@the-ai-company/cbio-node-runtime 1.34.0 → 1.35.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/runtime/bootstrap.d.ts +4 -7
- package/dist/runtime/bootstrap.js +10 -24
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/index.d.ts +3 -3
- package/dist/runtime/index.js +1 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/private-vault.d.ts +7 -12
- package/dist/runtime/private-vault.js +19 -46
- package/dist/runtime/private-vault.js.map +1 -1
- package/dist/runtime/vault-metadata.d.ts +3 -5
- package/dist/runtime/vault-metadata.js +3 -13
- package/dist/runtime/vault-metadata.js.map +1 -1
- package/package.json +1 -1
- package/dist/runtime/verifiable-metadata.d.ts +0 -18
- package/dist/runtime/verifiable-metadata.js +0 -72
- package/dist/runtime/verifiable-metadata.js.map +0 -1
|
@@ -2,14 +2,13 @@ import { type CreatePersistentVaultCoreDependenciesOptions, type VaultCore } fro
|
|
|
2
2
|
import { type VaultService, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
|
|
3
3
|
import type { IStorageProvider } from "../storage/provider.js";
|
|
4
4
|
import type { CreatedIdentity } from "./identity.js";
|
|
5
|
-
export interface
|
|
5
|
+
export interface VaultMetadata extends Record<string, any> {
|
|
6
6
|
nickname?: string;
|
|
7
7
|
ownerId?: string;
|
|
8
8
|
}
|
|
9
9
|
export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey" | "vaultId"> {
|
|
10
10
|
vaultId?: string;
|
|
11
11
|
nickname?: string;
|
|
12
|
-
publicMetadata?: VaultPublicMetadata;
|
|
13
12
|
ownerIdentity: CreatedIdentity;
|
|
14
13
|
vault?: {
|
|
15
14
|
customFlows?: VaultCustomFlowResolver;
|
|
@@ -65,9 +64,7 @@ export declare function recoverVault(storage: IStorageProvider, options: Recover
|
|
|
65
64
|
*/
|
|
66
65
|
export declare function recoverVault(options: RecoverVaultOptions): Promise<RecoveredVault>;
|
|
67
66
|
/**
|
|
68
|
-
* Lists all
|
|
67
|
+
* Lists all vault IDs in the workspace.
|
|
68
|
+
* Metadata requires the owner's private key to decrypt.
|
|
69
69
|
*/
|
|
70
|
-
export declare function listVaults(storage: IStorageProvider): Promise<
|
|
71
|
-
vaultId: string;
|
|
72
|
-
public: VaultPublicMetadata;
|
|
73
|
-
}>>;
|
|
70
|
+
export declare function listVaults(storage: IStorageProvider): Promise<string[]>;
|
|
@@ -5,7 +5,6 @@ import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
|
|
|
5
5
|
import { createPrefixedStorage } from "../storage/prefix.js";
|
|
6
6
|
import { readVaultProfile, writeVaultProfile } from "./vault-metadata.js";
|
|
7
7
|
import { createWorkspaceStorage } from "./workspace-storage.js";
|
|
8
|
-
import { writeVerifiableMetadata, readVerifiableMetadata } from "./verifiable-metadata.js";
|
|
9
8
|
function deriveVaultWorkingKey(privateKey, vaultId) {
|
|
10
9
|
return crypto
|
|
11
10
|
.createHash("sha256")
|
|
@@ -50,20 +49,14 @@ export async function createVault(storageOrOptions, maybeOptions) {
|
|
|
50
49
|
};
|
|
51
50
|
await core.bootstrapOwnerIdentity(bootstrapOwner);
|
|
52
51
|
const nickname = options.nickname?.trim() ? options.nickname.trim() : undefined;
|
|
53
|
-
//
|
|
54
|
-
const publicMetadata = {
|
|
55
|
-
...(options.publicMetadata || {}),
|
|
56
|
-
...(nickname ? { nickname } : {})
|
|
57
|
-
};
|
|
52
|
+
// All metadata (including nickname) is now stored in the encrypted sealed profile
|
|
58
53
|
await writeVaultProfile(storage, {
|
|
59
54
|
sealed: {
|
|
60
55
|
vaultId,
|
|
61
|
-
|
|
56
|
+
nickname,
|
|
57
|
+
ownerId: options.ownerIdentity.identityId,
|
|
62
58
|
},
|
|
63
|
-
public: {}, // Sealed profile no longer carries public mirror
|
|
64
59
|
}, vaultWorkingKey);
|
|
65
|
-
// Write Signed Public Profile for Discovery
|
|
66
|
-
await writeVerifiableMetadata(storage, "vault/public/profile.json", publicMetadata, options.ownerIdentity.privateKey);
|
|
67
60
|
return {
|
|
68
61
|
core,
|
|
69
62
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
@@ -82,31 +75,24 @@ export async function recoverVault(storageOrOptions, maybeOptions) {
