@the-ai-company/cbio-node-runtime 1.6.0 → 1.10.0
- package/README.md +26 -10
- package/dist/clients/owner/client.d.ts +11 -11
- package/dist/clients/owner/client.js +31 -31
- package/dist/clients/owner/client.js.map +1 -1
- package/dist/clients/owner/contracts.d.ts +5 -5
- package/dist/clients/owner/index.d.ts +3 -3
- package/dist/clients/owner/index.js +1 -1
- package/dist/protocol/identity.d.ts +2 -2
- package/dist/protocol/identity.js +5 -2
- package/dist/protocol/identity.js.map +1 -1
- package/dist/runtime/bootstrap.d.ts +6 -8
- package/dist/runtime/bootstrap.js +18 -6
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/identity.d.ts +8 -0
- package/dist/runtime/identity.js +67 -4
- package/dist/runtime/identity.js.map +1 -1
- package/dist/runtime/index.d.ts +3 -2
- package/dist/runtime/index.js +3 -2
- package/dist/runtime/index.js.map +1 -1
- package/docs/ARCHITECTURE.md +3 -2
- package/docs/CUSTODY_MODEL.md +4 -29
- package/docs/IDENTITY_MODEL.md +7 -3
- package/docs/REFERENCE.md +24 -17
- package/docs/es/README.md +2 -2
- package/docs/fr/README.md +2 -2
- package/docs/ja/README.md +2 -2
- package/docs/ko/README.md +2 -2
- package/docs/pt/README.md +2 -2
- package/docs/zh/README.md +2 -2
- package/package.json +1 -1
package/README.md
|
@@ -42,18 +42,36 @@ import {
|
|
|
42
42
|
createVaultService,
|
|
43
43
|
createDefaultVaultCoreDependencies,
|
|
44
44
|
createIdentity,
|
|
45
|
+
deriveIdentity,
|
|
46
|
+
restoreIdentity,
|
|
45
47
|
createVault,
|
|
46
48
|
recoverVault,
|
|
47
49
|
createOwnerHttpFlowBoundary,
|
|
48
50
|
createStandardAcquireBoundary,
|
|
49
51
|
createStandardDispatchBoundary,
|
|
50
|
-
|
|
52
|
+
createVaultClient,
|
|
51
53
|
createAgentClient,
|
|
52
54
|
FsStorageProvider,
|
|
53
55
|
LocalVaultTransport,
|
|
56
|
+
LocalSigner,
|
|
54
57
|
} from '@the-ai-company/cbio-node-runtime';
|
|
55
58
|
```
|
|
56
59
|
|
|
60
|
+
Identity restore example:
|
|
61
|
+
|
|
62
|
+
```ts
|
|
63
|
+
const identity = restoreIdentity(existingPrivateKey);
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
Child identity example:
|
|
67
|
+
|
|
68
|
+
```ts
|
|
69
|
+
const rootIdentity = createIdentity({ nickname: 'root' });
|
|
70
|
+
const childIdentity = deriveIdentity(rootIdentity.privateKey, 'agents/worker-1', {
|
|
71
|
+
nickname: 'worker-1',
|
|
72
|
+
});
|
|
73
|
+
```
|
|
74
|
+
|
|
57
75
|
## Architecture
|
|
58
76
|
|
|
59
77
|
Core terms:
|
|
@@ -69,7 +87,8 @@ Important role rule:
|
|
|
69
87
|
|
|
70
88
|
- outside the vault there are only identities
|
|
71
89
|
- inside a specific vault, those identities may be bound to roles such as `owner` or `agent`
|
|
72
|
-
- identities are independent
|
|
90
|
+
- root identities are independent
|
|
91
|
+
- child identities may be deterministically derived from a parent identity private key plus a path
|
|
73
92
|
|
|
74
93
|
The public runtime surface follows four hard rules:
|
|
75
94
|
|
|
@@ -136,7 +155,7 @@ This package now exposes the production local vault runtime surface as the prima
|
|
|
136
155
|
const ownerIdentity = createIdentity({ nickname: 'owner-main' });
|
|
137
156
|
const agentIdentity = createIdentity({ nickname: 'agent-worker' });
|
|
138
157
|
const vault = createVaultService(createDefaultVaultCoreDependencies());
|
|
139
|
-
const
|
|
158
|
+
const client = createVaultClient({ identityId: ownerIdentity.identityId }, vault, new LocalSigner(ownerIdentity), clock);
|
|
140
159
|
const transport = new LocalVaultTransport(vault, capability.capabilityId);
|
|
141
160
|
const agent = createAgentClient({ agentId: agentIdentity.identityId }, capability, new LocalSigner(agentIdentity), transport, clock);
|
|
142
161
|
```
|
|
@@ -155,13 +174,13 @@ const capability = {
|
|
|
155
174
|
issuedAt: new Date().toISOString(),
|
|
156
175
|
};
|
|
157
176
|
|
|
158
|
-
await
|
|
177
|
+
await client.grantCapability({ capability });
|
|
159
178
|
```
|
|
160
179
|
|
|
161
180
|
Custom flow example:
|
|
162
181
|
|
|
163
182
|
```ts
|
|
164
|
-
await
|
|
183
|
+
await client.registerFlow({
|
|
165
184
|
flowId: 'custom-status-read',
|
|
166
185
|
...createOwnerHttpFlowBoundary({
|
|
167
186
|
mode: 'send_secret',
|
|
@@ -192,7 +211,7 @@ const acquired = await vault.acquireSecret({
|
|
|
192
211
|
console.log(acquired.responseShape);
|
|
193
212
|
// { token_type: 'Bearer', expires_in: 3600, scope: 'read write' }
|
|
194
213
|
|
|
195
|
-
const exported = await
|
|
214
|
+
const exported = await client.exportSecret({
|
|
196
215
|
alias: 'issuer-token',
|
|
197
216
|
});
|
|
198
217
|
|
|
@@ -209,12 +228,9 @@ const createdVault = await createVault(storage, {
|
|
|
209
228
|
ownerIdentity,
|
|
210
229
|
});
|
|
211
230
|
|
|
212
|
-
// Show once to the owner and let them store it offline.
