@the-ai-company/cbio-node-runtime 1.35.0 → 1.37.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/dist/runtime/bootstrap.d.ts +5 -3
- package/dist/runtime/bootstrap.js +23 -10
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/index.d.ts +3 -3
- package/dist/runtime/index.js +2 -2
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/private-vault.d.ts +6 -5
- package/dist/runtime/private-vault.js +45 -17
- package/dist/runtime/private-vault.js.map +1 -1
- package/dist/runtime/vault-metadata.d.ts +11 -5
- package/dist/runtime/vault-metadata.js +35 -10
- package/dist/runtime/vault-metadata.js.map +1 -1
- package/docs/REFERENCE.md +6 -13
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -109,7 +109,7 @@ const createdVault = await createVault(storage, {
|
|
|
109
109
|
|
|
110
110
|
The workspace root can contain many vaults. Each vault is physically divided into `vault/sealed/` (encrypted) and `vault/public/` (signed discovery).
|
|
111
111
|
|
|
112
|
-
Every identity also has its own private namespace
|
|
112
|
+
Every identity also has its own private namespace for encrypted metadata, and a companion discovery area for public information.
|
|
113
113
|
|
|
114
114
|
## Architecture
|
|
115
115
|
|
|
@@ -64,7 +64,9 @@ export declare function recoverVault(storage: IStorageProvider, options: Recover
|
|
|
64
64
|
*/
|
|
65
65
|
export declare function recoverVault(options: RecoverVaultOptions): Promise<RecoveredVault>;
|
|
66
66
|
/**
|
|
67
|
-
* Lists all
|
|
68
|
-
* Metadata requires the owner's private key to decrypt.
|
|
67
|
+
* Lists all vaults in the workspace with their discovery metadata.
|
|
69
68
|
*/
|
|
70
|
-
export declare function listVaults(storage: IStorageProvider): Promise<
|
|
69
|
+
export declare function listVaults(storage: IStorageProvider): Promise<Array<{
|
|
70
|
+
vaultId: string;
|
|
71
|
+
public: any;
|
|
72
|
+
}>>;
|
|
@@ -3,7 +3,7 @@ import { createVaultCore } from "../vault-core/core.js";
|
|
|
3
3
|
import { createPersistentVaultCoreDependencies, } from "../vault-core/index.js";
|
|
4
4
|
import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
|
|
5
5
|
import { createPrefixedStorage } from "../storage/prefix.js";
|
|
6
|
-
import { readVaultProfile, writeVaultProfile } from "./vault-metadata.js";
|
|
6
|
+
import { readVaultProfile, writeVaultProfile, readVaultPublicMetadata } from "./vault-metadata.js";
|
|
7
7
|
import { createWorkspaceStorage } from "./workspace-storage.js";
|
|
8
8
|
function deriveVaultWorkingKey(privateKey, vaultId) {
|
|
9
9
|
return crypto
|
|
@@ -49,14 +49,18 @@ export async function createVault(storageOrOptions, maybeOptions) {
|
|
|
49
49
|
};
|
|
50
50
|
await core.bootstrapOwnerIdentity(bootstrapOwner);
|
|
51
51
|
const nickname = options.nickname?.trim() ? options.nickname.trim() : undefined;
|
|
52
|
-
// All metadata
|
|
52
|
+
// 1. All sensitive metadata is in the private sealed profile (requires owner PK)
|
|
53
|
+
// 2. Discovery metadata (nickname) is in the public sealed profile (requires only vaultId)
|
|
53
54
|
await writeVaultProfile(storage, {
|
|
54
|
-
|
|
55
|
+
sealedPrivate: {
|
|
55
56
|
vaultId,
|
|
56
|
-
nickname,
|
|
57
57
|
ownerId: options.ownerIdentity.identityId,
|
|
58
58
|
},
|
|
59
|
-
|
|
59
|
+
sealedPublic: {
|
|
60
|
+
vaultId,
|
|
61
|
+
nickname,
|
|
62
|
+
}
|
|
63
|
+
}, vaultWorkingKey, vaultId);
|
|
60
64
|
return {
|
|
61
65
|
core,
|
|
62
66
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
@@ -74,25 +78,34 @@ export async function recoverVault(storageOrOptions, maybeOptions) {
|
|
|
74
78
|
vaultWorkingKey,
|
|
75
79
|
});
|
|
76
80
|
const core = createVaultCore(deps);
|
|
77
|
-
const profile = await readVaultProfile(storage, vaultWorkingKey);
|
|
81
|
+
const profile = await readVaultProfile(storage, vaultWorkingKey, options.vaultId);
|
|
78
82
|
if (!profile) {
|
|
79
83
|
throw new Error("vault profile not found or decryption failed");
|
|
80
84
|
}
|
|
81
85
|
return {
|
|
82
86
|
core,
|
|
83
87
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
84
|
-
nickname: profile.