|
|
|
82
75
|
});
|
|
83
76
|
const core = createVaultCore(deps);
|
|
84
77
|
const profile = await readVaultProfile(storage, vaultWorkingKey);
|
|
85
|
-
|
|
78
|
+
if (!profile) {
|
|
79
|
+
throw new Error("vault profile not found or decryption failed");
|
|
80
|
+
}
|
|
86
81
|
return {
|
|
87
82
|
core,
|
|
88
83
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
89
|
-
nickname:
|
|
84
|
+
nickname: profile.sealed.nickname,
|
|
90
85
|
storage,
|
|
91
86
|
};
|
|
92
87
|
}
|
|
93
88
|
/**
|
|
94
|
-
* Lists all
|
|
89
|
+
* Lists all vault IDs in the workspace.
|
|
90
|
+
* Metadata requires the owner's private key to decrypt.
|
|
95
91
|
*/
|
|
96
92
|
export async function listVaults(storage) {
|
|
97
93
|
if (!storage.list) {
|
|
98
94
|
return [];
|
|
99
95
|
}
|
|
100
|
-
|
|
101
|
-
const results = [];
|
|
102
|
-
for (const id of ids) {
|
|
103
|
-
const vaultStorage = createPrefixedStorage(storage, vaultStoragePrefix(id));
|
|
104
|
-
const publicData = await readVerifiableMetadata(vaultStorage, "vault/public/profile.json").catch(() => ({}));
|
|
105
|
-
results.push({
|
|
106
|
-
vaultId: id,
|
|
107
|
-
public: (publicData || {}),
|
|
108
|
-
});
|
|
109
|
-
}
|
|
110
|
-
return results;
|
|
96
|
+
return storage.list("vaults");
|
|
111
97
|
}
|
|
112
98
|
//# sourceMappingURL=bootstrap.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE,SAAS,qBAAqB,CAAC,UAAkB,EAAE,OAAe;IAChE,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,2BAA2B,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC;AA0CD,SAAS,cAAc,CACrB,gBAA6E,EAC7E,YAAuD;IAEvD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,gBAAoC;YAC7C,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,gEAAgE;IAChE,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA4D;KACtE,CAAC;AACJ,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,gBAAuD,EACvD,YAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACzF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhF,kFAAkF;IAClF,MAAM,iBAAiB,CAAC,OAAO,EAAE;QAC/B,MAAM,EAAE;YACN,OAAO;YACP,QAAQ;YACR,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;SAC1C;KACF,EAAE,eAAe,CAAC,CAAC;IAEpB,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,gBAAwD,EACxD,YAAkC;IAElC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjG,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IACjE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ;QACjC,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAyB;IACxD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC"}
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -10,10 +10,10 @@ export { FsStorageProvider } from "../storage/fs.js";
|
|
|
10
10
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
11
11
|
export { createIdentity, deriveChildIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type ChildIdentity, type CreatedIdentity, } from "./identity.js";
|
|
12
12
|
export { createChildIdentity, type CreateChildIdentityOptions, } from "./child-identity.js";
|
|
13
|
-
export { readVaultProfile, writeVaultProfile,
|
|
13
|
+
export { readVaultProfile, writeVaultProfile, type VaultProfile, } from "./vault-metadata.js";
|
|
14
14
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
15
|
-
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState,
|
|
16
|
-
export { createVault, recoverVault, listVaults, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type
|
|
15
|
+
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState, } from "./private-vault.js";
|
|
16
|
+
export { createVault, recoverVault, listVaults, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultMetadata, } from "./bootstrap.js";
|
|
17
17
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerDefineSecretTargetsCommand, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
|
|
18
18
|