|
|
213
|
-
console.log(createdVault.initializedCustody.vaultRecoveryKey);
|
|
214
|
-
|
|
215
231
|
const recoveredVault = await recoverVault(storage, {
|
|
216
232
|
vaultId: 'vault-persistent',
|
|
217
|
-
|
|
233
|
+
ownerIdentity,
|
|
218
234
|
});
|
|
219
235
|
```
|
|
220
236
|
|
|
@@ -1,19 +1,19 @@
|
|
|
1
1
|
import type { Clock } from "../../vault-core/index.js";
|
|
2
2
|
import type { VaultService } from "../../vault-ingress/index.js";
|
|
3
|
-
import type {
|
|
4
|
-
export interface
|
|
5
|
-
|
|
3
|
+
import type { VaultAuditQueryInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerWriteSecretInput } from "./contracts.js";
|
|
4
|
+
export interface VaultIdentity {
|
|
5
|
+
identityId: string;
|
|
6
6
|
}
|
|
7
|
-
export interface
|
|
7
|
+
export interface VaultSigner {
|
|
8
8
|
getPublicKey(): Promise<string>;
|
|
9
9
|
sign(input: string): Promise<string>;
|
|
10
10
|
}
|
|
11
|
-
export interface
|
|
11
|
+
export interface VaultClient {
|
|
12
12
|
writeSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
|
|
13
|
-
exportSecret(input:
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
13
|
+
exportSecret(input: VaultExportSecretInput): Promise<import("../../vault-core/index.js").OwnerSecretExport>;
|
|
14
|
+
grantCapability(input: VaultGrantCapabilityInput): Promise<void>;
|
|
15
|
+
readAudit(query?: VaultAuditQueryInput): Promise<readonly import("../../vault-core/index.js").AuditEntry[]>;
|
|
16
|
+
registerAgent(input: VaultRegisterAgentInput): Promise<void>;
|
|
17
|
+
registerFlow(input: VaultRegisterFlowInput): Promise<void>;
|
|
18
18
|
}
|
|
19
|
-
export declare function
|
|
19
|
+
export declare function createVaultClient(identity: VaultIdentity, vault: VaultService, signer: VaultSigner, clock: Clock): VaultClient;
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class
|
|
1
|
+
class DefaultVaultClient {
|
|
2
2
|
_identity;
|
|
3
3
|
_vault;
|
|
4
4
|
_signer;
|
|
@@ -11,11 +11,11 @@ class DefaultOwnerClient {
|
|
|
11
11
|
}
|
|
12
12
|
async writeSecret(input) {
|
|
13
13
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
14
|
-
const requestId = `${this._identity.
|
|
14
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:write_secret`;
|
|
15
15
|
const signature = await this._signer.sign(JSON.stringify({
|
|
16
16
|
requestId,
|
|
17
17
|
requestedAt,
|
|
18
|
-
ownerId: this._identity.
|
|
18
|
+
ownerId: this._identity.identityId,
|
|
19
19
|
alias: input.alias,
|
|
20
20
|
plaintext: input.plaintext,
|
|
21
21
|
targetBindings: input.targetBindings,
|
|
@@ -26,40 +26,40 @@ class DefaultOwnerClient {
|
|
|
26
26
|
requestId,
|
|
27
27
|
owner: {
|
|
28
28
|
kind: "owner",
|
|
29
|
-
id: this._identity.
|
|
29
|
+
id: this._identity.identityId,
|
|
30
30
|
},
|
|
31
31
|
alias: input.alias,
|
|
32
32
|
plaintext: input.plaintext,
|
|
33
33
|
targetBindings: input.targetBindings,
|
|
34
34
|
requestedAt,
|
|
35
35
|
proof: {
|
|
36
|
-
ownerId: this._identity.