|
|
88
|
+
nickname: profile.sealedPublic.nickname,
|
|
85
89
|
storage,
|
|
86
90
|
};
|
|
87
91
|
}
|
|
88
92
|
/**
|
|
89
|
-
* Lists all
|
|
90
|
-
* Metadata requires the owner's private key to decrypt.
|
|
93
|
+
* Lists all vaults in the workspace with their discovery metadata.
|
|
91
94
|
*/
|
|
92
95
|
export async function listVaults(storage) {
|
|
93
96
|
if (!storage.list) {
|
|
94
97
|
return [];
|
|
95
98
|
}
|
|
96
|
-
|
|
99
|
+
const ids = await storage.list("vaults");
|
|
100
|
+
const results = [];
|
|
101
|
+
for (const id of ids) {
|
|
102
|
+
const vaultStorage = createPrefixedStorage(storage, vaultStoragePrefix(id));
|
|
103
|
+
const publicData = await readVaultPublicMetadata(vaultStorage, id);
|
|
104
|
+
results.push({
|
|
105
|
+
vaultId: id,
|
|
106
|
+
public: publicData || {},
|
|
107
|
+
});
|
|
108
|
+
}
|
|
109
|
+
return results;
|
|
97
110
|
}
|
|
98
111
|
//# sourceMappingURL=bootstrap.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAG7D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnG,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE,SAAS,qBAAqB,CAAC,UAAkB,EAAE,OAAe;IAChE,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,2BAA2B,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC;AA0CD,SAAS,cAAc,CACrB,gBAA6E,EAC7E,YAAuD;IAEvD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,gBAAoC;YAC7C,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,gEAAgE;IAChE,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA4D;KACtE,CAAC;AACJ,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,gBAAuD,EACvD,YAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACzF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhF,iFAAiF;IACjF,2FAA2F;IAC3F,MAAM,iBAAiB,CAAC,OAAO,EAAE;QAC/B,aAAa,EAAE;YACb,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;SAC1C;QACD,YAAY,EAAE;YACZ,OAAO;YACP,QAAQ;SACT;KACF,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IAE7B,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,gBAAwD,EACxD,YAAkC;IAElC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjG,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ,EAAE,OAAO,CAAC,YAAY,CAAC,QAAQ;QACvC,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAyB;IACxD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,OAAO,GAA4C,EAAE,CAAC;IAC5D,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,YAAY,GAAG,qBAAqB,CAAC,OAAO,EAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAEnE,OAAO,CAAC,IAAI,CAAC;YACX,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -10,10 +10,10 @@ export { FsStorageProvider } from "../storage/fs.js";
|
|
|
10
10
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
11
11
|
export { createIdentity, deriveChildIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type ChildIdentity, type CreatedIdentity, } from "./identity.js";
|
|
12
12
|
export { createChildIdentity, type CreateChildIdentityOptions, } from "./child-identity.js";
|
|
13
|
-
export { readVaultProfile, writeVaultProfile, type VaultProfile, } from "./vault-metadata.js";
|
|
13
|
+
export { readVaultProfile, writeVaultProfile, readVaultPublicMetadata, type VaultProfile, } from "./vault-metadata.js";
|
|
14
14
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
15
|
-
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState, } from "./private-vault.js";
|
|
16
|
-
export { createVault, recoverVault, listVaults, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultMetadata, } from "./bootstrap.js";
|
|
15
|
+
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultPublicSealedKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState, } from "./private-vault.js";
|
|
16
|
+
export { createVault, recoverVault, listVaults, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultMetadata as VaultPublicMetadata, } from "./bootstrap.js";
|
|
17
17
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerDefineSecretTargetsCommand, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
|
|
18
18
|