export { createVaultClient, type VaultClient, type CreateVaultClientOptions, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type OwnerDefineSecretTargetsInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerStoreSecretInput, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
|
|
19
19
|
export { createAgentClient, type AgentClient, type CreateAgentClientOptions, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
|
package/dist/runtime/index.js
CHANGED
|
@@ -9,7 +9,7 @@ export { FsStorageProvider } from "../storage/fs.js";
|
|
|
9
9
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
10
10
|
export { createIdentity, deriveChildIdentity, restoreIdentity, } from "./identity.js";
|
|
11
11
|
export { createChildIdentity, } from "./child-identity.js";
|
|
12
|
-
export { readVaultProfile, writeVaultProfile,
|
|
12
|
+
export { readVaultProfile, writeVaultProfile, } from "./vault-metadata.js";
|
|
13
13
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
14
14
|
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, } from "./private-vault.js";
|
|
15
15
|
export { createVault, recoverVault, listVaults, } from "./bootstrap.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,+BAA+B,EAC/B,qCAAqC,EACrC,oBAAoB,EACpB,cAAc,EACd,0BAA0B,EAC1B,8BAA8B,EAC9B,+BAA+B,GAIhC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,EACZ,UAAU,GAOX,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,oCAAoC,EACpC,uBAAuB,EACvB,oCAAoC,EACpC,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA+CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAclB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC"}
|
|
@@ -3,6 +3,7 @@ import { type CreatedIdentity } from "./identity.js";
|
|
|
3
3
|
export interface IdentityPrivateVaultProfile {
|
|
4
4
|
identityId: string;
|
|
5
5
|
publicKey: string;
|
|
6
|
+
nickname?: string;
|
|
6
7
|
parentIdentityId?: string;
|
|
7
8
|
childIndex?: number;
|
|
8
9
|
}
|
|
@@ -17,29 +18,23 @@ export interface IdentityPrivateVaultChildrenState {
|
|
|
17
18
|
nextChildIndex: number;
|
|
18
19
|
children: IdentityPrivateVaultChildRecord[];
|
|
19
20
|
}
|
|
20
|
-
export interface IdentityPublicProfile {
|
|
21
|
-
identityId: string;
|
|
22
|
-
publicKey: string;
|
|
23
|
-
nickname?: string;
|
|
24
|
-
parentIdentityId?: string;
|
|
25
|
-
}
|
|
26
21
|
type IdentityPrivateVaultAccess = CreatedIdentity | string;
|
|
27
22
|
export declare function identityPrivateVaultPrefix(identityId: string): string;
|
|
28
23
|
export declare function identityPrivateVaultProfileKey(identityId: string): string;
|
|
29
24
|
export declare function identityPrivateVaultChildrenKey(identityId: string): string;
|
|
30
|
-
export declare function identityPrivateVaultPublicProfileKey(identityId: string): string;
|
|
31
25
|
export declare function ensureIdentityPrivateVault(storage: IStorageProvider, identity: CreatedIdentity): Promise<void>;
|
|
32
26
|
export declare function readIdentityPrivateVaultProfile(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultProfile | null>;
|
|
33
27
|
/**
|
|
34
|
-
*
|
|
35
|
-
*
|
|
28
|
+
* Metadata reader for identities.
|
|
29
|
+
* Only works if the private key is provided, as all metadata is now encrypted.
|
|
36
30
|
*/
|
|
37
|
-
export declare function readIdentityMetadata(storage: IStorageProvider, identityId: string, privateKey?: string): Promise<IdentityPrivateVaultProfile |
|
|
31
|
+
export declare function readIdentityMetadata(storage: IStorageProvider, identityId: string, privateKey?: string): Promise<IdentityPrivateVaultProfile | null>;
|
|
38
32
|
export declare function readIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultChildrenState>;
|
|
39
33
|
export declare function writeIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, state: IdentityPrivateVaultChildrenState): Promise<void>;
|
|
40
34
|
export declare function withIdentityPrivateVaultLock<T>(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, task: () => Promise<T>): Promise<T>;
|
|
41
35
|
/**
|
|
42
|
-
* Lists all
|
|
36
|
+
* Lists all identity IDs in the workspace.
