@the-ai-company/cbio-node-runtime 1.17.0 → 1.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -2
- package/dist/runtime/child-identity.js +6 -6
- package/dist/runtime/child-identity.js.map +1 -1
- package/dist/runtime/index.d.ts +4 -2
- package/dist/runtime/index.js +1 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/private-vault.d.ts +15 -13
- package/dist/runtime/private-vault.js +69 -20
- package/dist/runtime/private-vault.js.map +1 -1
- package/docs/IDENTITY_MODEL.md +2 -0
- package/docs/REFERENCE.md +20 -2
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -42,7 +42,9 @@ import {
|
|
|
42
42
|
createChildIdentity,
|
|
43
43
|
createIdentity,
|
|
44
44
|
createWorkspaceStorage,
|
|
45
|
-
|
|
45
|
+
ensureIdentityPrivateVault,
|
|
46
|
+
readIdentityPrivateVaultProfile,
|
|
47
|
+
readIdentityPrivateVaultChildrenState,
|
|
46
48
|
restoreIdentity,
|
|
47
49
|
createVault,
|
|
48
50
|
recoverVault,
|
|
@@ -64,10 +66,13 @@ Child identity example:
|
|
|
64
66
|
|
|
65
67
|
```ts
|
|
66
68
|
const rootIdentity = createIdentity({ nickname: 'root' });
|
|
67
|
-
await
|
|
69
|
+
await ensureIdentityPrivateVault(storage, rootIdentity);
|
|
68
70
|
const childIdentity = await createChildIdentity(storage, rootIdentity, {
|
|
69
71
|
nickname: 'worker-1',
|
|
70
72
|
});
|
|
73
|
+
|
|
74
|
+
const profile = await readIdentityPrivateVaultProfile(storage, rootIdentity);
|
|
75
|
+
const children = await readIdentityPrivateVaultChildrenState(storage, rootIdentity.privateKey);
|
|
71
76
|
```
|
|
72
77
|
|
|
73
78
|
Vaults also support an optional human-readable nickname:
|
|
@@ -96,6 +101,8 @@ Each identity now has its own private namespace in storage under `vault/private/
|
|
|
96
101
|
- `profile.json`
|
|
97
102
|
- `children.json`
|
|
98
103
|
|
|
104
|
+
Those files are encrypted with a key derived from the identity private key, so they are not stored as plaintext JSON.
|
|
105
|
+
|
|
99
106
|
## Architecture
|
|
100
107
|
|
|
101
108
|
Core terms:
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { deriveChildIdentity } from "./identity.js";
|
|
2
|
-
import {
|
|
2
|
+
import { ensureIdentityPrivateVault, readIdentityPrivateVaultChildrenState, withIdentityPrivateVaultLock, writeIdentityPrivateVaultChildrenState, } from "./private-vault.js";
|
|
3
3
|
export async function createChildIdentity(storage, parentIdentity, options = {}) {
|
|
4
4
|
const parent = typeof parentIdentity === "string"
|
|
5
5
|
? undefined
|
|
@@ -8,11 +8,11 @@ export async function createChildIdentity(storage, parentIdentity, options = {})
|
|
|
8
8
|
throw new Error("parent identity object is required");
|
|
9
9
|
}
|
|
10
10
|
const run = async () => {
|
|
11
|
-
await
|
|
12
|
-
const state = await
|
|
11
|
+
await ensureIdentityPrivateVault(storage, parent);
|
|
12
|
+
const state = await readIdentityPrivateVaultChildrenState(storage, parent);
|
|
13
13
|
const childIndex = state.nextChildIndex;
|
|
14
14
|
const childIdentity = deriveChildIdentity(parent, childIndex, options);
|
|
15
|
-
await
|
|
15
|
+
await ensureIdentityPrivateVault(storage, childIdentity);
|
|
16
16
|
state.nextChildIndex += 1;
|
|
17
17
|
state.children.push({
|
|
18
18
|
identityId: childIdentity.identityId,
|
|
@@ -21,9 +21,9 @@ export async function createChildIdentity(storage, parentIdentity, options = {})
|
|
|
21
21
|
nickname: childIdentity.nickname,
|
|
22
22
|
publicKey: childIdentity.publicKey,
|
|
23
23
|
});
|
|
24
|
-
await
|
|
24
|
+
await writeIdentityPrivateVaultChildrenState(storage, parent, state);
|
|
25
25
|
return childIdentity;
|
|
26
26
|
};
|
|
27
|
-
return
|
|
27
|
+
return withIdentityPrivateVaultLock(storage, parent, run);
|
|
28
28
|
}
|
|
29
29
|