export { createVaultClient, type VaultClient, type CreateVaultClientOptions, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type OwnerDefineSecretTargetsInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerStoreSecretInput, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
|
|
19
19
|
export { createAgentClient, type AgentClient, type CreateAgentClientOptions, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
|
package/dist/runtime/index.js
CHANGED
|
@@ -9,9 +9,9 @@ export { FsStorageProvider } from "../storage/fs.js";
|
|
|
9
9
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
10
10
|
export { createIdentity, deriveChildIdentity, restoreIdentity, } from "./identity.js";
|
|
11
11
|
export { createChildIdentity, } from "./child-identity.js";
|
|
12
|
-
export { readVaultProfile, writeVaultProfile, } from "./vault-metadata.js";
|
|
12
|
+
export { readVaultProfile, writeVaultProfile, readVaultPublicMetadata, } from "./vault-metadata.js";
|
|
13
13
|
export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
|
|
14
|
-
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultChildrenKey, } from "./private-vault.js";
|
|
14
|
+
export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultPublicSealedKey, identityPrivateVaultChildrenKey, } from "./private-vault.js";
|
|
15
15
|
export { createVault, recoverVault, listVaults, } from "./bootstrap.js";
|
|
16
16
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
|
|
17
17
|
export { createVaultClient, } from "../clients/owner/index.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,uBAAuB,GAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,+BAA+B,EAC/B,qCAAqC,EACrC,oBAAoB,EACpB,cAAc,EACd,0BAA0B,EAC1B,8BAA8B,EAC9B,mCAAmC,EACnC,+BAA+B,GAIhC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,EACZ,UAAU,GAOX,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,oCAAoC,EACpC,uBAAuB,EACvB,oCAAoC,EACpC,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA+CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAclB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC"}
|
|
@@ -21,20 +21,21 @@ export interface IdentityPrivateVaultChildrenState {
|
|
|
21
21
|
type IdentityPrivateVaultAccess = CreatedIdentity | string;
|
|
22
22
|
export declare function identityPrivateVaultPrefix(identityId: string): string;
|
|
23
23
|
export declare function identityPrivateVaultProfileKey(identityId: string): string;
|
|
24
|
+
export declare function identityPrivateVaultPublicSealedKey(identityId: string): string;
|
|
24
25
|
export declare function identityPrivateVaultChildrenKey(identityId: string): string;
|
|
25
26
|
export declare function ensureIdentityPrivateVault(storage: IStorageProvider, identity: CreatedIdentity): Promise<void>;
|
|
26
27
|
export declare function readIdentityPrivateVaultProfile(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultProfile | null>;
|
|
27
28
|
/**
|
|
28
29
|
* Metadata reader for identities.
|
|
29
|
-
*
|
|
30
|
+
* Discovery info (nickname) can be read with just identityId.
|
|
31
|
+
* Full profile requires privateKey.
|
|
30
32
|
*/
|
|
31
|
-
export declare function readIdentityMetadata(storage: IStorageProvider, identityId: string, privateKey?: string): Promise<IdentityPrivateVaultProfile | null>;
|
|
33
|
+
export declare function readIdentityMetadata(storage: IStorageProvider, identityId: string, privateKey?: string): Promise<IdentityPrivateVaultProfile | any | null>;
|
|
32
34
|
export declare function readIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess): Promise<IdentityPrivateVaultChildrenState>;
|
|
33
35
|
export declare function writeIdentityPrivateVaultChildrenState(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, state: IdentityPrivateVaultChildrenState): Promise<void>;
|
|
34
36
|
export declare function withIdentityPrivateVaultLock<T>(storage: IStorageProvider, identityOrPrivateKey: IdentityPrivateVaultAccess, task: () => Promise<T>): Promise<T>;
|
|
35
37
|
/**
|
|
36
|
-
* Lists all
|
|
37
|
-
* Nicknames and other metadata require a private key to decrypt.
