array>`
+
+`data` may be a `Uint8Array`, `ArrayBuffer`, `Blob`, or `File` via the `Blob` type path.
+
+## Error model
+
+Armour normalizes upstream failures to:
+
+- `ArmourInitError`
+- `ArmourValidationError`
+- `ArmourIdentityError`
+- `ArmourEncryptionError`
+- `ArmourDecryptionError`
+
+Primary public codes:
+
+- `ARMOUR_INIT_FAILED`
+- `ARMOUR_INVALID_IDENTITY`
+- `ARMOUR_IDENTITY_DERIVATION_FAILED`
+- `ARMOUR_ENCRYPT_FAILED`
+- `ARMOUR_DECRYPT_FAILED`
+
+Additional validation codes may be raised for empty data, invalid recipients, invalid secret keys, empty passphrases, and oversized payloads.
+
+## Boundary rules
+
+- Encryption and decryption must delegate to `@ternent/rage`
+- Identity derivation must delegate to `@ternent/identity`
+- Signing logic must not exist in this package
+- Recipient mode and passphrase mode must remain separate
+- Portable artifacts and sealed containers belong to `@ternent/seal`