//# sourceMappingURL=child-identity.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"child-identity.js","sourceRoot":"","sources":["../../src/runtime/child-identity.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"child-identity.js","sourceRoot":"","sources":["../../src/runtime/child-identity.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EACL,0BAA0B,EAC1B,qCAAqC,EACrC,4BAA4B,EAC5B,sCAAsC,GACvC,MAAM,oBAAoB,CAAC;AAI5B,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAyB,EACzB,cAAwC,EACxC,UAAsC,EAAE;IAExC,MAAM,MAAM,GACV,OAAO,cAAc,KAAK,QAAQ;QAChC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,cAAc,CAAC;IACrB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,IAA4B,EAAE;QAC7C,MAAM,0BAA0B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,MAAM,qCAAqC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3E,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC;QACxC,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,0BAA0B,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACzD,KAAK,CAAC,cAAc,IAAI,CAAC,CAAC;QAC1B,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;YAClB,UAAU,EAAE,aAAa,CAAC,UAAU;YACpC,gBAAgB,EAAE,aAAa,CAAC,gBAAiB;YACjD,UAAU;YACV,QAAQ,EAAE,aAAa,CAAC,QAAQ;YAChC,SAAS,EAAE,aAAa,CAAC,SAAS;SACnC,CAAC,CAAC;QACH,MAAM,sCAAsC,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACrE,OAAO,aAAa,CAAC;IACvB,CAAC,CAAC;IACF,OAAO,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;AAC5D,CAAC"}
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -12,7 +12,7 @@ export { createIdentity, deriveChildIdentity, restoreIdentity, type CreateIdenti
|
|
|
12
12
|
export { createChildIdentity, type CreateChildIdentityOptions, } from "./child-identity.js";
|
|
13
13
|
export { readVaultProfile, writeVaultProfile, type VaultProfile, } from "./vault-metadata.js";
|
|
14
14
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
15
|
-
export {
|
|
15
|
+
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState, } from "./private-vault.js";
|
|
16
16
|
export { createVault, recoverVault, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, } from "./bootstrap.js";
|
|
17
17
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerDefineSecretTargetsCommand, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
|
|
18
18
|
export { createVaultClient, type VaultClient, type CreateVaultClientOptions, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type OwnerDefineSecretTargetsInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerStoreSecretInput, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
|
|
@@ -34,7 +34,9 @@ export interface CbioRuntime {
|
|
|
34
34
|
restoreIdentity: typeof import("./identity.js").restoreIdentity;
|
|
35
35
|
createChildIdentity: typeof import("./child-identity.js").createChildIdentity;
|
|
36
36
|
deriveChildIdentity: typeof import("./identity.js").deriveChildIdentity;
|
|
37
|
-
|
|
37
|
+
ensureIdentityPrivateVault: typeof import("./private-vault.js").ensureIdentityPrivateVault;
|
|
38
|
+
readIdentityPrivateVaultProfile: typeof import("./private-vault.js").readIdentityPrivateVaultProfile;
|
|
39
|
+
readIdentityPrivateVaultChildrenState: typeof import("./private-vault.js").readIdentityPrivateVaultChildrenState;
|
|
38
40
|
createVault: typeof import("./bootstrap.js").createVault;
|
|
39
41
|
recoverVault: typeof import("./bootstrap.js").recoverVault;
|
|
40
42
|
createVaultClient: typeof import("../clients/owner/index.js").createVaultClient;
|
package/dist/runtime/index.js
CHANGED
|
@@ -11,7 +11,7 @@ export { createIdentity, deriveChildIdentity, restoreIdentity, } from "./identit
|
|
|
11
11
|
export { createChildIdentity, } from "./child-identity.js";
|
|
12
12
|
export { readVaultProfile, writeVaultProfile, } from "./vault-metadata.js";
|
|
13
13
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
14
|
-
export {
|
|
14
|
+
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, } from "./private-vault.js";
|
|
15
15
|
export { createVault, recoverVault, } from "./bootstrap.js";
|
|
16
16
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
|
|
17
17
|
export { createVaultClient, } from "../clients/owner/index.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,+BAA+B,EAC/B,qCAAqC,EACrC,0BAA0B,EAC1B,8BAA8B,EAC9B,+BAA+B,GAIhC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,GAMb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,oCAAoC,EACpC,uBAAuB,EACvB,oCAAoC,EACpC,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA+CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAclB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC"}
