@the-ai-company/cbio-node-runtime 1.10.0 → 1.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -3
- package/dist/runtime/identity.d.ts +2 -1
- package/dist/runtime/identity.js +36 -7
- package/dist/runtime/identity.js.map +1 -1
- package/dist/runtime/index.d.ts +1 -1
- package/dist/runtime/index.js +1 -1
- package/dist/runtime/index.js.map +1 -1
- package/docs/IDENTITY_MODEL.md +1 -1
- package/docs/REFERENCE.md +4 -4
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -42,7 +42,6 @@ import {
|
|
|
42
42
|
createVaultService,
|
|
43
43
|
createDefaultVaultCoreDependencies,
|
|
44
44
|
createIdentity,
|
|
45
|
-
deriveIdentity,
|
|
46
45
|
restoreIdentity,
|
|
47
46
|
createVault,
|
|
48
47
|
recoverVault,
|
|
@@ -67,7 +66,7 @@ Child identity example:
|
|
|
67
66
|
|
|
68
67
|
```ts
|
|
69
68
|
const rootIdentity = createIdentity({ nickname: 'root' });
|
|
70
|
-
const childIdentity =
|
|
69
|
+
const childIdentity = createIdentity(rootIdentity, {
|
|
71
70
|
nickname: 'worker-1',
|
|
72
71
|
});
|
|
73
72
|
```
|
|
@@ -88,7 +87,7 @@ Important role rule:
|
|
|
88
87
|
- outside the vault there are only identities
|
|
89
88
|
- inside a specific vault, those identities may be bound to roles such as `owner` or `agent`
|
|
90
89
|
- root identities are independent
|
|
91
|
-
- child identities may be deterministically derived from a parent identity
|
|
90
|
+
- child identities may be deterministically derived from a parent identity
|
|
92
91
|
|
|
93
92
|
The public runtime surface follows four hard rules:
|
|
94
93
|
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
export interface CreatedIdentity {
|
|
2
2
|
identityId: string;
|
|
3
3
|
nickname?: string;
|
|
4
|
+
parentIdentityId?: string;
|
|
4
5
|
publicKey: string;
|
|
5
6
|
privateKey: string;
|
|
6
7
|
}
|
|
@@ -13,6 +14,6 @@ export interface RestoreIdentityOptions {
|
|
|
13
14
|
export interface DeriveIdentityOptions {
|
|
14
15
|
nickname?: string;
|
|
15
16
|
}
|
|
17
|
+
export declare function createIdentity(parent?: CreatedIdentity | string, options?: CreateIdentityOptions): CreatedIdentity;
|
|
16
18
|
export declare function createIdentity(options?: CreateIdentityOptions): CreatedIdentity;
|
|
17
19
|
export declare function restoreIdentity(privateKey: string, options?: RestoreIdentityOptions): CreatedIdentity;
|
|
18
|
-
export declare function deriveIdentity(parentPrivateKey: string, path: string, options?: DeriveIdentityOptions): CreatedIdentity;
|
package/dist/runtime/identity.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { createHmac, createPrivateKey, createPublicKey } from "node:crypto";
|
|
1
|
+
import { createHmac, createPrivateKey, createPublicKey, randomBytes } from "node:crypto";
|
|
2
2
|
import { derivePublicKey, generateIdentityKeys } from "../protocol/crypto.js";
|
|
3
3
|
import { deriveIdentityId } from "../protocol/identity.js";
|
|
4
4
|
const ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
|
|
@@ -17,7 +17,13 @@ function decodeEd25519Seed(privateKey) {
|
|
|
17
17
|
function encodeEd25519PrivateKey(seed) {
|
|
18
18
|
return Buffer.concat([ED25519_PKCS8_PREFIX, seed]).toString("base64url");
|
|
19
19
|
}
|
|
20
|
-
|
|
20
|
+
function toParentPrivateKey(parent) {
|
|
21
|
+
if (!parent) {
|
|
22
|
+
return undefined;
|
|
23
|
+
}
|
|
24
|
+
return typeof parent === "string" ? parent.trim() : parent.privateKey.trim();
|
|
25
|
+
}
|
|
26
|
+
function createRootIdentity(options = {}) {
|
|
21
27
|
const keyPair = generateIdentityKeys();
|
|
22
28
|
if (!keyPair.publicKey || !keyPair.privateKey) {
|
|
23
29
|
throw new Error("identity generation failed");
|
|
@@ -30,6 +36,29 @@ export function createIdentity(options = {}) {
|
|
|
30
36
|
privateKey: keyPair.privateKey,
|
|
31
37
|
};
|
|
32
38
|
}
|
|
39
|
+
export function createIdentity(parentOrOptions, maybeOptions = {}) {
|
|
40
|
+
const hasParent = typeof parentOrOptions === "string" ||
|
|
41
|
+
(typeof parentOrOptions === "object" &&
|
|
42
|
+
parentOrOptions !== null &&
|
|
43
|
+
"privateKey" in parentOrOptions);
|
|
44
|
+
if (!hasParent) {
|
|
45
|
+
return createRootIdentity(parentOrOptions ?? {});
|
|