|
|
38
|
+
* Lists all identities in the workspace with their discovery metadata.
|
|
38
39
|
*/
|
|
39
|
-
export declare function listIdentities(storage: IStorageProvider): Promise<
|
|
40
|
+
export declare function listIdentities(storage: IStorageProvider): Promise<any[]>;
|
|
40
41
|
export {};
|
|
@@ -9,6 +9,9 @@ export function identityPrivateVaultPrefix(identityId) {
|
|
|
9
9
|
export function identityPrivateVaultProfileKey(identityId) {
|
|
10
10
|
return `${identityPrivateVaultPrefix(identityId)}/sealed/profile.sealed`;
|
|
11
11
|
}
|
|
12
|
+
export function identityPrivateVaultPublicSealedKey(identityId) {
|
|
13
|
+
return `${identityPrivateVaultPrefix(identityId)}/sealed/public.sealed`;
|
|
14
|
+
}
|
|
12
15
|
export function identityPrivateVaultChildrenKey(identityId) {
|
|
13
16
|
return `${identityPrivateVaultPrefix(identityId)}/sealed/children.sealed`;
|
|
14
17
|
}
|
|
@@ -30,6 +33,13 @@ function deriveIdentityPrivateVaultKey(identity) {
|
|
|
30
33
|
.update(identity.privateKey)
|
|
31
34
|
.digest("base64url");
|
|
32
35
|
}
|
|
36
|
+
function deriveIdentityPrivateVaultPublicWorkingKey(identityId) {
|
|
37
|
+
return createHash("sha256")
|
|
38
|
+
.update("cbio:identity-public-metadata:v1")
|
|
39
|
+
.update("\n")
|
|
40
|
+
.update(identityId)
|
|
41
|
+
.digest("base64url");
|
|
42
|
+
}
|
|
33
43
|
export async function ensureIdentityPrivateVault(storage, identity) {
|
|
34
44
|
const profileKey = identityPrivateVaultProfileKey(identity.identityId);
|
|
35
45
|
const profileRepo = new SealedJsonRepository(storage, profileKey, deriveIdentityPrivateVaultKey(identity));
|
|
@@ -41,8 +51,17 @@ export async function ensureIdentityPrivateVault(storage, identity) {
|
|
|
41
51
|
parentIdentityId: identity.parentIdentityId || existingProfile?.parentIdentityId,
|
|
42
52
|
childIndex: identity.childIndex ?? existingProfile?.childIndex,
|
|
43
53
|
};
|
|
44
|
-
//
|
|
54
|
+
// 1. Write Private Sealed Profile
|
|
45
55
|
await profileRepo.write(profile, "identity_private_vault_profile");
|
|
56
|
+
// 2. Write Public Sealed Metadata for Discovery (Encrypted for integrity, but publicly readable)
|
|
57
|
+
const publicSealedKey = identityPrivateVaultPublicSealedKey(identity.identityId);
|
|
58
|
+
const publicRepo = new SealedJsonRepository(storage, publicSealedKey, deriveIdentityPrivateVaultPublicWorkingKey(identity.identityId));
|
|
59
|
+
await publicRepo.write({
|
|
60
|
+
identityId: profile.identityId,
|
|
61
|
+
publicKey: profile.publicKey,
|
|
62
|
+
nickname: profile.nickname,
|
|
63
|
+
parentIdentityId: profile.parentIdentityId,
|
|
64
|
+
}, "identity_public_metadata");
|
|
46
65
|
const childrenKey = identityPrivateVaultChildrenKey(identity.identityId);
|
|
47
66
|
if (!(await storage.has(childrenKey))) {
|
|
48
67
|
const emptyState = {
|
|
@@ -60,23 +79,30 @@ export async function readIdentityPrivateVaultProfile(storage, identityOrPrivate
|
|
|
60
79
|
}
|
|
61
80
|
/**
|
|
62
81
|
* Metadata reader for identities.
|
|
63
|
-
*
|
|
82
|
+
* Discovery info (nickname) can be read with just identityId.
|
|
83
|
+
* Full profile requires privateKey.