|
|
37
|
+
* Nicknames and other metadata require a private key to decrypt.
|
|
43
38
|
*/
|
|
44
|
-
export declare function listIdentities(storage: IStorageProvider): Promise<
|
|
39
|
+
export declare function listIdentities(storage: IStorageProvider): Promise<string[]>;
|
|
45
40
|
export {};
|
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
import { createHash } from "node:crypto";
|
|
2
2
|
import { SealedJsonRepository } from "../sealed/index.js";
|
|
3
3
|
import { restoreIdentity } from "./identity.js";
|
|
4
|
-
import { writeVerifiableMetadata, readVerifiableMetadata } from "./verifiable-metadata.js";
|
|
5
4
|
const PRIVATE_VAULT_PREFIX = "identities";
|
|
6
5
|
const PRIVATE_VAULT_LOCK_SUFFIX = ".lock";
|
|
7
6
|
export function identityPrivateVaultPrefix(identityId) {
|
|
@@ -13,9 +12,6 @@ export function identityPrivateVaultProfileKey(identityId) {
|
|
|
13
12
|
export function identityPrivateVaultChildrenKey(identityId) {
|
|
14
13
|
return `${identityPrivateVaultPrefix(identityId)}/sealed/children.sealed`;
|
|
15
14
|
}
|
|
16
|
-
export function identityPrivateVaultPublicProfileKey(identityId) {
|
|
17
|
-
return `${identityPrivateVaultPrefix(identityId)}/public/profile.json`;
|
|
18
|
-
}
|
|
19
15
|
function lockKey(identityId) {
|
|
20
16
|
return `${identityPrivateVaultPrefix(identityId)}/sealed/locks/vault${PRIVATE_VAULT_LOCK_SUFFIX}`;
|
|
21
17
|
}
|
|
@@ -38,26 +34,15 @@ export async function ensureIdentityPrivateVault(storage, identity) {
|
|
|
38
34
|
const profileKey = identityPrivateVaultProfileKey(identity.identityId);
|
|
39
35
|
const profileRepo = new SealedJsonRepository(storage, profileKey, deriveIdentityPrivateVaultKey(identity));
|
|
40
36
|
const existingProfile = await profileRepo.read(null);
|
|
41
|
-
// Read current public profile to preserve nickname if needed
|
|
42
|
-
const publicPath = identityPrivateVaultPublicProfileKey(identity.identityId);
|
|
43
|
-
const publicRaw = await storage.read(publicPath);
|
|
44
|
-
const existingPublic = publicRaw ? JSON.parse(publicRaw.toString()) : null;
|
|
45
37
|
const profile = {
|
|
46
38
|
identityId: identity.identityId,
|
|
47
39
|
publicKey: identity.publicKey,
|
|
40
|
+
nickname: identity.nickname || existingProfile?.nickname,
|
|
48
41
|
parentIdentityId: identity.parentIdentityId || existingProfile?.parentIdentityId,
|
|
49
42
|
childIndex: identity.childIndex ?? existingProfile?.childIndex,
|
|
50
43
|
};
|
|
51
|
-
// Profile data in sealed area
|
|
44
|
+
// Profile data is now fully encrypted in the sealed area
|
|
52
45
|
await profileRepo.write(profile, "identity_private_vault_profile");
|
|
53
|
-
// Write Signed Public Profile for Discovery
|
|
54
|
-
const publicProfile = {
|
|
55
|
-
identityId: profile.identityId,
|
|
56
|
-
publicKey: profile.publicKey,
|
|
57
|
-
nickname: identity.nickname || existingPublic?.payload.nickname,
|
|
58
|
-
parentIdentityId: profile.parentIdentityId,
|
|
59
|
-
};
|
|
60
|
-
await writeVerifiableMetadata(storage, publicPath, publicProfile, identity.privateKey);
|
|
61
46
|
const childrenKey = identityPrivateVaultChildrenKey(identity.identityId);
|
|
62
47
|
if (!(await storage.has(childrenKey))) {
|
|
63
48
|
const emptyState = {
|
|
@@ -74,33 +59,24 @@ export async function readIdentityPrivateVaultProfile(storage, identityOrPrivate
|
|
|
74
59
|
return repo.read(null);
|
|
75
60
|
}
|
|
76
61
|
/**
|
|
77
|
-
*
|
|
78
|
-
*
|
|
62
|
+
* Metadata reader for identities.