|
|
@@ -1,28 +1,30 @@
|
|
|
1
1
|
import type { IStorageProvider } from "../storage/provider.js";
|
|
2
|
-
import type
|
|
3
|
-
export interface
|
|
2
|
+
import { type CreatedIdentity } from "./identity.js";
|
|
3
|
+
export interface IdentityPrivateVaultProfile {
|
|
4
4
|
identityId: string;
|
|
5
5
|
nickname?: string;
|
|
6
6
|
publicKey: string;
|
|
7
7
|
parentIdentityId?: string;
|
|
8
8
|
childIndex?: number;
|
|
9
9
|
}
|
|
10
|
-
export interface
|
|
10
|
+
export interface IdentityPrivateVaultChildRecord {
|
|
11
11
|
identityId: string;
|
|
12
12
|
parentIdentityId: string;
|
|
13
13
|
childIndex: number;
|
|
14
14
|
nickname?: string;
|
|
15
15
|
publicKey: string;
|
|
16
16
|
}
|
|
17
|
-
export interface
|
|
17
|
+
export interface IdentityPrivateVaultChildrenState {
|
|
18
18
|
nextChildIndex: number;
|
|
19
|
-
children:
|
|
19
|
+
children: IdentityPrivateVaultChildRecord[];
|
|
20
20
|
}
|
|
21
|
-
|
|
22
|
-
export declare function
|
|
23
|
-
export declare function
|
|
24
|
-
export declare function
|
|
25
|
-
export declare function
|
|
26
|
-
export declare function
|
|
27
|
-
export declare function
|
|
28
|
-
export declare function
|
|
21
|
+
type IdentityPrivateVaultAccess = CreatedIdentity | string;
|
|
22
|
+
export declare function identityPrivateVaultPrefix(identityId: string): string;
|
|
23
|
+
export declare function identityPrivateVaultProfileKey(identityId: string): string;
|
|
24
|
+
export declare function identityPrivateVaultChildrenKey(identityId: string): string;
|
|
25
|
+
export declare function ensureIdentityPrivateVault(storage: IStorageProvider, identity: CreatedIdentity): Promise<void>;
|
|
26
|
+
export declare function readIdentityPrivateVaultProfile(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultProfile | null>;
|
|
27
|
+
export declare function readIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultChildrenState>;
|
|
28
|
+
export declare function writeIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, state: IdentityPrivateVaultChildrenState): Promise<void>;
|
|
29
|
+
export declare function withIdentityPrivateVaultLock<T>(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, task: () => Promise<T>): Promise<T>;
|
|
30
|
+
export {};
|
|
@@ -1,19 +1,64 @@
|
|
|
1
1
|
import { Buffer } from "node:buffer";
|
|
2
|
+
import { createHash } from "node:crypto";
|
|
3
|
+
import { SEALED_BLOB_VERSION, sealBlob, unsealBlob } from "../sealed/seal.js";
|
|
4
|
+
import { restoreIdentity } from "./identity.js";
|
|
2
5
|
const PRIVATE_VAULT_PREFIX = "vault/private/identities";
|
|
3
6
|
const PRIVATE_VAULT_LOCK_SUFFIX = ".lock";
|
|
4
|
-
export function
|
|
7
|
+
export function identityPrivateVaultPrefix(identityId) {
|
|
5
8
|
return `${PRIVATE_VAULT_PREFIX}/${identityId}`;
|
|
6
9
|
}
|
|
7
|
-
export function
|
|
8
|
-
return `${
|
|
10
|
+
export function identityPrivateVaultProfileKey(identityId) {
|
|
11
|
+
return `${identityPrivateVaultPrefix(identityId)}/profile.json`;
|
|
9
12
|
}
|
|
10
|
-
export function
|
|
11
|
-
return `${
|
|
13
|
+
export function identityPrivateVaultChildrenKey(identityId) {
|
|
14
|
+
return `${identityPrivateVaultPrefix(identityId)}/children.json`;
|
|
12
15
|
}
|
|
13
16
|
function lockKey(identityId) {
|
|
14
|
-
return `${
|
|
17
|
+
return `${identityPrivateVaultPrefix(identityId)}${PRIVATE_VAULT_LOCK_SUFFIX}`;
|
|
15
18
|
}
|
|
16
|
-
|
|
19
|
+
function normalizeIdentityAccess(identityOrPrivateKey) {
|
|
20
|
+
if (typeof identityOrPrivateKey === "string") {
|
|
21
|
+
return restoreIdentity(identityOrPrivateKey);
|
|
22
|
+
}
|
|
23
|
+
return identityOrPrivateKey;
|
|
24
|
+
}
|
|
25
|
+
function deriveIdentityPrivateVaultKey(identity) {
|
|
26
|
+
return createHash("sha256")
|
|
27
|
+
.update("cbio:identity-private-vault:v1")
|
|
28
|
+
.update("\n")