|
|
64
84
|
*/
|
|
65
85
|
export async function readIdentityMetadata(storage, identityId, privateKey) {
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
86
|
+
const publicSealedKey = identityPrivateVaultPublicSealedKey(identityId);
|
|
87
|
+
const publicRepo = new SealedJsonRepository(storage, publicSealedKey, deriveIdentityPrivateVaultPublicWorkingKey(identityId));
|
|
88
|
+
const publicMetadata = await publicRepo.read(null).catch(() => null);
|
|
89
|
+
if (privateKey) {
|
|
90
|
+
try {
|
|
91
|
+
const identity = restoreIdentity(privateKey);
|
|
92
|
+
if (identity.identityId !== identityId) {
|
|
93
|
+
throw new Error("identityId mismatch");
|
|
94
|
+
}
|
|
95
|
+
const sealed = await readIdentityPrivateVaultProfile(storage, identity);
|
|
96
|
+
return {
|
|
97
|
+
...(publicMetadata || {}),
|
|
98
|
+
...(sealed || {}),
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
catch (e) {
|
|
102
|
+
console.warn(`[IdentityMetadata] Decryption failed for ${identityId}:`, e);
|
|
73
103
|
}
|
|
74
|
-
return await readIdentityPrivateVaultProfile(storage, identity);
|
|
75
|
-
}
|
|
76
|
-
catch (e) {
|
|
77
|
-
console.warn(`[IdentityMetadata] Decryption failed for ${identityId}:`, e);
|
|
78
|
-
return null;
|
|
79
104
|
}
|
|
105
|
+
return publicMetadata;
|
|
80
106
|
}
|
|
81
107
|
export async function readIdentityPrivateVaultChildrenState(storage, identityOrPrivateKey) {
|
|
82
108
|
const identity = normalizeIdentityAccess(identityOrPrivateKey);
|
|
@@ -100,8 +126,7 @@ export async function withIdentityPrivateVaultLock(storage, identityOrPrivateKey
|
|
|
100
126
|
return task();
|
|
101
127
|
}
|
|
102
128
|
/**
|
|
103
|
-
* Lists all
|
|
104
|
-
* Nicknames and other metadata require a private key to decrypt.
|
|
129
|
+
* Lists all identities in the workspace with their discovery metadata.
|
|
105
130
|
*/
|
|
106
131
|
export async function listIdentities(storage) {
|
|
107
132
|
if (!storage.list) {
|
|
@@ -112,7 +137,10 @@ export async function listIdentities(storage) {
|
|
|
112
137
|
for (const id of ids) {
|
|
113
138
|
if (id.endsWith(PRIVATE_VAULT_LOCK_SUFFIX))
|
|
114
139
|
continue;
|
|
115
|
-
|
|
140
|
+
const profile = await readIdentityMetadata(storage, id);
|
|
141
|
+
if (profile) {
|
|
142
|
+
results.push(profile);
|
|
143
|
+
}
|
|
116
144
|
}
|
|
117
145
|
return results;
|
|
118
146
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;AAEtE,MAAM,oBAAoB,GAAG,YAAY,CAAC;AAC1C,MAAM,yBAAyB,GAAG,OAAO,CAAC;AA0B1C,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,OAAO,GAAG,oBAAoB,IAAI,UAAU,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,wBAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,yBAAyB,CAAC;AAC5E,CAAC;
|
|
1
|
+
{"version":3,"file":"private-vault.js","sourceRoot":"","sources":["../../src/runtime/private-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAwB,MAAM,eAAe,CAAC;AAEtE,MAAM,oBAAoB,GAAG,YAAY,CAAC;AAC1C,MAAM,yBAAyB,GAAG,OAAO,CAAC;AA0B1C,MAAM,UAAU,0BAA0B,CAAC,UAAkB;IAC3D,OAAO,GAAG,oBAAoB,IAAI,UAAU,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAkB;IAC/D,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,wBAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,mCAAmC,CAAC,UAAkB;IACpE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,uBAAuB,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,UAAkB;IAChE,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,yBAAyB,CAAC;AAC5E,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,GAAG,0BAA0B,CAAC,UAAU,CAAC,sBAAsB,yBAAyB,EAAE,CAAC;AACpG,CAAC;AAED,SAAS,uBAAuB,CAAC,oBAAgD;IAC/E,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;QAC7C,OAAO,eAAe,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,SAAS,6BAA6B,CAAC,QAAyB;IAC9D,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,gCAAgC,CAAC;SACxC