|
|
63
|
+
* Only works if the private key is provided, as all metadata is now encrypted.
|
|
79
64
|
*/
|
|
80
65
|
export async function readIdentityMetadata(storage, identityId, privateKey) {
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
throw new Error("identityId mismatch");
|
|
89
|
-
}
|
|
90
|
-
const sealed = await readIdentityPrivateVaultProfile(storage, identity);
|
|
91
|
-
if (sealed) {
|
|
92
|
-
return {
|
|
93
|
-
...publicProfile, // Spread public profile (contains nickname)
|
|
94
|
-
...sealed, // Spread sealed profile (contains keys/metadata)
|
|
95
|
-
};
|
|
96
|
-
}
|
|
97
|
-
}
|
|
98
|
-
catch (e) {
|
|
99
|
-
// Fallback to public if decryption fails
|
|
100
|
-
console.warn(`[IdentityMetadata] Decryption failed for ${identityId}:`, e);
|
|
66
|
+
if (!privateKey) {
|
|
67
|
+
return null; // Metadata is encrypted at rest.
|
|
68
|
+
}
|
|
69
|
+
try {
|
|
70
|
+
const identity = restoreIdentity(privateKey);
|
|
71
|
+
if (identity.identityId !== identityId) {
|
|
72
|
+
throw new Error("identityId mismatch");
|
|
101
73
|
}
|
|
74
|
+
return await readIdentityPrivateVaultProfile(storage, identity);
|
|
75
|
+
}
|
|
76
|
+
catch (e) {
|
|
77
|
+
console.warn(`[IdentityMetadata] Decryption failed for ${identityId}:`, e);
|
|
78
|
+
return null;
|
|
102
79
|
}
|
|
103
|
-
return publicProfile;
|
|
104
80
|
}
|
|
105
81
|
export async function readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey) {
|
|
106
82
|
const identity = normalizeIdentityAccess(identityOrPrivateKey);
|
|
@@ -124,7 +100,8 @@ export async function withIdentityPrivateVaultLock(storage, identityOrPrivateKey
|
|
|
124
100
|
return task();
|
|
125
101
|
}
|
|
126
102
|
/**
|
|
127
|
-
* Lists all
|
|
103
|
+
* Lists all identity IDs in the workspace.
|
|
104
|
+
* Nicknames and other metadata require a private key to decrypt.