|
|
29
|
+
.update(identity.identityId)
|
|
30
|
+
.update("\n")
|
|
31
|
+
.update(identity.privateKey)
|
|
32
|
+
.digest("base64url");
|
|
33
|
+
}
|
|
34
|
+
function sealIdentityPrivateVaultJson(identity, value, kind) {
|
|
35
|
+
const sealed = sealBlob({
|
|
36
|
+
version: SEALED_BLOB_VERSION,
|
|
37
|
+
secrets: {
|
|
38
|
+
payload: JSON.stringify(value),
|
|
39
|
+
},
|
|
40
|
+
secretMetadata: {
|
|
41
|
+
kind,
|
|
42
|
+
identityId: identity.identityId,
|
|
43
|
+
},
|
|
44
|
+
}, deriveIdentityPrivateVaultKey(identity));
|
|
45
|
+
return Buffer.from(sealed, "utf8");
|
|
46
|
+
}
|
|
47
|
+
function unsealIdentityPrivateVaultJson(identity, payload, expectedKind) {
|
|
48
|
+
const unsealed = unsealBlob(payload.toString("utf8"), deriveIdentityPrivateVaultKey(identity));
|
|
49
|
+
if (unsealed.secretMetadata.kind !== expectedKind) {
|
|
50
|
+
throw new Error(`unexpected identity private vault payload kind: ${String(unsealed.secretMetadata.kind)}`);
|
|
51
|
+
}
|
|
52
|
+
if (unsealed.secretMetadata.identityId !== identity.identityId) {
|
|
53
|
+
throw new Error("identity private vault payload identity mismatch");
|
|
54
|
+
}
|
|
55
|
+
const secretPayload = unsealed.secrets.payload;
|
|
56
|
+
if (typeof secretPayload !== "string") {
|
|
57
|
+
throw new Error("identity private vault payload missing body");
|
|
58
|
+
}
|
|
59
|
+
return JSON.parse(secretPayload);
|
|
60
|
+
}
|
|
61
|
+
export async function ensureIdentityPrivateVault(storage, identity) {
|
|
17
62
|
const profile = {
|
|
18
63
|
identityId: identity.identityId,
|
|
19
64
|
nickname: identity.nickname,
|
|
@@ -21,40 +66,44 @@ export async function ensurePrivateVault(storage, identity) {
|
|
|
21
66
|
parentIdentityId: identity.parentIdentityId,
|
|
22
67
|
childIndex: identity.childIndex,
|
|
23
68
|
};
|
|
24
|
-
await storage.write(
|
|
25
|
-
const childrenKey =
|
|
69
|
+
await storage.write(identityPrivateVaultProfileKey(identity.identityId), sealIdentityPrivateVaultJson(identity, profile, "identity_private_vault_profile"));
|
|
70
|
+
const childrenKey = identityPrivateVaultChildrenKey(identity.identityId);
|
|
26
71
|
if (!(await storage.has(childrenKey))) {
|
|
27
72
|
const emptyState = {
|
|
28
73
|
nextChildIndex: 0,
|
|
29
74
|
children: [],
|
|
30
75
|
};
|
|
31
|
-
await storage.write(childrenKey,
|
|
76
|
+
await storage.write(childrenKey, sealIdentityPrivateVaultJson(identity, emptyState, "identity_private_vault_children"));
|
|
32
77
|
}
|
|
33
78
|
}
|
|
34
|
-
export async function
|
|
35
|
-
const
|
|
79
|
+
export async function readIdentityPrivateVaultProfile(storage, identityOrPrivateKey) {
|
|
80
|
+
const identity = normalizeIdentityAccess(identityOrPrivateKey);
|
|
81
|
+
const raw = await storage.read(identityPrivateVaultProfileKey(identity.identityId));
|
|
36
82
|
if (!raw) {
|
|
37
83
|
return null;
|
|
38
84
|
}
|
|
39
|
-
return
|
|
85
|
+
return unsealIdentityPrivateVaultJson(identity, raw, "identity_private_vault_profile");
|
|
40
86
|
}
|
|
41
|
-
export async function
|
|
42
|
-
const
|
|
87
|
+
export async function readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey) {
|
|
88
|
+
const identity = normalizeIdentityAccess(identityOrPrivateKey);
|
|
89
|
+
const raw = await storage.read(identityPrivateVaultChildrenKey(identity.identityId));
|
|
43
90
|
if (!raw) {
|
|
44
91
|
return { nextChildIndex: 0, children: [] };
|
|
45
92
|
}
|
|
46
|
-
const parsed =
|
|
93
|
+
const parsed = unsealIdentityPrivateVaultJson(identity, raw, "identity_private_vault_children");
|
|
47
94
|
return {
|
|
48
95
|
nextChildIndex: parsed.nextChildIndex ?? parsed.children.length,
|
|
49
96
|
children: parsed.children ?? [],
|
|
50
97
|
};
|
|
51
98
|
}
|
|
52
|
-
export async function
|
|
53
|
-
|
|
99
|
+
export async function writeIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey, state) {
|
|
100
|
+
const identity = normalizeIdentityAccess(identityOrPrivateKey);
|
|
101
|
+