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;SAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,0CAA0C,CAAC,UAAkB;IACpE,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,kCAAkC,CAAC;SAC1C,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,OAAyB,EACzB,QAAyB;IAEzB,MAAM,UAAU,GAAG,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACvE,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAC1C,OAAO,EACP,UAAU,EACV,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;IAE5D,MAAM,OAAO,GAAgC;QAC3C,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,eAAe,EAAE,QAAQ;QACxD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB,IAAI,eAAe,EAAE,gBAAgB;QAChF,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,eAAe,EAAE,UAAU;KAC/D,CAAC;IAEF,kCAAkC;IAClC,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,gCAAgC,CAAC,CAAC;IAEnE,iGAAiG;IACjG,MAAM,eAAe,GAAG,mCAAmC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,IAAI,oBAAoB,CACzC,OAAO,EACP,eAAe,EACf,0CAA0C,CAAC,QAAQ,CAAC,UAAU,CAAC,CAChE,CAAC;IACF,MAAM,UAAU,CAAC,KAAK,CAAC;QACrB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;KAC3C,EAAE,0BAA0B,CAAC,CAAC;IAE/B,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACtC,MAAM,UAAU,GAAsC;YACpD,cAAc,EAAE,CAAC;YACjB,QAAQ,EAAE,EAAE;SACb,CAAC;QACF,MAAM,YAAY,GAAG,IAAI,oBAAoB,CAC3C,OAAO,EACP,WAAW,EACX,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;QACF,MAAM,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,8BAA8B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACnD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,OAAO,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAyB,EACzB,UAAkB,EAClB,UAAmB;IAEnB,MAAM,eAAe,GAAG,mCAAmC,CAAC,UAAU,CAAC,CAAC;IACxE,MAAM,UAAU,GAAG,IAAI,oBAAoB,CACzC,OAAO,EACP,eAAe,EACf,0CAA0C,CAAC,UAAU,CAAC,CACvD,CAAC;IACF,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAE5E,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;gBACvC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,+BAA+B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACxE,OAAO;gBACL,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;gBACzB,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;aAClB,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,4CAA4C,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,OAAyB,EACzB,oBAAgD;IAEhD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM;QAC/D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAyB,EACzB,oBAAgD,EAChD,KAAwC;IAExC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CACnC,OAAO,EACP,+BAA+B,CAAC,QAAQ,CAAC,UAAU,CAAC,EACpD,6BAA6B,CAAC,QAAQ,CAAC,CACxC,CAAC;IACF,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAyB,EACzB,oBAAgD,EAChD,IAAsB;IAEtB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,EAAE,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAyB;IAC5D,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACrD,MAAM,OAAO,GAAU,EAAE,CAAC;IAC1B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;YAAE,SAAS;QAErD,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACxD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1,12 +1,18 @@
|
|
|
1
1
|
import type { IStorageProvider } from "../storage/provider.js";
|
|
2
2
|
export interface VaultProfile {
|
|
3
|
-
|
|
3
|
+
sealedPublic: Record<string, any> & {
|
|
4
4
|
nickname?: string;
|
|
5
5
|
};
|
|
6
|
+
sealedPrivate: Record<string, any>;
|
|
6
7
|
}
|
|
7
8
|
/**
|
|
8
|
-
*
|
|
9
|
-
*
|
|
9
|
+
* Derives a key that is publicly available to anyone who knows the vaultId.
|
|
10
|
+
* Used to encrypt 'public' metadata to prevent JSON tampering on disk.
|
|
10
11
|
*/
|
|
11
|
-
export declare function
|
|
12
|
-
|
|
12
|
+
export declare function deriveVaultPublicWorkingKey(vaultId: string): string;
|
|
13
|
+
/**
|
|
14
|
+
* Reads the 'public' metadata of a vault. Requires vaultId but no private key.