|
|
128
105
|
*/
|
|
129
106
|
export async function listIdentities(storage) {
|
|
130
107
|
if (!storage.list) {
|
|
@@ -133,13 +110,9 @@ export async function listIdentities(storage) {
|
|
|
133
110
|
const ids = await storage.list(PRIVATE_VAULT_PREFIX);
|
|
134
111
|
const results = [];
|
|
135
112
|
for (const id of ids) {
|
|
136
|
-
// Skip non-identity directories or lock files if any
|
|
137
113
|
if (id.endsWith(PRIVATE_VAULT_LOCK_SUFFIX))
|
|
138
114
|
continue;
|
|
139
|
-
|
|
140
|
-
if (profile) {
|
|
141
|
-
results.push(profile);
|
|
142
|
-
}
|
|
115
|
+
results.push(id);
|
|
143
116
|
}
|
|
144
117
|
return results;
|
|
145
118
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;AAEtE,MAAM,oBAAoB,GAAG,YAAY,CAAC;AAC1C,MAAM,yBAAyB,GAAG,OAAO,CAAC;AA0B1C,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,OAAO,GAAG,oBAAoB,IAAI,UAAU,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,wBAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,yBAAyB,CAAC;AAC5E,CAAC;AAGD,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,sBAAsB,yBAAyB,EAAE,CAAC;AACpG,CAAC;AAED,SAAS,uBAAuB,CAAC,oBAAgD;IAC/E,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;QAC7C,OAAO,eAAe,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,SAAS,6BAA6B,CAAC,QAAyB;IAC9D,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,gCAAgC,CAAC;SACxC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,OAAyB,EACzB,QAAyB;IAEzB,MAAM,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACvE,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAC1C,OAAO,EACP,UAAU,EACV,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;IAE5D,MAAM,OAAO,GAAgC;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,eAAe,EAAE,QAAQ;QACxD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,eAAe,EAAE,gBAAgB;QAChF,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,eAAe,EAAE,UAAU;KAC/D,CAAC;IAEF,yDAAyD;IACzD,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,gCAAgC,CAAC,CAAC;IAEnE,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACtC,MAAM,UAAU,GAAsC;YACpD,cAAc,EAAE,CAAC;YACjB,QAAQ,EAAE,EAAE;SACb,CAAC;QACF,MAAM,YAAY,GAAG,IAAI,oBAAoB,CAC3C,OAAO,EACP,WAAW,EACX,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;QACF,MAAM,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACnD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,OAAO,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAyB,EACzB,UAAkB,EAClB,UAAmB;IAEnB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,MAAM,+BAA+B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAClE,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,4CAA4C,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM;QAC/D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAyB,EACzB,oBAAgD,EAChD,KAAwC;IAExC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAyB,EACzB,oBAAgD,EAChD,IAAsB;IAEtB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,EAAE,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAyB;IAC5D,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACrD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;YAAE,SAAS;QACrD,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1,14 +1,12 @@
|
|
|
1
1
|
import type { IStorageProvider } from "../storage/provider.js";
|
|
2
2
|
export interface VaultProfile {
|
|
3
|
-
sealed: Record<string, any
|
|
4
|
-
public: Record<string, any> & {
|
|
3
|
+
sealed: Record<string, any> & {
|
|
5
4
|
nickname?: string;
|
|
6
5
|
};
|
|
7
6
|
}
|
|
8
|
-
export declare const VAULT_PUBLIC_PROFILE_KEY = "vault/public/profile.json";
|
|
9
7
|
/**
|
|
10
|
-
*
|
|
8
|
+
* Vault metadata is now fully encrypted.
|
|
9
|
+
* 'Public' access is only possible via an authorized API service that holds the key.
|
|
11
10
|
*/
|
|
12
|
-
export declare function readVaultPublicMetadata(storage: IStorageProvider): Promise<Record<string, any>>;
|
|
13
11
|
export declare function writeVaultProfile(storage: IStorageProvider, profile: VaultProfile, vaultWorkingKey: string): Promise<void>;
|
|
14
12
|
export declare function readVaultProfile(storage: IStorageProvider, vaultWorkingKey: string): Promise<VaultProfile | null>;
|
|
@@ -1,31 +1,21 @@
|
|
|
1
1
|
import { SealedJsonRepository } from "../sealed/index.js";
|
|
2
2
|
const VAULT_SEALED_PROFILE_KEY = "vault/sealed/profile.sealed";
|
|
3
|
-
export const VAULT_PUBLIC_PROFILE_KEY = "vault/public/profile.json";
|
|
4
|
-
import { readVerifiableMetadata } from "./verifiable-metadata.js";
|
|
5
3
|
/**
|
|
6
|
-
*
|
|
4
|
+
* Vault metadata is now fully encrypted.
|
|
5
|
+
* 'Public' access is only possible via an authorized API service that holds the key.