await storage.write(identityPrivateVaultChildrenKey(identity.identityId), sealIdentityPrivateVaultJson(identity, state, "identity_private_vault_children"));
|
|
54
102
|
}
|
|
55
|
-
export async function
|
|
103
|
+
export async function withIdentityPrivateVaultLock(storage, identityOrPrivateKey, task) {
|
|
104
|
+
const identity = normalizeIdentityAccess(identityOrPrivateKey);
|
|
56
105
|
if (storage.withLock) {
|
|
57
|
-
return storage.withLock(lockKey(identityId), task);
|
|
106
|
+
return storage.withLock(lockKey(identity.identityId), task);
|
|
58
107
|
}
|
|
59
108
|
return task();
|
|
60
109
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE9E,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;AAEtE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;AACxD,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAyB1C,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,OAAO,GAAG,oBAAoB,IAAI,UAAU,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,eAAe,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,gBAAgB,CAAC;AACnE,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,GAAG,yBAAyB,EAAE,CAAC;AACjF,CAAC;AAED,SAAS,uBAAuB,CAAC,oBAAgD;IAC/E,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;QAC7C,OAAO,eAAe,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,SAAS,6BAA6B,CAAC,QAAyB;IAC9D,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,gCAAgC,CAAC;SACxC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAyB,EAAE,KAAc,EAAE,IAAY;IAC3F,MAAM,MAAM,GAAG,QAAQ,CACrB;QACE,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE;YACP,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC/B;QACD,cAAc,EAAE;YACd,IAAI;YACJ,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC;KACF,EACD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,8BAA8B,CACrC,QAAyB,EACzB,OAAe,EACf,YAAoB;IAEpB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,6BAA6B,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/F,IAAI,QAAQ,CAAC,cAAc,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,mDAAmD,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7G,CAAC;IACD,IAAI,QAAQ,CAAC,cAAc,CAAC,UAAU,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC;IAC/C,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAM,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,OAAyB,EACzB,QAAyB;IAEzB,MAAM,OAAO,GAAgC;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;IACF,MAAM,OAAO,CAAC,KAAK,CACjB,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACnD,4BAA4B,CAAC,QAAQ,EAAE,OAAO,EAAE,gCAAgC,CAAC,CAClF,CAAC;IAEF,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACtC,MAAM,UAAU,GAAsC;YACpD,cAAc,EAAE,CAAC;YACjB,QAAQ,EAAE,EAAE;SACb,CAAC;QACF,MAAM,OAAO,CAAC,KAAK,CACjB,WAAW,EACX,4BAA4B,CAAC,QAAQ,EAAE,UAAU,EAAE,iCAAiC,CAAC,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IACpF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,8BAA8B,CACnC,QAAQ,EACR,GAAG,EACH,gCAAgC,CACjC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IACrF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,cAAc,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC7C,CAAC;IACD,MAAM,MAAM,GAAG,8BAA8B,CAC3C,QAAQ,EACR,GAAG,EACH,iCAAiC,CAClC,CAAC;IACF,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM;QAC/D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAyB,EACzB,oBAAgD,EAChD,KAAwC;IAExC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,OAAO,CAAC,KAAK,CACjB,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,4BAA4B,CAAC,QAAQ,EAAE,KAAK,EAAE,iCAAiC,CAAC,CACjF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAyB,EACzB,oBAAgD,EAChD,IAAsB;IAEtB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,EAAE,CAAC;AAChB,CAAC"}
|
package/docs/IDENTITY_MODEL.md
CHANGED
|
@@ -80,6 +80,8 @@ For existing private keys, the runtime exposes `restoreIdentity(...)`, which rec
|
|
|
80
80
|
|
|
81
81
|
For child identities, the runtime exposes `createChildIdentity(storage, parentIdentity, { nickname })` for user-facing creation, and `deriveChildIdentity(parentIdentity, childIndex, { nickname })` for deterministic reconstruction when the stored `childIndex` is known. `nickname` remains display-only.