|
|
15
|
+
*/
|
|
16
|
+
export declare function readVaultPublicMetadata(storage: IStorageProvider, vaultId: string): Promise<Record<string, any>>;
|
|
17
|
+
export declare function writeVaultProfile(storage: IStorageProvider, profile: VaultProfile, vaultWorkingKey: string, vaultId: string): Promise<void>;
|
|
18
|
+
export declare function readVaultProfile(storage: IStorageProvider, vaultWorkingKey: string, vaultId: string): Promise<VaultProfile | null>;
|
|
@@ -1,21 +1,46 @@
|
|
|
1
|
+
import { createHash } from "node:crypto";
|
|
1
2
|
import { SealedJsonRepository } from "../sealed/index.js";
|
|
2
3
|
const VAULT_SEALED_PROFILE_KEY = "vault/sealed/profile.sealed";
|
|
4
|
+
const VAULT_PUBLIC_SEALED_PROFILE_KEY = "vault/sealed/public.sealed";
|
|
3
5
|
/**
|
|
4
|
-
*
|
|
5
|
-
*
|
|
6
|
+
* Derives a key that is publicly available to anyone who knows the vaultId.
|
|
7
|
+
* Used to encrypt 'public' metadata to prevent JSON tampering on disk.
|
|
6
8
|
*/
|
|
7
|
-
export
|
|
8
|
-
|
|
9
|
-
|
|
9
|
+
export function deriveVaultPublicWorkingKey(vaultId) {
|
|
10
|
+
return createHash("sha256")
|
|
11
|
+
.update("cbio:vault-public-metadata:v1")
|
|
12
|
+
.update("\n")
|
|
13
|
+
.update(vaultId)
|
|
14
|
+
.digest("base64url");
|
|
10
15
|
}
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
16
|
+
/**
|
|
17
|
+
* Reads the 'public' metadata of a vault. Requires vaultId but no private key.
|
|
18
|
+
*/
|
|
19
|
+
export async function readVaultPublicMetadata(storage, vaultId) {
|
|
20
|
+
const publicWorkingKey = deriveVaultPublicWorkingKey(vaultId);
|
|
21
|
+
const repo = new SealedJsonRepository(storage, VAULT_PUBLIC_SEALED_PROFILE_KEY, publicWorkingKey);
|
|
22
|
+
const data = await repo.read(null).catch(() => null);
|
|
23
|
+
return data || {};
|
|
24
|
+
}
|
|
25
|
+
export async function writeVaultProfile(storage, profile, vaultWorkingKey, vaultId) {
|
|
26
|
+
// 1. Write Private Sealed Profile
|
|
27
|
+
const privateRepo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
|
|
28
|
+
await privateRepo.write(profile.sealedPrivate, "vault_profile_private");
|
|
29
|
+
// 2. Write Public Sealed Profile (encrypted for format protection, but publicly-read via side-channel)
|
|
30
|
+
const publicWorkingKey = deriveVaultPublicWorkingKey(vaultId);
|
|
31
|
+
const publicRepo = new SealedJsonRepository(storage, VAULT_PUBLIC_SEALED_PROFILE_KEY, publicWorkingKey);
|
|
32
|
+
await publicRepo.write(profile.sealedPublic, "vault_profile_public");
|
|
33
|
+
}
|
|
34
|
+
export async function readVaultProfile(storage, vaultWorkingKey, vaultId) {
|
|
35
|
+
const privateRepo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
|
|
36
|
+
const sealedPrivate = await privateRepo.read(null);
|
|
37
|
+
if (!sealedPrivate) {
|
|
15
38
|
return null;
|
|
16
39
|
}
|
|
40
|
+
const sealedPublic = await readVaultPublicMetadata(storage, vaultId);
|
|
17
41
|
return {
|
|
18
|
-
|
|
42
|
+
sealedPublic,
|
|
43
|
+
sealedPrivate,
|
|
19
44
|
};
|
|
20
45
|
}
|
|
21
46
|
//# sourceMappingURL=vault-metadata.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAO1D,MAAM,wBAAwB,GAAG,6BAA6B,CAAC;AAC/D,MAAM,+BAA+B,GAAG,4BAA4B,CAAC;AAErE;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CAAC,OAAe;IACzD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,+BAA+B,CAAC;SACvC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAyB,EACzB,OAAe;IAEf,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;IACvH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC5D,OAAO,IAAI,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAyB,EACzB,OAAqB,EACrB,eAAuB,EACvB,OAAe;IAEf,kCAAkC;IAClC,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACtH,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,uBAAuB,CAAC,CAAC;IAExE,uGAAuG;IACvG,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;IAC7H,MAAM,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,sBAAsB,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACtH,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;IAC1D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAErE,OAAO;QACL,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC"}
|
package/docs/REFERENCE.md
CHANGED
|
@@ -98,7 +98,7 @@ Role rules:
|
|
|
98
98
|
|
|
99
99
|
Those files are encrypted at rest in the `sealed/` sub-directory and are not readable as plain JSON on disk.