46
|
+
}
|
|
47
|
+
const parentPrivateKey = toParentPrivateKey(parentOrOptions);
|
|
48
|
+
if (!parentPrivateKey) {
|
|
49
|
+
return createRootIdentity(maybeOptions);
|
|
50
|
+
}
|
|
51
|
+
const nickname = normalizeNickname(maybeOptions.nickname);
|
|
52
|
+
const relationId = randomBytes(16).toString("base64url");
|
|
53
|
+
const childIdentity = deriveIdentity(parentPrivateKey, relationId, { nickname });
|
|
54
|
+
const parentIdentity = typeof parentOrOptions === "string"
|
|
55
|
+
? restoreIdentity(parentPrivateKey)
|
|
56
|
+
: parentOrOptions;
|
|
57
|
+
return {
|
|
58
|
+
...childIdentity,
|
|
59
|
+
parentIdentityId: parentIdentity.identityId,
|
|
60
|
+
};
|
|
61
|
+
}
|
|
33
62
|
export function restoreIdentity(privateKey, options = {}) {
|
|
34
63
|
const normalizedPrivateKey = privateKey.trim();
|
|
35
64
|
if (!normalizedPrivateKey) {
|
|
@@ -44,20 +73,20 @@ export function restoreIdentity(privateKey, options = {}) {
|
|
|
44
73
|
privateKey: normalizedPrivateKey,
|
|
45
74
|
};
|
|
46
75
|
}
|
|
47
|
-
|
|
76
|
+
function deriveIdentity(parentPrivateKey, relationId, options = {}) {
|
|
48
77
|
const normalizedParentPrivateKey = parentPrivateKey.trim();
|
|
49
|
-
const
|
|
78
|
+
const normalizedRelationId = relationId.trim();
|
|
50
79
|
if (!normalizedParentPrivateKey) {
|
|
51
80
|
throw new Error("parent private key is required");
|
|
52
81
|
}
|
|
53
|
-
if (!
|
|
54
|
-
throw new Error("
|
|
82
|
+
if (!normalizedRelationId) {
|
|
83
|
+
throw new Error("relationId is required");
|
|
55
84
|
}
|
|
56
85
|
const parentSeed = decodeEd25519Seed(normalizedParentPrivateKey);
|
|
57
86
|
const childSeed = createHmac("sha256", parentSeed)
|
|
58
87
|
.update("cbio:identity:child:v1")
|
|
59
88
|
.update("\0")
|
|
60
|
-
.update(
|
|
89
|
+
.update(normalizedRelationId)
|
|
61
90
|
.digest();
|
|
62
91
|
const privateKey = encodeEd25519PrivateKey(childSeed);
|
|
63
92
|
const privateKeyObject = createPrivateKey({
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAsB3D,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;AACpF,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,SAAS,iBAAiB,CAAC,QAAiB;IAC1C,OAAO,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACjD,IACE,GAAG,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,GAAG,mBAAmB;QAChE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAC1E,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAiC;IAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAiC,EAAE;IAC7D,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC;QAC/C,QAAQ;QACR,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAID,MAAM,UAAU,cAAc,CAC5B,eAAkE,EAClE,eAAsC,EAAE;IAExC,MAAM,SAAS,GACb,OAAO,eAAe,KAAK,QAAQ;QACnC,CAAC,OAAO,eAAe,KAAK,QAAQ;YAClC,eAAe,KAAK,IAAI;YACxB,YAAY,IAAI,eAAe,CAAC,CAAC;IAErC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,kBAAkB,CAAE,eAAqD,IAAI,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,eAA2C,CAAC,CAAC;IACzF,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,kBAAkB,CAAC,YAAY,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,QAAQ,GAAG,iBAAiB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,cAAc,CAAC,gBAAgB,EAAE,UAAU,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjF,MAAM,cAAc,GAAG,OAAO,eAAe,KAAK,QAAQ;QACxD,CAAC,CAAC,eAAe,CAAC,gBAAgB,CAAC;QACnC,CAAC,CAAC,eAAkC,CAAC;IAEvC,OAAO;QACL,GAAG,aAAa;QAChB,gBAAgB,EAAE,cAAc,CAAC,UAAU;KAC5C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,UAAkC,EAAE;IACtF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,oBAAoB;KACjC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,gBAAwB,EACxB,UAAkB,EAClB,UAAiC,EAAE;IAEnC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC3D,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,0BAA0B,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,0BAA0B,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,wBAAwB,CAAC;SAChC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,oBAAoB,CAAC;SAC5B,MAAM,EAAE,CAAC;IAEZ,MAAM,UAAU,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;QACxC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC;QACzC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAC3B,eAAe,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC;QACvC,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,KAAK;KACd,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExB,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ,EAAE,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC7C,SAAS;QACT,UAAU;KACX,CAAC;AACJ,CAAC"}
