@the-ai-company/cbio-node-runtime 1.34.0 → 1.36.0
- package/dist/runtime/bootstrap.d.ts +3 -4
- package/dist/runtime/bootstrap.js +18 -19
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/index.d.ts +2 -2
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/private-vault.d.ts +12 -12
- package/dist/runtime/private-vault.js +33 -29
- package/dist/runtime/private-vault.js.map +1 -1
- package/dist/runtime/vault-metadata.d.ts +11 -7
- package/dist/runtime/vault-metadata.js +33 -18
- package/dist/runtime/vault-metadata.js.map +1 -1
- package/package.json +1 -1
- package/dist/runtime/verifiable-metadata.d.ts +0 -18
- package/dist/runtime/verifiable-metadata.js +0 -72
- package/dist/runtime/verifiable-metadata.js.map +0 -1
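--- a/package/dist/runtime/bootstrap.d.ts
+++ b/package/dist/runtime/bootstrap.d.ts
@@ -2,14 +2,13 @@ import { type CreatePersistentVaultCoreDependenciesOptions, type VaultCore } fro
 import { type VaultService, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
 import type { IStorageProvider } from "../storage/provider.js";
 import type { CreatedIdentity } from "./identity.js";
-export interface
+export interface VaultMetadata extends Record<string, any> {
 nickname?: string;
 ownerId?: string;
 }
 export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey" | "vaultId"> {
 vaultId?: string;
 nickname?: string;
-publicMetadata?: VaultPublicMetadata;
 ownerIdentity: CreatedIdentity;
 vault?: {
 customFlows?: VaultCustomFlowResolver;
@@ -65,9 +64,9 @@ export declare function recoverVault(storage: IStorageProvider, options: Recover
 */
 export declare function recoverVault(options: RecoverVaultOptions): Promise<RecoveredVault>;
 /**
-* Lists all vaults in the workspace with their
+* Lists all vaults in the workspace with their discovery metadata.
 */
 export declare function listVaults(storage: IStorageProvider): Promise<Array<{
 vaultId: string;
-public:
+public: any;
 }>>;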
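Review bot: `CreateVaultOptions` loses its `publicMetadata?: VaultPublicMetadata` field in the first hunk, which removes a public option between 1.34.0 and 1.36.0 (a minor bump per the page header), so callers that passed it stop type-checking with no deprecation path; if the removal is intended, the changelog and the `VaultPublicMetadata` re-export should say so. In the second hunk `listVaults` now returns `public: any`, although `VaultMetadata` is declared in the same file and appears to be the intended discovery shape; `public: VaultMetadata;` keeps that visible to consumers. `VaultMetadata extends Record<string, any>` also types every unlisted key as `any`; `Record<string, unknown>` would force callers to narrow values read back from storage.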
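--- a/package/dist/runtime/bootstrap.js
+++ b/package/dist/runtime/bootstrap.js
@@ -3,9 +3,8 @@ import { createVaultCore } from "../vault-core/core.js";
 import { createPersistentVaultCoreDependencies, } from "../vault-core/index.js";
 import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
 import { createPrefixedStorage } from "../storage/prefix.js";
-import { readVaultProfile, writeVaultProfile } from "./vault-metadata.js";
+import { readVaultProfile, writeVaultProfile, readVaultPublicMetadata } from "./vault-metadata.js";
 import { createWorkspaceStorage } from "./workspace-storage.js";
-import { writeVerifiableMetadata, readVerifiableMetadata } from "./verifiable-metadata.js";
 function deriveVaultWorkingKey(privateKey, vaultId) {
 return crypto
 .createHash("sha256")
@@ -50,20 +49,18 @@ export async function createVault(storageOrOptions, maybeOptions) {
 };
 await core.bootstrapOwnerIdentity(bootstrapOwner);
 const nickname = options.nickname?.trim() ? options.nickname.trim() : undefined;
-//
-
-...(options.publicMetadata || {}),
-...(nickname ? { nickname } : {})
-};
+// 1. All sensitive metadata is in the private sealed profile (requires owner PK)
+// 2. Discovery metadata (nickname) is in the public sealed profile (requires only vaultId)
 await writeVaultProfile(storage, {
-
+sealedPrivate: {
 vaultId,
-
+ownerId: options.ownerIdentity.identityId,
 },
-
-
-
-
+sealedPublic: {
+vaultId,
+nickname,
+}
+}, vaultWorkingKey, vaultId);
 return {
 core,
 vault: wrapVaultCoreAsVaultService(core, options.vault),
@@ -81,17 +78,19 @@ export async function recoverVault(storageOrOptions, maybeOptions) {
 vaultWorkingKey,
 });
 const core = createVaultCore(deps);
-const profile = await readVaultProfile(storage, vaultWorkingKey);
-
+const profile = await readVaultProfile(storage, vaultWorkingKey, options.vaultId);
+if (!profile) {
+throw new Error("vault profile not found or decryption failed");
+}
 return {
 core,
 vault: wrapVaultCoreAsVaultService(core, options.vault),
-nickname:
+nickname: profile.sealedPublic.nickname,
 storage,
 };
 }
 /**
-* Lists all vaults in the workspace with their
+* Lists all vaults in the workspace with their discovery metadata.
 */
 export async function listVaults(storage) {
 if (!storage.list) {
@@ -101,10 +100,10 @@ export async function listVaults(storage) {
 const results = [];
 for (const id of ids) {
 const vaultStorage = createPrefixedStorage(storage, vaultStoragePrefix(id));
-const publicData = await
+const publicData = await readVaultPublicMetadata(vaultStorage, id);
 results.push({
 vaultId: id,
-public:
+public: publicData || {},
 });
 }
 return results;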
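Review bot: `nickname: profile.sealedPublic.nickname` in the recoverVault hunk dereferences `sealedPublic` unconditionally; a sealed profile written by 1.34.0 had a `public` field rather than `sealedPublic` (per the `VaultProfile` change in vault-metadata.d.ts), so if readVaultProfile hands back the stored object as-is, recovering an existing vault fails with a TypeError instead of the explicit "vault profile not found or decryption failed" error added just above it. `nickname: profile.sealedPublic?.nickname,` keeps recovery working and yields undefined for the old layout. Separately, the first hunk drops the `readVerifiableMetadata` import while listVaults now reads discovery data through `readVaultPublicMetadata`, which takes only the vaultId; the `public` field therefore presumably no longer carries the signature check the old path had, and the `// 1.`/`// 2.` comments in createVault would be the right place to state that the public sealed profile is discoverable but not authenticated.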
@@ -1 +1 @@
1
|
-
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,
|
|
1
|
+
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnG,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE,SAAS,qBAAqB,CAAC,UAAkB,EAAE,OAAe;IAChE,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,2BAA2B,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC;AA0CD,SAAS,cAAc,CACrB,gBAA6E,EAC7E,YAAuD;IAEvD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,gBAAoC;YAC7C,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,gEAAgE;IAChE,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA4D;KACtE,CAAC;AACJ,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,gBAAuD,EACvD,YAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACzF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhF,iFAAiF;IACjF,2FAA2F;IAC3F,MAAM,iBAAiB,CAAC,OAAO,EAAE;QAC/B,aAAa,EAAE;YACb,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;SAC1C;QACD,YAAY,EAAE;YACZ,OAAO;YACP,QAAQ;SACT;
KACF,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IAE7B,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,gBAAwD,EACxD,YAAkC;IAElC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjG,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ,EAAE,OAAO,CAAC,YAAY,CAAC,QAAQ;QACvC,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAyB;IACxD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,OAAO,GAA4C,EAAE,CAAC;IAC5D,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,YAAY,GAAG,qBAAqB,CAAC,OAAO,EAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAEnE,OAAO,CAAC,IAAI,CAAC;YACX,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -12,8 +12,8 @@ export { createIdentity, deriveChildIdentity, restoreIdentity, type CreateIdenti
|
|
|
12
12
|
export { createChildIdentity, type CreateChildIdentityOptions, } from "./child-identity.js";
|
|
13
13
|
export { readVaultProfile, writeVaultProfile, readVaultPublicMetadata, type VaultProfile, } from "./vault-metadata.js";
|
|
14
14
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
15
|
-
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState,
|
|
16
|
-
export { createVault, recoverVault, listVaults, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultPublicMetadata, } from "./bootstrap.js";
|
|
15
|
+
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState, } from "./private-vault.js";
|
|
16
|
+
export { createVault, recoverVault, listVaults, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultMetadata as VaultPublicMetadata, } from "./bootstrap.js";
|
|
17
17
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerDefineSecretTargetsCommand, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type 
SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
|
|
18
18
|
export { createVaultClient, type VaultClient, type CreateVaultClientOptions, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type OwnerDefineSecretTargetsInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerStoreSecretInput, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
|
|
19
19
|
export { createAgentClient, type AgentClient, type CreateAgentClientOptions, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
|
|
@@ -1 +1 @@
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,uBAAuB,GAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,+BAA+B,EAC/B,qCAAqC,EACrC,oBAAoB,EACpB,cAAc,EACd,0BAA0B,EAC1B,8BAA8B,EAC9B,+BAA+B,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,uBAAuB,GAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,+BAA+B,EAC/B,qCAAqC,EACrC,oBAAoB,EACpB,cAAc,EACd,0BAA0B,EAC1B,8BAA8B,EAC9B,+BAA+B,GAIhC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,EACZ,UAAU,GAOX,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,oCAAoC,EACpC,uBAAuB,EACvB,oCAAoC,EACpC,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA+CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAclB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC"}
|
|
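--- a/package/dist/runtime/private-vault.d.ts
+++ b/package/dist/runtime/private-vault.d.ts
@@ -3,6 +3,7 @@ import { type CreatedIdentity } from "./identity.js";
 export interface IdentityPrivateVaultProfile {
 identityId: string;
 publicKey: string;
+nickname?: string;
 parentIdentityId?: string;
 childIndex?: number;
 }
@@ -17,29 +18,28 @@ export interface IdentityPrivateVaultChildrenState {
 nextChildIndex: number;
 children: IdentityPrivateVaultChildRecord[];
 }
-export interface IdentityPublicProfile {
-identityId: string;
-publicKey: string;
-nickname?: string;
-parentIdentityId?: string;
-}
 type IdentityPrivateVaultAccess = CreatedIdentity | string;
 export declare function identityPrivateVaultPrefix(identityId: string): string;
 export declare function identityPrivateVaultProfileKey(identityId: string): string;
+export declare function identityPrivateVaultPublicSealedKey(identityId: string): string;
 export declare function identityPrivateVaultChildrenKey(identityId: string): string;
-
+/**
+* Derives a key that is publicly available to anyone who knows the identityId.
+*/
+export declare function deriveIdentityPrivateVaultPublicWorkingKey(identityId: string): string;
 export declare function ensureIdentityPrivateVault(storage: IStorageProvider, identity: CreatedIdentity): Promise<void>;
 export declare function readIdentityPrivateVaultProfile(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultProfile | null>;
 /**
-*
-*
+* Metadata reader for identities.
+* Discovery info (nickname) can be read with just identityId.
+* Full profile requires privateKey.
 */
-export declare function readIdentityMetadata(storage: IStorageProvider, identityId: string, privateKey?: string): Promise<IdentityPrivateVaultProfile |
+export declare function readIdentityMetadata(storage: IStorageProvider, identityId: string, privateKey?: string): Promise<IdentityPrivateVaultProfile | any | null>;
 export declare function readIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultChildrenState>;
 export declare function writeIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, state: IdentityPrivateVaultChildrenState): Promise<void>;
 export declare function withIdentityPrivateVaultLock<T>(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, task: () => Promise<T>): Promise<T>;
 /**
-* Lists all identities in the workspace with their
+* Lists all identities in the workspace with their discovery metadata.
 */
-export declare function listIdentities(storage: IStorageProvider): Promise<
+export declare function listIdentities(storage: IStorageProvider): Promise<any[]>;
 export {};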
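Review bot: `Promise<IdentityPrivateVaultProfile | any | null>` on `readIdentityMetadata` in the second hunk collapses to `Promise<any>`, and `listIdentities` now returns `Promise<any[]>`, so consumers lose every field name the declaration file previously gave them. The same hunk deletes `IdentityPublicProfile`, which is exactly the shape private-vault.js writes to the public sealed record (identityId, publicKey, nickname, parentIdentityId); keeping that interface and declaring `Promise<IdentityPrivateVaultProfile | IdentityPublicProfile | null>` and `Promise<IdentityPublicProfile[]>` would type both readers without widening. The doc comment on `deriveIdentityPrivateVaultPublicWorkingKey` should also tell callers what that implies: a record sealed with a key anyone can derive is readable, but not authenticated, by anyone who knows the identityId.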
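--- a/package/dist/runtime/private-vault.js
+++ b/package/dist/runtime/private-vault.js
@@ -1,7 +1,6 @@
 import { createHash } from "node:crypto";
 import { SealedJsonRepository } from "../sealed/index.js";
 import { restoreIdentity } from "./identity.js";
-import { writeVerifiableMetadata, readVerifiableMetadata } from "./verifiable-metadata.js";
 const PRIVATE_VAULT_PREFIX = "identities";
 const PRIVATE_VAULT_LOCK_SUFFIX = ".lock";
 export function identityPrivateVaultPrefix(identityId) {
@@ -10,12 +9,12 @@ export function identityPrivateVaultPrefix(identityId) {
 export function identityPrivateVaultProfileKey(identityId) {
 return `${identityPrivateVaultPrefix(identityId)}/sealed/profile.sealed`;
 }
+export function identityPrivateVaultPublicSealedKey(identityId) {
+return `${identityPrivateVaultPrefix(identityId)}/sealed/public.sealed`;
+}
 export function identityPrivateVaultChildrenKey(identityId) {
 return `${identityPrivateVaultPrefix(identityId)}/sealed/children.sealed`;
 }
-export function identityPrivateVaultPublicProfileKey(identityId) {
-return `${identityPrivateVaultPrefix(identityId)}/public/profile.json`;
-}
 function lockKey(identityId) {
 return `${identityPrivateVaultPrefix(identityId)}/sealed/locks/vault${PRIVATE_VAULT_LOCK_SUFFIX}`;
 }
@@ -34,30 +33,38 @@ function deriveIdentityPrivateVaultKey(identity) {
 .update(identity.privateKey)
 .digest("base64url");
 }
+/**
+* Derives a key that is publicly available to anyone who knows the identityId.
+*/
+export function deriveIdentityPrivateVaultPublicWorkingKey(identityId) {
+return createHash("sha256")
+.update("cbio:identity-public-metadata:v1")
+.update("\n")
+.update(identityId)
+.digest("base64url");
+}
 export async function ensureIdentityPrivateVault(storage, identity) {
 const profileKey = identityPrivateVaultProfileKey(identity.identityId);
 const profileRepo = new SealedJsonRepository(storage, profileKey, deriveIdentityPrivateVaultKey(identity));
 const existingProfile = await profileRepo.read(null);
-// Read current public profile to preserve nickname if needed
-const publicPath = identityPrivateVaultPublicProfileKey(identity.identityId);
-const publicRaw = await storage.read(publicPath);
-const existingPublic = publicRaw ? JSON.parse(publicRaw.toString()) : null;
 const profile = {
 identityId: identity.identityId,
 publicKey: identity.publicKey,
+nickname: identity.nickname || existingProfile?.nickname,
 parentIdentityId: identity.parentIdentityId || existingProfile?.parentIdentityId,
 childIndex: identity.childIndex ?? existingProfile?.childIndex,
 };
-//
+// 1. Write Private Sealed Profile
 await profileRepo.write(profile, "identity_private_vault_profile");
-// Write
-const
+// 2. Write Public Sealed Metadata for Discovery (Encrypted for integrity, but publicly readable)
+const publicSealedKey = identityPrivateVaultPublicSealedKey(identity.identityId);
+const publicRepo = new SealedJsonRepository(storage, publicSealedKey, deriveIdentityPrivateVaultPublicWorkingKey(identity.identityId));
+await publicRepo.write({
 identityId: profile.identityId,
 publicKey: profile.publicKey,
-nickname:
+nickname: profile.nickname,
 parentIdentityId: profile.parentIdentityId,
-};
-await writeVerifiableMetadata(storage, publicPath, publicProfile, identity.privateKey);
+}, "identity_public_metadata");
 const childrenKey = identityPrivateVaultChildrenKey(identity.identityId);
 if (!(await storage.has(childrenKey))) {
 const emptyState = {
@@ -74,13 +81,14 @@ export async function readIdentityPrivateVaultProfile(storage, identityOrPrivate
 return repo.read(null);
 }
 /**
-*
-*
+* Metadata reader for identities.
+* Discovery info (nickname) can be read with just identityId.
+* Full profile requires privateKey.
 */
 export async function readIdentityMetadata(storage, identityId, privateKey) {
-const
-const
-
+const publicSealedKey = identityPrivateVaultPublicSealedKey(identityId);
+const publicRepo = new SealedJsonRepository(storage, publicSealedKey, deriveIdentityPrivateVaultPublicWorkingKey(identityId));
+const publicMetadata = await publicRepo.read(null).catch(() => null);
 if (privateKey) {
 try {
 const identity = restoreIdentity(privateKey);
@@ -88,19 +96,16 @@ export async function readIdentityMetadata(storage, identityId, privateKey) {
 throw new Error("identityId mismatch");
 }
 const sealed = await readIdentityPrivateVaultProfile(storage, identity);
-
-
-
-
-};
-}
+return {
+...(publicMetadata || {}),
+...(sealed || {}),
+};
 }
 catch (e) {
-// Fallback to public if decryption fails
 console.warn(`[IdentityMetadata] Decryption failed for ${identityId}:`, e);
 }
 }
-return
+return publicMetadata;
 }
 export async function readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey) {
 const identity = normalizeIdentityAccess(identityOrPrivateKey);
@@ -124,7 +129,7 @@ export async function withIdentityPrivateVaultLock(storage, identityOrPrivateKey
 return task();
 }
 /**
-* Lists all identities in the workspace with their
+* Lists all identities in the workspace with their discovery metadata.
 */
 export async function listIdentities(storage) {
 if (!storage.list) {
@@ -133,7 +138,6 @@ export async function listIdentities(storage) {
 const ids = await storage.list(PRIVATE_VAULT_PREFIX);
 const results = [];
 for (const id of ids) {
-// Skip non-identity directories or lock files if any
 if (id.endsWith(PRIVATE_VAULT_LOCK_SUFFIX))
 continue;
 const profile = await readIdentityMetadata(storage, id);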
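Review bot: The comment `// 2. Write Public Sealed Metadata for Discovery (Encrypted for integrity, but publicly readable)` in the `@@ -34,30 +33,38 @@` hunk overstates what the new sealing provides: `deriveIdentityPrivateVaultPublicWorkingKey` is SHA-256 over a fixed label and the identityId, both known to anyone who knows the identityId, so whoever can write to storage can also produce a valid `public.sealed` record, whereas the removed `writeVerifiableMetadata(storage, publicPath, publicProfile, identity.privateKey)` call bound the record to the identity's private key. The same applies to `readIdentityMetadata` in the `@@ -74,13` and `@@ -88,19` hunks, where `publicMetadata` is merged under `sealed` and, when decryption with the supplied `privateKey` fails (including the "identityId mismatch" case), is returned alone after only a `console.warn`, so a caller that passed a key cannot distinguish an authenticated profile from unauthenticated discovery data. I would reword the comment to `// 2. Write public sealed metadata for discovery (readable, and rewritable, by anyone who knows the identityId; the seal only guards against accidental corruption)` and either rethrow in the catch or `return null;` there instead of falling through to `return publicMetadata;`. The `.catch(() => null)` on `publicRepo.read(null)` also hides malformed records from `listIdentities`; logging the error as the catch below does would keep storage corruption visible.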
@@ -1 +1 @@
1
|
-
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;AAEtE,MAAM,oBAAoB,GAAG,YAAY,CAAC;AAC1C,MAAM,yBAAyB,GAAG,OAAO,CAAC;AA0B1C,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,OAAO,GAAG,oBAAoB,IAAI,UAAU,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,wBAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,mCAAmC,CAAC,UAAkB;IACpE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,uBAAuB,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,yBAAyB,CAAC;AAC5E,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,sBAAsB,yBAAyB,EAAE,CAAC;AACpG,CAAC;AAED,SAAS,uBAAuB,CAAC,oBAAgD;IAC/E,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;QAC7C,OAAO,eAAe,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,SAAS,6BAA6B,CAAC,QAAyB;IAC9D,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,gCAAgC,CAAC;SACxC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0CAA0C,CAAC,UAAkB;IAC3E,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,kCAAkC,CAAC;SAC1C,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,OAAyB,EACzB,QAAyB;IAEzB,MAAM,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACvE,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAC1C,OAAO,EACP,UAAU,EACV,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;IAE5D,MAAM,OAAO,GAAgC;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,eAAe,EAAE,QAAQ;QACxD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,eAAe,EAAE,gBAAgB;QAChF,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,eAAe,EAAE,UAAU;KAC/D,CAAC;IAEF,kCAAkC;IAClC,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,gCAAgC,CAAC,CAAC;IAEnE,iGAAiG;IACjG,
MAAM,eAAe,GAAG,mCAAmC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,IAAI,oBAAoB,CACzC,OAAO,EACP,eAAe,EACf,0CAA0C,CAAC,QAAQ,CAAC,UAAU,CAAC,CAChE,CAAC;IACF,MAAM,UAAU,CAAC,KAAK,CAAC;QACrB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;KAC3C,EAAE,0BAA0B,CAAC,CAAC;IAE/B,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACtC,MAAM,UAAU,GAAsC;YACpD,cAAc,EAAE,CAAC;YACjB,QAAQ,EAAE,EAAE;SACb,CAAC;QACF,MAAM,YAAY,GAAG,IAAI,oBAAoB,CAC3C,OAAO,EACP,WAAW,EACX,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;QACF,MAAM,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACnD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,OAAO,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAyB,EACzB,UAAkB,EAClB,UAAmB;IAEnB,MAAM,eAAe,GAAG,mCAAmC,CAAC,UAAU,CAAC,CAAC;IACxE,MAAM,UAAU,GAAG,IAAI,oBAAoB,CACzC,OAAO,EACP,eAAe,EACf,0CAA0C,CAAC,UAAU,CAAC,CACvD,CAAC;IACF,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAE5E,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;gBACvC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,+BAA+B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACxE,OAAO;gBACL,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;gBACzB,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;aAClB,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,4CAA4C,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EAC
pD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM;QAC/D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAyB,EACzB,oBAAgD,EAChD,KAAwC;IAExC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAyB,EACzB,oBAAgD,EAChD,IAAsB;IAEtB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,EAAE,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAyB;IAC5D,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACrD,MAAM,OAAO,GAAU,EAAE,CAAC;IAC1B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;YAAE,SAAS;QAErD,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACxD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
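--- a/package/dist/runtime/vault-metadata.d.ts
+++ b/package/dist/runtime/vault-metadata.d.ts
@@ -1,14 +1,18 @@
 import type { IStorageProvider } from "../storage/provider.js";
 export interface VaultProfile {
-
-    public: Record<string, any> & {
+    sealedPublic: Record<string, any> & {
         nickname?: string;
     };
+    sealedPrivate: Record<string, any>;
 }
-export declare const VAULT_PUBLIC_PROFILE_KEY = "vault/public/profile.json";
 /**
- *
+ * Derives a key that is publicly available to anyone who knows the vaultId.
+ * Used to encrypt 'public' metadata to prevent JSON tampering on disk.
  */
-export declare function
-
-
+export declare function deriveVaultPublicWorkingKey(vaultId: string): string;
+/**
+ * Reads the 'public' metadata of a vault. Requires vaultId but no private key.
+ */
+export declare function readVaultPublicMetadata(storage: IStorageProvider, vaultId: string): Promise<Record<string, any>>;
+export declare function writeVaultProfile(storage: IStorageProvider, profile: VaultProfile, vaultWorkingKey: string, vaultId: string): Promise<void>;
+export declare function readVaultProfile(storage: IStorageProvider, vaultWorkingKey: string, vaultId: string): Promise<VaultProfile | null>;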
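Review bot: The docstring added at new lines 9-10 (and repeated verbatim in the vault-metadata.js hunk) overstates what `deriveVaultPublicWorkingKey` protects: the key is SHA-256 over a fixed label and the vaultId, and the same comment says the vaultId is known to anyone, so a party that can write to the storage provider and knows the vaultId can re-seal altered public metadata. That makes it a container-format and accidental-corruption guard, not the owner-signed integrity the deleted `VerifiableMetadata` envelope provided; the js comment at new line 29 ("encrypted for format protection") is the accurate description. Suggest ` * Seals 'public' metadata in the same container format as the private profile; because the key is derivable from the public vaultId this gives neither confidentiality nor protection against deliberate tampering.` Separately, `writeVaultProfile` and `readVaultProfile` (new lines 17-18) gain a required trailing `vaultId` parameter, which breaks existing callers in what the package publishes as a minor bump (1.34.0 → 1.36.0).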
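--- a/package/dist/runtime/vault-metadata.js
+++ b/package/dist/runtime/vault-metadata.js
@@ -1,31 +1,46 @@
+import { createHash } from "node:crypto";
 import { SealedJsonRepository } from "../sealed/index.js";
 const VAULT_SEALED_PROFILE_KEY = "vault/sealed/profile.sealed";
-
-import { readVerifiableMetadata } from "./verifiable-metadata.js";
+const VAULT_PUBLIC_SEALED_PROFILE_KEY = "vault/sealed/public.sealed";
 /**
- *
+ * Derives a key that is publicly available to anyone who knows the vaultId.
+ * Used to encrypt 'public' metadata to prevent JSON tampering on disk.
  */
-export
-
+export function deriveVaultPublicWorkingKey(vaultId) {
+    return createHash("sha256")
+        .update("cbio:vault-public-metadata:v1")
+        .update("\n")
+        .update(vaultId)
+        .digest("base64url");
+}
+/**
+ * Reads the 'public' metadata of a vault. Requires vaultId but no private key.
+ */
+export async function readVaultPublicMetadata(storage, vaultId) {
+    const publicWorkingKey = deriveVaultPublicWorkingKey(vaultId);
+    const repo = new SealedJsonRepository(storage, VAULT_PUBLIC_SEALED_PROFILE_KEY, publicWorkingKey);
+    const data = await repo.read(null).catch(() => null);
     return data || {};
 }
-export async function writeVaultProfile(storage, profile, vaultWorkingKey) {
-    // 1. Write Sealed Profile
-    const
-    await
-    //
-
+export async function writeVaultProfile(storage, profile, vaultWorkingKey, vaultId) {
+    // 1. Write Private Sealed Profile
+    const privateRepo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
+    await privateRepo.write(profile.sealedPrivate, "vault_profile_private");
+    // 2. Write Public Sealed Profile (encrypted for format protection, but publicly-read via side-channel)
+    const publicWorkingKey = deriveVaultPublicWorkingKey(vaultId);
+    const publicRepo = new SealedJsonRepository(storage, VAULT_PUBLIC_SEALED_PROFILE_KEY, publicWorkingKey);
+    await publicRepo.write(profile.sealedPublic, "vault_profile_public");
 }
-export async function readVaultProfile(storage, vaultWorkingKey) {
-    const
-    const
-    if (!
+export async function readVaultProfile(storage, vaultWorkingKey, vaultId) {
+    const privateRepo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
+    const sealedPrivate = await privateRepo.read(null);
+    if (!sealedPrivate) {
         return null;
     }
-    const
+    const sealedPublic = await readVaultPublicMetadata(storage, vaultId);
     return {
-
-
+        sealedPublic,
+        sealedPrivate,
     };
 }
 //# sourceMappingURL=vault-metadata.js.map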
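Review bot: `readVaultPublicMetadata` at new line 22 maps every rejection of `repo.read(null)` to `null` and then to `{}`, so a public profile that is missing, corrupt, or rejected by the unsealing layer all come back as "no metadata", and `readVaultProfile` at new line 40 hands that empty object to the caller as if it were authoritative. The deleted `readVerifiableMetadata` at least logged a signature failure before returning null; here the cause is dropped entirely. Log before discarding, e.g. `const data = await repo.read(null).catch((e) => { console.warn("[vault-metadata] public profile read failed for " + vaultId, e); return null; });`, and if `SealedJsonRepository.read` lets you tell "not found" from "unseal failed" (its implementation is not in this diff), swallow only the former. Separately, `writeVaultProfile` issues the private write at new line 28 and the public write at new line 32 as two independent calls with no ordering guarantee or rollback, so a failure between them leaves a profile whose halves disagree and the caller cannot tell which half landed from a bare rejection.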
@@ -1 +1 @@
1
-
{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAO1D,MAAM,wBAAwB,GAAG,6BAA6B,CAAC;AAC/D,MAAM,+BAA+B,GAAG,4BAA4B,CAAC;AAErE;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CAAC,OAAe;IACzD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,+BAA+B,CAAC;SACvC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAyB,EACzB,OAAe;IAEf,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;IACvH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC5D,OAAO,IAAI,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAyB,EACzB,OAAqB,EACrB,eAAuB,EACvB,OAAe;IAEf,kCAAkC;IAClC,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACtH,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,uBAAuB,CAAC,CAAC;IAExE,uGAAuG;IACvG,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;IAC7H,MAAM,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,sBAAsB,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACtH,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;IAC1D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAErE,OAAO;QACL,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC"}
package/package.json
CHANGED
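--- a/package/dist/runtime/verifiable-metadata.d.ts
+++ b/package/dist/runtime/verifiable-metadata.d.ts
@@ -1,18 +0,0 @@
-import type { IStorageProvider } from "../storage/provider.js";
-/**
- * A verifiable envelope for public metadata.
- * Proves that the data was signed by the rightful owner.
- */
-export interface VerifiableMetadata<T> {
-    payload: T;
-    signature: string;
-    signer: string;
-}
-/**
- * Signs and writes a payload to storage as a verifiable metadata envelope.
- */
-export declare function writeVerifiableMetadata<T>(storage: IStorageProvider, path: string, payload: T, privateKey: string): Promise<void>;
-/**
- * Reads and optionally verifies a verifiable metadata envelope from storage.
- */
-export declare function readVerifiableMetadata<T>(storage: IStorageProvider, path: string, expectedSigner?: string): Promise<T | null>;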
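--- a/package/dist/runtime/verifiable-metadata.js
+++ b/package/dist/runtime/verifiable-metadata.js
@@ -1,72 +0,0 @@
-import { signPayload, verifySignature, derivePublicKey } from "../protocol/crypto.js";
-/**
- * Hardcoded field order for canonical JSON stringification.
- * This ensures that even if different environments parse/stringify,
- * the signature check string is always identical.
- */
-function canonicalStringify(obj) {
-    if (!obj || typeof obj !== "object" || Array.isArray(obj)) {
-        return JSON.stringify(obj);
-    }
-    const keys = Object.keys(obj).sort();
-    const parts = [];
-    for (const key of keys) {
-        const value = obj[key];
-        if (value === undefined)
-            continue;
-        // Recursive canonical for nested objects if any (mostly for publicMetadata)
-        parts.push(`${JSON.stringify(key)}:${canonicalStringify(value)}`);
-    }
-    return `{${parts.join(",")}}`;
-}
-/**
- * Signs and writes a payload to storage as a verifiable metadata envelope.
- */
-export async function writeVerifiableMetadata(storage, path, payload, privateKey) {
-    const payloadStr = canonicalStringify(payload);
-    const signature = await signPayload(privateKey, payloadStr);
-    const signer = derivePublicKey(privateKey);
-    // Self-verify check
-    const isCorrect = await verifySignature(signer, payloadStr, signature);
-    if (!isCorrect) {
-        throw new Error(`[VerifiableMetadata] SDK Integrity Failure: Generated signature is invalid for the payload.
-Payload: ${payloadStr}
-Signer: ${signer}
-Signature: ${signature}`);
-    }
-    const envelope = {
-        payload,
-        signature,
-        signer,
-    };
-    await storage.write(path, Buffer.from(JSON.stringify(envelope, null, 2)));
-}
-/**
- * Reads and optionally verifies a verifiable metadata envelope from storage.
- */
-export async function readVerifiableMetadata(storage, path, expectedSigner) {
-    const raw = await storage.read(path);
-    if (!raw)
-        return null;
-    try {
-        const envelope = JSON.parse(raw.toString());
-        // If expectedSigner is provided, we MUST verify
-        if (expectedSigner && envelope.signer !== expectedSigner) {
-            return null; // Signer mismatch
-        }
-        const payloadStr = canonicalStringify(envelope.payload);
-        const isValid = await verifySignature(envelope.signer, payloadStr, envelope.signature);
-        if (!isValid) {
-            console.warn(`[VerifiableMetadata] Invalid signature at ${path}`);
-            console.warn(`[VerifiableMetadata] Signer: ${envelope.signer}`);
-            console.warn(`[VerifiableMetadata] Payload String: ${payloadStr}`);
-            console.warn(`[VerifiableMetadata] Signature: ${envelope.signature}`);
-            return null;
-        }
-        return envelope.payload;
-    }
-    catch (e) {
-        return null;
-    }
-}
-//# sourceMappingURL=verifiable-metadata.js.map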
@@ -1 +0,0 @@
1
-
{"version":3,"file":"verifiable-metadata.js","sourceRoot":"","sources":["../../src/runtime/verifiable-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAatF;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,GAAQ;IAClC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAElC,4EAA4E;QAC5E,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAyB,EACzB,IAAY,EACZ,OAAU,EACV,UAAkB;IAElB,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAE3C,oBAAoB;IACpB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IACvE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC;WACT,UAAU;UACX,MAAM;aACH,SAAS,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,QAAQ,GAA0B;QACtC,OAAO;QACP,SAAS;QACT,MAAM;KACP,CAAC;IAEF,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAyB,EACzB,IAAY,EACZ,cAAuB;IAEvB,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,CAA0B,CAAC;QAErE,gDAAgD;QAChD,IAAI,cAAc,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACzD,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;QAED,MAAM,UAAU,GAAG,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAEvF,IAAI,CAAC,OAAO,EAAE,CAAC
;YACb,OAAO,CAAC,IAAI,CAAC,6CAA6C,IAAI,EAAE,CAAC,CAAC;YAClE,OAAO,CAAC,IAAI,CAAC,gCAAgC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAChE,OAAO,CAAC,IAAI,CAAC,wCAAwC,UAAU,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,mCAAmC,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,QAAQ,CAAC,OAAO,CAAC;IAC1B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}