|
|
100
100
|
|
|
101
|
-
Identities also maintain a **public discovery area
|
|
101
|
+
Identities also maintain a **public discovery area**. This region is encrypted with a key derived from the identity ID, making it accessible via the API without the owner's private key, while ensuring all data on disk remains fully encrypted and tamper-resistant.
|
|
102
102
|
|
|
103
103
|
`restoreIdentity(privateKey)` returns the same shape for an existing private key.
|
|
104
104
|
|
|
@@ -373,20 +373,13 @@ If the custom flow mode includes secret acquisition, the owner also defines a re
|
|
|
373
373
|
}
|
|
374
374
|
```
|
|
375
375
|
|
|
376
|
-
##
|
|
376
|
+
## Public-Ready Discovery (Encrypted)
|
|
377
377
|
|
|
378
|
-
The CBIO Node Runtime implements a **Public-
|
|
378
|
+
The CBIO Node Runtime implements a **Public-Ready Encryption** model for discovery metadata. This allows public information (like nicknames) to be accessible via the API without requiring a private key, while ensuring all data on disk is encrypted.
|
|
379
379
|
|
|
380
|
-
- **Storage**:
|
|
381
|
-
- **Integrity**: These files are
|
|
382
|
-
|
|
383
|
-
{
|
|
384
|
-
"payload": { "nickname": "...", ... },
|
|
385
|
-
"signature": "...",
|
|
386
|
-
"signer": "publicKey"
|
|
387
|
-
}
|
|
388
|
-
```
|
|
389
|
-
- **Verification**: The SDK automatically verifies signatures during `listVaults`, `listIdentities`, and retrieval. Corrupted or tampered files are ignored to prevent phishing or metadata poisoning.
|
|
380
|
+
- **Storage**: Managed internally within the `sealed/` directory.
|
|
381
|
+
- **Integrity**: These files are encrypted using a key derived from the Vault or Identity ID (`sha256(cbio:vault-public-metadata:v1 + id)`). This provides tamper-resistance and ensures that the file content remains a black box on disk.
|
|
382
|
+
- **Verification**: The SDK automatically derives the required discovery keys during `listVaults`, `listIdentities`, and retrieval. Corrupted or tampered files are identified by the cryptographic layer and safely ignored.
|
|
390
383
|
|
|
391
384
|
## Persistent Dependencies
|
|
392
385
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@the-ai-company/cbio-node-runtime",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.37.0",
|
|
4
4
|
"description": "Node.js runtime for cbio identity and credential vault. Library only, no CLI or TUI.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/runtime/index.js",
|
|
@@ -23,7 +23,7 @@
|
|
|
23
23
|
"@the-ai-company/cbio-protocol": "^1.0.3"
|
|
24
24
|
},
|
|
25
25
|
"scripts": {
|
|
26
|
-
"build": "
|
|
26
|
+
"build": "tsc",
|
|
27
27
|
"prepare": "npm run build",
|
|
28
28
|
"test": "npm run build && npm run test:acceptance",
|
|
29
29
|
"test:acceptance": "node tests/smoke/runtime-surface.js && node tests/smoke/policy-and-persistence.js && node tests/smoke/replay-guard.js && node tests/smoke/security-guards.js"
|