|
|
7
6
|
*/
|
|
8
|
-
export async function readVaultPublicMetadata(storage) {
|
|
9
|
-
const data = await readVerifiableMetadata(storage, VAULT_PUBLIC_PROFILE_KEY).catch(() => null);
|
|
10
|
-
return data || {};
|
|
11
|
-
}
|
|
12
7
|
export async function writeVaultProfile(storage, profile, vaultWorkingKey) {
|
|
13
|
-
// 1. Write Sealed Profile
|
|
14
8
|
const repo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
|
|
15
9
|
await repo.write(profile.sealed, "vault_profile_sealed");
|
|
16
|
-
// NOTE: Public profile writing is handled separately via writeVerifiableMetadata
|
|
17
|
-
// by the component that holds the owner's private key (e.g., bootstrap.ts).
|
|
18
10
|
}
|
|
19
11
|
export async function readVaultProfile(storage, vaultWorkingKey) {
|
|
20
12
|
const repo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
|
|
21
|
-
const sealed = await repo.read(null);
|
|
13
|
+
const sealed = (await repo.read(null));
|
|
22
14
|
if (!sealed) {
|
|
23
15
|
return null;
|
|
24
16
|
}
|
|
25
|
-
const publicData = await readVaultPublicMetadata(storage);
|
|
26
17
|
return {
|
|
27
18
|
sealed,
|
|
28
|
-
public: publicData,
|
|
29
19
|
};
|
|
30
20
|
}
|
|
31
21
|
//# sourceMappingURL=vault-metadata.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAM1D,MAAM,wBAAwB,GAAG,6BAA6B,CAAC;AAE/D;;;GAGG;AAEH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAyB,EACzB,OAAqB,EACrB,eAAuB;IAEvB,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IAC/G,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,eAAuB;IAEvB,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IAC/G,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAyD,CAAC;IACtG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,MAAM;KACP,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
import type { IStorageProvider } from "../storage/provider.js";
|
|
2
|
-
/**
|
|
3
|
-
* A verifiable envelope for public metadata.
|
|
4
|
-
* Proves that the data was signed by the rightful owner.
|
|
5
|
-
*/
|
|
6
|
-
export interface VerifiableMetadata<T> {
|
|
7
|
-
payload: T;
|
|
8
|
-
signature: string;
|
|
9
|
-
signer: string;
|
|
10
|
-
}
|
|
11
|
-
/**
|
|
12
|
-
* Signs and writes a payload to storage as a verifiable metadata envelope.
|
|
13
|
-
*/
|
|
14
|
-
export declare function writeVerifiableMetadata<T>(storage: IStorageProvider, path: string, payload: T, privateKey: string): Promise<void>;
|
|
15
|
-
/**
|
|
16
|
-
* Reads and optionally verifies a verifiable metadata envelope from storage.
|
|
17
|
-
*/
|
|
18
|
-
export declare function readVerifiableMetadata<T>(storage: IStorageProvider, path: string, expectedSigner?: string): Promise<T | null>;
|
|
@@ -1,72 +0,0 @@
|
|
|
1
|
-
import { signPayload, verifySignature, derivePublicKey } from "../protocol/crypto.js";
|
|
2
|
-
/**
|
|
3
|
-
* Hardcoded field order for canonical JSON stringification.
|
|
4
|
-
* This ensures that even if different environments parse/stringify,
|
|
5
|
-
* the signature check string is always identical.
|
|
6
|
-
*/
|
|
7
|
-
function canonicalStringify(obj) {
|
|
8
|
-
if (!obj || typeof obj !== "object" || Array.isArray(obj)) {
|
|
9
|
-
return JSON.stringify(obj);
|
|
10
|
-
}
|
|
11
|
-
const keys = Object.keys(obj).sort();
|
|
12
|
-
const parts = [];
|
|
13
|
-
for (const key of keys) {
|
|
14
|
-
const value = obj[key];
|
|
15
|
-
if (value === undefined)
|
|
16
|
-
continue;
|
|
17
|
-
// Recursive canonical for nested objects if any (mostly for publicMetadata)
|
|
18
|
-
parts.push(`${JSON.stringify(key)}:${canonicalStringify(value)}`);
|
|
19
|
-
}
|
|
20
|
-
return `{${parts.join(",")}}`;
|
|
21
|
-
}
|
|
22
|
-
/**
|
|
23
|
-
* Signs and writes a payload to storage as a verifiable metadata envelope.