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -8,7 +8,7 @@ export { deriveIdentityId } from "../protocol/identity.js";
|
|
|
8
8
|
export type { IStorageProvider } from "../storage/provider.js";
|
|
9
9
|
export { FsStorageProvider } from "../storage/fs.js";
|
|
10
10
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
11
|
-
export { createIdentity,
|
|
11
|
+
export { createIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type CreatedIdentity, } from "./identity.js";
|
|
12
12
|
export { createVault, recoverVault, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
|
|
13
13
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
|
|
14
14
|
export { createVaultClient, type VaultClient, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
|
package/dist/runtime/index.js
CHANGED
|
@@ -7,7 +7,7 @@ export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
|
|
|
7
7
|
export { deriveIdentityId } from "../protocol/identity.js";
|
|
8
8
|
export { FsStorageProvider } from "../storage/fs.js";
|
|
9
9
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
10
|
-
export { createIdentity,
|
|
10
|
+
export { createIdentity, restoreIdentity, } from "./identity.js";
|
|
11
11
|
export { createVault, recoverVault, } from "./bootstrap.js";
|
|
12
12
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
|
|
13
13
|
export { createVaultClient, } from "../clients/owner/index.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,eAAe,GAIhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,WAAW,EACX,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
|
package/docs/IDENTITY_MODEL.md
CHANGED
|
@@ -78,7 +78,7 @@ The runtime now exposes this concept directly as optional `nickname` on `createI
|
|
|
78
78
|
|
|
79
79
|
For existing private keys, the runtime exposes `restoreIdentity(...)`, which reconstructs the same identity shape from the private key alone.
|
|
80
80
|
|
|
81
|
-
For child identities, the runtime exposes `
|
|
81
|
+
For child identities, the runtime exposes `createIdentity(parentIdentity, { nickname })`. Child identities include `parentIdentityId`, while `nickname` remains display-only.
|
|
82
82
|
|
|
83
83
|
In other words:
|
|
84
84
|
|
package/docs/REFERENCE.md
CHANGED
|
@@ -18,7 +18,6 @@ The main constructors are:
|
|
|
18
18
|
- `createVaultCore(...)`
|
|
19
19
|
- `createVaultService(...)`
|
|
20
20
|
- `createIdentity(...)`
|
|
21
|
-
- `deriveIdentity(...)`
|
|
22
21
|
- `restoreIdentity(...)`
|
|
23
22
|
- `createVault(...)`
|
|
24
23
|
- `recoverVault(...)`
|
|
@@ -54,7 +53,7 @@ Role rules:
|
|
|
54
53
|
- outside the vault there are only identities
|
|
55
54
|
- inside a vault, identities are bound to roles such as `owner` or `agent`
|
|
56
55
|
- root identities are independent
|
|
57
|
-
- child identities may be deterministically derived from a parent identity
|
|
56
|
+
- child identities may be deterministically derived from a parent identity
|
|
58
57
|
- the same identity may be `owner` in one vault and `agent` in another
|
|
59
58
|
|
|
60
59
|
## Identity Creation
|
|
@@ -65,12 +64,13 @@ Role rules:
|
|
|
65
64
|
- `publicKey`
|
|
66
65
|
- `privateKey`
|
|
67
66
|
- optional `nickname`
|
|
67
|
+
- optional `parentIdentityId` for child identities
|
|
68
68
|
|
|
69
69
|
`nickname` is human-readable only. It does not affect the derived `identityId`, cryptographic verification, or vault-local role binding.
|
|
70
70
|
|
|
71
|
-
`
|
|
71
|
+
`createIdentity(parentIdentity, { nickname })` creates a child identity when a parent identity is provided, and the returned identity includes `parentIdentityId`.
|
|
72
72
|
|
|
73
|
-
`
|
|
73
|
+
`restoreIdentity(privateKey)` returns the same shape for an existing private key.
|
|
74
74
|
|
|
75
75
|
## Secret-Flow Model
|
|
76
76
|
|
package/package.json
CHANGED