@the-ai-company/cbio-node-runtime 1.18.0 → 1.19.0
- package/README.md +7 -0
- package/dist/runtime/child-identity.js +3 -3
- package/dist/runtime/child-identity.js.map +1 -1
- package/dist/runtime/index.d.ts +2 -0
- package/dist/runtime/private-vault.d.ts +7 -5
- package/dist/runtime/private-vault.js +61 -12
- package/dist/runtime/private-vault.js.map +1 -1
- package/docs/IDENTITY_MODEL.md +2 -0
- package/docs/REFERENCE.md +19 -1
- package/package.json +1 -1
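--- a/package/README.md
+++ b/package/README.md
@@ -43,6 +43,8 @@ import {
 createIdentity,
 createWorkspaceStorage,
 ensureIdentityPrivateVault,
+readIdentityPrivateVaultProfile,
+readIdentityPrivateVaultChildrenState,
 restoreIdentity,
 createVault,
 recoverVault,
@@ -68,6 +70,9 @@ await ensureIdentityPrivateVault(storage, rootIdentity);
 const childIdentity = await createChildIdentity(storage, rootIdentity, {
 nickname: 'worker-1',
 });
+
+const profile = await readIdentityPrivateVaultProfile(storage, rootIdentity);
+const children = await readIdentityPrivateVaultChildrenState(storage, rootIdentity.privateKey);
 ```
 
 Vaults also support an optional human-readable nickname:
@@ -96,6 +101,8 @@ Each identity now has its own private namespace in storage under `vault/private/
 - `profile.json`
 - `children.json`
 
+Those files are encrypted with a key derived from the identity private key, so they are not stored as plaintext JSON.
+
 ## Architecture
 
 Core terms: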
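--- a/package/dist/runtime/child-identity.js
+++ b/package/dist/runtime/child-identity.js
@@ -9,7 +9,7 @@ export async function createChildIdentity(storage, parentIdentity, options = {})
 }
 const run = async () => {
 await ensureIdentityPrivateVault(storage, parent);
-const state = await readIdentityPrivateVaultChildrenState(storage, parent
+const state = await readIdentityPrivateVaultChildrenState(storage, parent);
 const childIndex = state.nextChildIndex;
 const childIdentity = deriveChildIdentity(parent, childIndex, options);
 await ensureIdentityPrivateVault(storage, childIdentity);
@@ -21,9 +21,9 @@ export async function createChildIdentity(storage, parentIdentity, options = {})
 nickname: childIdentity.nickname,
 publicKey: childIdentity.publicKey,
 });
-await writeIdentityPrivateVaultChildrenState(storage, parent
+await writeIdentityPrivateVaultChildrenState(storage, parent, state);
 return childIdentity;
 };
-return withIdentityPrivateVaultLock(storage, parent
+return withIdentityPrivateVaultLock(storage, parent, run);
 }
 //# sourceMappingURL=child-identity.js.map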
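Review bot: The index fed to `deriveChildIdentity(parent, childIndex, options)` is `state.nextChildIndex`, and `readIdentityPrivateVaultChildrenState` substitutes `{ nextChildIndex: 0, children: [] }` whenever the parent's `children.json` is absent, so a lost or reset record would make this function derive an index that was already handed out, after which `ensureIdentityPrivateVault(storage, childIdentity)` silently overwrites the earlier child's profile. Because `deriveChildIdentity` is documented as deterministic for a given `childIndex`, reissuing an index means two callers end up holding the same child identity, which is worth refusing rather than trusting the counter. Before the `ensureIdentityPrivateVault(storage, childIdentity)` call I would add `if (await storage.has(identityPrivateVaultProfileKey(childIdentity.identityId))) throw new Error("child index already in use");` (importing `identityPrivateVaultProfileKey` from `./private-vault.js`), which is cheap inside the lock and turns a silent overwrite into a hard failure. `createChildIdentity` starts before this hunk, so the `parent` normalization it performs is not visible here.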
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"child-identity.js","sourceRoot":"","sources":["../../src/runtime/child-identity.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EACL,0BAA0B,EAC1B,qCAAqC,EACrC,4BAA4B,EAC5B,sCAAsC,GACvC,MAAM,oBAAoB,CAAC;AAI5B,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAyB,EACzB,cAAwC,EACxC,UAAsC,EAAE;IAExC,MAAM,MAAM,GACV,OAAO,cAAc,KAAK,QAAQ;QAChC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,cAAc,CAAC;IACrB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,IAA4B,EAAE;QAC7C,MAAM,0BAA0B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,MAAM,qCAAqC,CAAC,OAAO,EAAE,MAAM,CAAC,
|
|
1
|
+
{"version":3,"file":"child-identity.js","sourceRoot":"","sources":["../../src/runtime/child-identity.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EACL,0BAA0B,EAC1B,qCAAqC,EACrC,4BAA4B,EAC5B,sCAAsC,GACvC,MAAM,oBAAoB,CAAC;AAI5B,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAyB,EACzB,cAAwC,EACxC,UAAsC,EAAE;IAExC,MAAM,MAAM,GACV,OAAO,cAAc,KAAK,QAAQ;QAChC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,cAAc,CAAC;IACrB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,IAA4B,EAAE;QAC7C,MAAM,0BAA0B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,MAAM,qCAAqC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3E,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC;QACxC,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,0BAA0B,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACzD,KAAK,CAAC,cAAc,IAAI,CAAC,CAAC;QAC1B,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;YAClB,UAAU,EAAE,aAAa,CAAC,UAAU;YACpC,gBAAgB,EAAE,aAAa,CAAC,gBAAiB;YACjD,UAAU;YACV,QAAQ,EAAE,aAAa,CAAC,QAAQ;YAChC,SAAS,EAAE,aAAa,CAAC,SAAS;SACnC,CAAC,CAAC;QACH,MAAM,sCAAsC,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QACrE,OAAO,aAAa,CAAC;IACvB,CAAC,CAAC;IACF,OAAO,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;AAC5D,CAAC"}
|
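--- a/package/dist/runtime/index.d.ts
+++ b/package/dist/runtime/index.d.ts
@@ -35,6 +35,8 @@ export interface CbioRuntime {
 createChildIdentity: typeof import("./child-identity.js").createChildIdentity;
 deriveChildIdentity: typeof import("./identity.js").deriveChildIdentity;
 ensureIdentityPrivateVault: typeof import("./private-vault.js").ensureIdentityPrivateVault;
+readIdentityPrivateVaultProfile: typeof import("./private-vault.js").readIdentityPrivateVaultProfile;
+readIdentityPrivateVaultChildrenState: typeof import("./private-vault.js").readIdentityPrivateVaultChildrenState;
 createVault: typeof import("./bootstrap.js").createVault;
 recoverVault: typeof import("./bootstrap.js").recoverVault;
 createVaultClient: typeof import("../clients/owner/index.js").createVaultClient;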
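--- a/package/dist/runtime/private-vault.d.ts
+++ b/package/dist/runtime/private-vault.d.ts
@@ -1,5 +1,5 @@
 import type { IStorageProvider } from "../storage/provider.js";
-import type
+import { type CreatedIdentity } from "./identity.js";
 export interface IdentityPrivateVaultProfile {
 identityId: string;
 nickname?: string;
@@ -18,11 +18,13 @@ export interface IdentityPrivateVaultChildrenState {
 nextChildIndex: number;
 children: IdentityPrivateVaultChildRecord[];
 }
+type IdentityPrivateVaultAccess = CreatedIdentity | string;
 export declare function identityPrivateVaultPrefix(identityId: string): string;
 export declare function identityPrivateVaultProfileKey(identityId: string): string;
 export declare function identityPrivateVaultChildrenKey(identityId: string): string;
 export declare function ensureIdentityPrivateVault(storage: IStorageProvider, identity: CreatedIdentity): Promise<void>;
-export declare function readIdentityPrivateVaultProfile(storage: IStorageProvider,
-export declare function readIdentityPrivateVaultChildrenState(storage: IStorageProvider,
-export declare function writeIdentityPrivateVaultChildrenState(storage: IStorageProvider,
-export declare function withIdentityPrivateVaultLock<T>(storage: IStorageProvider,
+export declare function readIdentityPrivateVaultProfile(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultProfile | null>;
+export declare function readIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultChildrenState>;
+export declare function writeIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, state: IdentityPrivateVaultChildrenState): Promise<void>;
+export declare function withIdentityPrivateVaultLock<T>(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, task: () => Promise<T>): Promise<T>;
+export {};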
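Review bot: `IdentityPrivateVaultAccess` is declared without `export` yet appears in the exported signatures of `readIdentityPrivateVaultProfile` and the three functions below it, so consumers cannot name the parameter type, and nothing in the declaration says that the `string` arm is a raw private key (the runtime hands it straight to `restoreIdentity`). I would export it and say so in a doc comment: `/** A restored identity, or its raw private key string; the string form is a secret — keep it out of logs and error messages. */` followed by `export type IdentityPrivateVaultAccess = CreatedIdentity | string;`. The trailing `export {};` is then no longer needed to keep the file a module, though it is harmless.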
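--- a/package/dist/runtime/private-vault.js
+++ b/package/dist/runtime/private-vault.js
@@ -1,4 +1,7 @@
 import { Buffer } from "node:buffer";
+import { createHash } from "node:crypto";
+import { SEALED_BLOB_VERSION, sealBlob, unsealBlob } from "../sealed/seal.js";
+import { restoreIdentity } from "./identity.js";
 const PRIVATE_VAULT_PREFIX = "vault/private/identities";
 const PRIVATE_VAULT_LOCK_SUFFIX = ".lock";
 export function identityPrivateVaultPrefix(identityId) {
@@ -13,6 +16,48 @@ export function identityPrivateVaultChildrenKey(identityId) {
 function lockKey(identityId) {
 return `${identityPrivateVaultPrefix(identityId)}${PRIVATE_VAULT_LOCK_SUFFIX}`;
 }
+function normalizeIdentityAccess(identityOrPrivateKey) {
+if (typeof identityOrPrivateKey === "string") {
+return restoreIdentity(identityOrPrivateKey);
+}
+return identityOrPrivateKey;
+}
+function deriveIdentityPrivateVaultKey(identity) {
+return createHash("sha256")
+.update("cbio:identity-private-vault:v1")
+.update("\n")
+.update(identity.identityId)
+.update("\n")
+.update(identity.privateKey)
+.digest("base64url");
+}
+function sealIdentityPrivateVaultJson(identity, value, kind) {
+const sealed = sealBlob({
+version: SEALED_BLOB_VERSION,
+secrets: {
+payload: JSON.stringify(value),
+},
+secretMetadata: {
+kind,
+identityId: identity.identityId,
+},
+}, deriveIdentityPrivateVaultKey(identity));
+return Buffer.from(sealed, "utf8");
+}
+function unsealIdentityPrivateVaultJson(identity, payload, expectedKind) {
+const unsealed = unsealBlob(payload.toString("utf8"), deriveIdentityPrivateVaultKey(identity));
+if (unsealed.secretMetadata.kind !== expectedKind) {
+throw new Error(`unexpected identity private vault payload kind: ${String(unsealed.secretMetadata.kind)}`);
+}
+if (unsealed.secretMetadata.identityId !== identity.identityId) {
+throw new Error("identity private vault payload identity mismatch");
+}
+const secretPayload = unsealed.secrets.payload;
+if (typeof secretPayload !== "string") {
+throw new Error("identity private vault payload missing body");
+}
+return JSON.parse(secretPayload);
+}
 export async function ensureIdentityPrivateVault(storage, identity) {
 const profile = {
 identityId: identity.identityId,
@@ -21,40 +66,44 @@ export async function ensureIdentityPrivateVault(storage, identity) {
 parentIdentityId: identity.parentIdentityId,
 childIndex: identity.childIndex,
 };
-await storage.write(identityPrivateVaultProfileKey(identity.identityId),
+await storage.write(identityPrivateVaultProfileKey(identity.identityId), sealIdentityPrivateVaultJson(identity, profile, "identity_private_vault_profile"));
 const childrenKey = identityPrivateVaultChildrenKey(identity.identityId);
 if (!(await storage.has(childrenKey))) {
 const emptyState = {
 nextChildIndex: 0,
 children: [],
 };
-await storage.write(childrenKey,
+await storage.write(childrenKey, sealIdentityPrivateVaultJson(identity, emptyState, "identity_private_vault_children"));
 }
 }
-export async function readIdentityPrivateVaultProfile(storage,
-const
+export async function readIdentityPrivateVaultProfile(storage, identityOrPrivateKey) {
+const identity = normalizeIdentityAccess(identityOrPrivateKey);
+const raw = await storage.read(identityPrivateVaultProfileKey(identity.identityId));
 if (!raw) {
 return null;
 }
-return
+return unsealIdentityPrivateVaultJson(identity, raw, "identity_private_vault_profile");
 }
-export async function readIdentityPrivateVaultChildrenState(storage,
-const
+export async function readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey) {
+const identity = normalizeIdentityAccess(identityOrPrivateKey);
+const raw = await storage.read(identityPrivateVaultChildrenKey(identity.identityId));
 if (!raw) {
 return { nextChildIndex: 0, children: [] };
 }
-const parsed =
+const parsed = unsealIdentityPrivateVaultJson(identity, raw, "identity_private_vault_children");
 return {
 nextChildIndex: parsed.nextChildIndex ?? parsed.children.length,
 children: parsed.children ?? [],
 };
 }
-export async function writeIdentityPrivateVaultChildrenState(storage,
-
+export async function writeIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey, state) {
+const identity = normalizeIdentityAccess(identityOrPrivateKey);
+await storage.write(identityPrivateVaultChildrenKey(identity.identityId), sealIdentityPrivateVaultJson(identity, state, "identity_private_vault_children"));
 }
-export async function withIdentityPrivateVaultLock(storage,
+export async function withIdentityPrivateVaultLock(storage, identityOrPrivateKey, task) {
+const identity = normalizeIdentityAccess(identityOrPrivateKey);
 if (storage.withLock) {
-return storage.withLock(lockKey(identityId), task);
+return storage.withLock(lockKey(identity.identityId), task);
 }
 return task();
 }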
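Review bot: `ensureIdentityPrivateVault` only writes `children.json` when the key is absent (`if (!(await storage.has(childrenKey)))`), so a record left behind by a pre-1.19 runtime — which the README line added in this release implies was plain JSON — is never re-sealed, and the next `readIdentityPrivateVaultChildrenState` hands that plaintext to `unsealBlob`, which will presumably fail with an opaque unseal error rather than a migration hint; `createChildIdentity` runs exactly this sequence, so an existing parent identity may stop producing children after the upgrade. I would either re-seal a legacy record inside `ensureIdentityPrivateVault` or wrap the `unsealBlob` call in `unsealIdentityPrivateVaultJson` so the failure names the likely cause, e.g. `throw new Error("identity private vault record is not a sealed blob (pre-1.19 plaintext?)", { cause: err });`. Separately, both record kinds are sealed under one key (`deriveIdentityPrivateVaultKey` mixes only the identity id and private key), so the `kind` comparison in `unsealIdentityPrivateVaultJson` is the only thing stopping a profile blob from being read back as children state, and that comparison is only meaningful if `sealBlob` authenticates `secretMetadata`, which cannot be confirmed from this file. Folding `kind` into the hash input (`.update(kind)` before `.digest(...)`, with the helper taking `kind`) would make the key itself kind-specific and remove that dependence.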
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE9E,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;AAEtE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;AACxD,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAyB1C,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,OAAO,GAAG,oBAAoB,IAAI,UAAU,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,eAAe,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,gBAAgB,CAAC;AACnE,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,GAAG,yBAAyB,EAAE,CAAC;AACjF,CAAC;AAED,SAAS,uBAAuB,CAAC,oBAAgD;IAC/E,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;QAC7C,OAAO,eAAe,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,SAAS,6BAA6B,CAAC,QAAyB;IAC9D,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,gCAAgC,CAAC;SACxC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAyB,EAAE,KAAc,EAAE,IAAY;IAC3F,MAAM,MAAM,GAAG,QAAQ,CACrB;QACE,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE;YACP,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC/B;QACD,cAAc,EAAE;YACd,IAAI;YACJ,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC;KACF,EACD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,8BAA8B,CACrC,QAAyB,EACzB,OAAe,EACf,YAAoB;IAEpB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,6BAA6B,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/F,IAAI,QAAQ,CAAC,cAAc,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,mDAAmD,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7G,CAAC;IACD,IAAI,QAAQ,CAAC,cAAc,CAAC,UAAU,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC;IAC/C,IAAI,OAAO,aAAa,KAAK,QA
AQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAM,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,OAAyB,EACzB,QAAyB;IAEzB,MAAM,OAAO,GAAgC;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;IACF,MAAM,OAAO,CAAC,KAAK,CACjB,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACnD,4BAA4B,CAAC,QAAQ,EAAE,OAAO,EAAE,gCAAgC,CAAC,CAClF,CAAC;IAEF,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACtC,MAAM,UAAU,GAAsC;YACpD,cAAc,EAAE,CAAC;YACjB,QAAQ,EAAE,EAAE;SACb,CAAC;QACF,MAAM,OAAO,CAAC,KAAK,CACjB,WAAW,EACX,4BAA4B,CAAC,QAAQ,EAAE,UAAU,EAAE,iCAAiC,CAAC,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IACpF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,8BAA8B,CACnC,QAAQ,EACR,GAAG,EACH,gCAAgC,CACjC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IACrF,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,cAAc,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC7C,CAAC;IACD,MAAM,MAAM,GAAG,8BAA8B,CAC3C,QAAQ,EACR,GAAG,EACH,iCAAiC,CAClC,CAAC;IACF,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM;QAC/D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAyB,EACzB,oBAAgD,EAChD,KAAwC;IAExC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,OAAO,CAAC,KAAK,CACjB,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,4BAA4B,CAAC,QAAQ,EAAE,KAAK,EAAE,iCAAiC,CAAC,CACjF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAyB,EACzB,oBAAgD,EAChD,IAAsB;IAEtB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAA
oB,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,EAAE,CAAC;AAChB,CAAC"}
|
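--- a/package/docs/IDENTITY_MODEL.md
+++ b/package/docs/IDENTITY_MODEL.md
@@ -80,6 +80,8 @@ For existing private keys, the runtime exposes `restoreIdentity(...)`, which rec
 
 For child identities, the runtime exposes `createChildIdentity(storage, parentIdentity, { nickname })` for user-facing creation, and `deriveChildIdentity(parentIdentity, childIndex, { nickname })` for deterministic reconstruction when the stored `childIndex` is known. `nickname` remains display-only.
 
+Identity-private state is stored under `vault/private/identities/<identityId>/...` and encrypted with a key derived from that identity's private key. To inspect those records, callers use `readIdentityPrivateVaultProfile(...)` and `readIdentityPrivateVaultChildrenState(...)` with the identity object or private key.
+
 In other words:
 
 - public key or a stable derived id answers "who is this cryptographically"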
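--- a/package/docs/REFERENCE.md
+++ b/package/docs/REFERENCE.md
@@ -19,6 +19,8 @@ The main constructors are:
 - `createChildIdentity(...)`
 - `deriveChildIdentity(...)`
 - `ensureIdentityPrivateVault(...)`
+- `readIdentityPrivateVaultProfile(...)`
+- `readIdentityPrivateVaultChildrenState(...)`
 - `restoreIdentity(...)`
 - `createVault(...)`
 - `recoverVault(...)`
@@ -76,13 +78,29 @@ Role rules:
 
 `deriveChildIdentity(parentIdentity, childIndex, { nickname })` deterministically reconstructs a child identity for a known `childIndex`.
 
-`ensureIdentityPrivateVault(storage, identity)` creates or refreshes the identity's fixed namespace under `vault/private/identities/<identityId>/...`.
+`ensureIdentityPrivateVault(storage, identity)` creates or refreshes the identity's fixed namespace under `vault/private/identities/<identityId>/...`.
+
+That namespace stores identity-level files such as:
 
 - `profile.json`
 - `children.json`
 
+Those files are encrypted at rest with a key derived from that identity's private key. They are not readable as plain JSON on disk.
+
 `restoreIdentity(privateKey)` returns the same shape for an existing private key.
 
+`readIdentityPrivateVaultProfile(storage, identityOrPrivateKey)` decrypts and returns the current identity profile for the supplied identity or private key.
+
+`readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey)` decrypts and returns the child index state for the supplied identity or private key.
+
+Typical relationship lookup flow when you already have a private key:
+
+1. `const identity = restoreIdentity(privateKey)`
+2. `const profile = await readIdentityPrivateVaultProfile(storage, identity)`
+3. `const children = await readIdentityPrivateVaultChildrenState(storage, identity)`
+
+`profile.parentIdentityId` tells you whether the identity is a child. `children.children` tells you which child identities were created beneath that identity.
+
 ## Secret-Flow Model
 
 The current HTTP-facing API supports two explicit secret-flow classes: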
package/package.json
CHANGED