|
|
82
82
|
|
|
83
|
+
Identity-private state is stored under `vault/private/identities/<identityId>/...` and encrypted with a key derived from that identity's private key. To inspect those records, callers use `readIdentityPrivateVaultProfile(...)` and `readIdentityPrivateVaultChildrenState(...)` with the identity object or private key.
|
|
84
|
+
|
|
83
85
|
In other words:
|
|
84
86
|
|
|
85
87
|
- public key or a stable derived id answers "who is this cryptographically"
|
package/docs/REFERENCE.md
CHANGED
|
@@ -18,7 +18,9 @@ The main constructors are:
|
|
|
18
18
|
- `createIdentity(...)`
|
|
19
19
|
- `createChildIdentity(...)`
|
|
20
20
|
- `deriveChildIdentity(...)`
|
|
21
|
-
- `
|
|
21
|
+
- `ensureIdentityPrivateVault(...)`
|
|
22
|
+
- `readIdentityPrivateVaultProfile(...)`
|
|
23
|
+
- `readIdentityPrivateVaultChildrenState(...)`
|
|
22
24
|
- `restoreIdentity(...)`
|
|
23
25
|
- `createVault(...)`
|
|
24
26
|
- `recoverVault(...)`
|
|
@@ -76,13 +78,29 @@ Role rules:
|
|
|
76
78
|
|
|
77
79
|
`deriveChildIdentity(parentIdentity, childIndex, { nickname })` deterministically reconstructs a child identity for a known `childIndex`.
|
|
78
80
|
|
|
79
|
-
`
|
|
81
|
+
`ensureIdentityPrivateVault(storage, identity)` creates or refreshes the identity's fixed namespace under `vault/private/identities/<identityId>/...`.
|
|
82
|
+
|
|
83
|
+
That namespace stores identity-level files such as:
|
|
80
84
|
|
|
81
85
|
- `profile.json`
|
|
82
86
|
- `children.json`
|
|
83
87
|
|
|
88
|
+
Those files are encrypted at rest with a key derived from that identity's private key. They are not readable as plain JSON on disk.
|
|
89
|
+
|
|
84
90
|
`restoreIdentity(privateKey)` returns the same shape for an existing private key.
|
|
85
91
|
|
|
92
|
+
`readIdentityPrivateVaultProfile(storage, identityOrPrivateKey)` decrypts and returns the current identity profile for the supplied identity or private key.
|
|
93
|
+
|
|
94
|
+
`readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey)` decrypts and returns the child index state for the supplied identity or private key.
|
|
95
|
+
|
|
96
|
+
Typical relationship lookup flow when you already have a private key:
|
|
97
|
+
|
|
98
|
+
1. `const identity = restoreIdentity(privateKey)`
|
|
99
|
+
2. `const profile = await readIdentityPrivateVaultProfile(storage, identity)`
|
|
100
|
+
3. `const children = await readIdentityPrivateVaultChildrenState(storage, identity)`
|
|
101
|
+
|
|
102
|
+
`profile.parentIdentityId` tells you whether the identity is a child. `children.children` tells you which child identities were created beneath that identity.
|
|
103
|
+
|
|
86
104
|
## Secret-Flow Model
|
|
87
105
|
|
|
88
106
|
The current HTTP-facing API supports two explicit secret-flow classes:
|
package/package.json
CHANGED