|
|
24
|
-
*/
|
|
25
|
-
export async function writeVerifiableMetadata(storage, path, payload, privateKey) {
|
|
26
|
-
const payloadStr = canonicalStringify(payload);
|
|
27
|
-
const signature = await signPayload(privateKey, payloadStr);
|
|
28
|
-
const signer = derivePublicKey(privateKey);
|
|
29
|
-
// Self-verify check
|
|
30
|
-
const isCorrect = await verifySignature(signer, payloadStr, signature);
|
|
31
|
-
if (!isCorrect) {
|
|
32
|
-
throw new Error(`[VerifiableMetadata] SDK Integrity Failure: Generated signature is invalid for the payload.
|
|
33
|
-
Payload: ${payloadStr}
|
|
34
|
-
Signer: ${signer}
|
|
35
|
-
Signature: ${signature}`);
|
|
36
|
-
}
|
|
37
|
-
const envelope = {
|
|
38
|
-
payload,
|
|
39
|
-
signature,
|
|
40
|
-
signer,
|
|
41
|
-
};
|
|
42
|
-
await storage.write(path, Buffer.from(JSON.stringify(envelope, null, 2)));
|
|
43
|
-
}
|
|
44
|
-
/**
|
|
45
|
-
* Reads and optionally verifies a verifiable metadata envelope from storage.
|
|
46
|
-
*/
|
|
47
|
-
export async function readVerifiableMetadata(storage, path, expectedSigner) {
|
|
48
|
-
const raw = await storage.read(path);
|
|
49
|
-
if (!raw)
|
|
50
|
-
return null;
|
|
51
|
-
try {
|
|
52
|
-
const envelope = JSON.parse(raw.toString());
|
|
53
|
-
// If expectedSigner is provided, we MUST verify
|
|
54
|
-
if (expectedSigner && envelope.signer !== expectedSigner) {
|
|
55
|
-
return null; // Signer mismatch
|
|
56
|
-
}
|
|
57
|
-
const payloadStr = canonicalStringify(envelope.payload);
|
|
58
|
-
const isValid = await verifySignature(envelope.signer, payloadStr, envelope.signature);
|
|
59
|
-
if (!isValid) {
|
|
60
|
-
console.warn(`[VerifiableMetadata] Invalid signature at ${path}`);
|
|
61
|
-
console.warn(`[VerifiableMetadata] Signer: ${envelope.signer}`);
|
|
62
|
-
console.warn(`[VerifiableMetadata] Payload String: ${payloadStr}`);
|
|
63
|
-
console.warn(`[VerifiableMetadata] Signature: ${envelope.signature}`);
|
|
64
|
-
return null;
|
|
65
|
-
}
|
|
66
|
-
return envelope.payload;
|
|
67
|
-
}
|
|
68
|
-
catch (e) {
|
|
69
|
-
return null;
|
|
70
|
-
}
|
|
71
|
-
}
|
|
72
|
-
//# sourceMappingURL=verifiable-metadata.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"verifiable-metadata.js","sourceRoot":"","sources":["../../src/runtime/verifiable-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAatF;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,GAAQ;IAClC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAElC,4EAA4E;QAC5E,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAyB,EACzB,IAAY,EACZ,OAAU,EACV,UAAkB;IAElB,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAE3C,oBAAoB;IACpB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IACvE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC;WACT,UAAU;UACX,MAAM;aACH,SAAS,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,QAAQ,GAA0B;QACtC,OAAO;QACP,SAAS;QACT,MAAM;KACP,CAAC;IAEF,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAyB,EACzB,IAAY,EACZ,cAAuB;IAEvB,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,CAA0B,CAAC;QAErE,gDAAgD;QAChD,IAAI,cAAc,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACzD,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;QAED,MAAM,UAAU,GAAG,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAEvF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,6CAA6C,IAAI,EAAE,CAAC,CAAC;YAClE,OAAO,CAAC,IAAI,CAAC,gCAAgC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAChE,OAAO,CAAC,IAAI,CAAC,wCAAwC,UAAU,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,mCAAmC,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,QAAQ,CAAC,OAAO,CAAC;IAC1B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|