|
|
36
|
+
ownerId: this._identity.identityId,
|
|
37
37
|
signature,
|
|
38
38
|
requestId,
|
|
39
39
|
requestedAt,
|
|
40
40
|
},
|
|
41
41
|
});
|
|
42
42
|
}
|
|
43
|
-
async
|
|
43
|
+
async readAudit(query = {}) {
|
|
44
44
|
const requestedAt = this._clock.nowIso();
|
|
45
|
-
const requestId = `${this._identity.
|
|
45
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:read_audit`;
|
|
46
46
|
const signature = await this._signer.sign(JSON.stringify({
|
|
47
47
|
requestId,
|
|
48
48
|
requestedAt,
|
|
49
|
-
ownerId: this._identity.
|
|
49
|
+
ownerId: this._identity.identityId,
|
|
50
50
|
query,
|
|
51
51
|
}));
|
|
52
52
|
return this._vault.readAudit({
|
|
53
53
|
vaultId: this._vault.vaultId,
|
|
54
54
|
actor: {
|
|
55
55
|
kind: "owner",
|
|
56
|
-
id: this._identity.
|
|
56
|
+
id: this._identity.identityId,
|
|
57
57
|
},
|
|
58
58
|
query,
|
|
59
59
|
requestId,
|
|
60
60
|
requestedAt,
|
|
61
61
|
proof: {
|
|
62
|
-
ownerId: this._identity.
|
|
62
|
+
ownerId: this._identity.identityId,
|
|
63
63
|
signature,
|
|
64
64
|
requestId,
|
|
65
65
|
requestedAt,
|
|
@@ -68,33 +68,33 @@ class DefaultOwnerClient {
|
|
|
68
68
|
}
|
|
69
69
|
async exportSecret(input) {
|
|
70
70
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
71
|
-
const requestId = `${this._identity.
|
|
71
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:export_secret`;
|
|
72
72
|
const signature = await this._signer.sign(JSON.stringify({
|
|
73
73
|
requestId,
|
|
74
74
|
requestedAt,
|
|
75
|
-
ownerId: this._identity.
|
|
75
|
+
ownerId: this._identity.identityId,
|
|
76
76
|
alias: input.alias,
|
|
77
77
|
}));
|
|
78
78
|
return this._vault.exportSecret({
|
|
79
79
|
vaultId: this._vault.vaultId,
|
|
80
80
|
actor: {
|
|
81
81
|
kind: "owner",
|
|
82
|
-
id: this._identity.
|
|
82
|
+
id: this._identity.identityId,
|
|
83
83
|
},
|
|
84
84
|
alias: input.alias,
|
|
85
85
|
requestId,
|
|
86
86
|
requestedAt,
|
|
87
87
|
proof: {
|
|
88
|
-
ownerId: this._identity.
|
|
88
|
+
ownerId: this._identity.identityId,
|
|
89
89
|
signature,
|
|
90
90
|
requestId,
|
|
91
91
|
requestedAt,
|
|
92
92
|
},
|
|
93
93
|
});
|
|
94
94
|
}
|
|
95
|
-
async
|
|
95
|
+
async registerAgent(input) {
|
|
96
96
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
97
|
-
const requestId = `${this._identity.
|
|
97
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.agentId}:register_agent_identity`;
|
|
98
98
|
const agentIdentity = {
|
|
99
99
|
vaultId: this._vault.vaultId,
|
|
100
100
|
agentId: input.agentId,
|
|
@@ -103,7 +103,7 @@ class DefaultOwnerClient {
|
|
|
103
103
|
const signature = await this._signer.sign(JSON.stringify({
|
|
104
104
|
requestId,
|
|
105
105
|
requestedAt,
|
|
106
|
-
ownerId: this._identity.
|
|
106
|
+
ownerId: this._identity.identityId,
|
|
107
107
|
agentIdentity,
|
|
108
108
|
}));
|
|
109
109
|
await this._vault.registerAgentIdentity({
|
|
@@ -111,21 +111,21 @@ class DefaultOwnerClient {
|
|
|
111
111
|
requestId,
|
|
112
112
|
owner: {
|
|
113
113
|
kind: "owner",
|
|
114
|
-
id: this._identity.
|
|
114
|
+
id: this._identity.identityId,
|
|
115
115
|
},
|
|
116
116
|
agentIdentity,
|
|
117
117
|
requestedAt,
|
|
118
118
|
proof: {
|
|
119
|
-
ownerId: this._identity.
|
|
119
|
+
ownerId: this._identity.identityId,
|
|
120
120
|
signature,
|
|
121
121
|
requestId,
|
|
122
122
|
requestedAt,
|
|
123
123
|
},
|
|
124
124
|
});
|
|
125
125
|
}
|
|
126
|
-
async
|
|
126
|
+
async grantCapability(input) {
|
|
127
127
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
128
|
-
const requestId = `${this._identity.
|
|
128
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.capability.capabilityId}:register_capability`;
|
|
129
129
|
const capability = {
|
|
130
130
|
...input.capability,
|
|
131
131
|
vaultId: this._vault.vaultId,
|
|
@@ -133,7 +133,7 @@ class DefaultOwnerClient {
|
|
|
133
133
|
const signature = await this._signer.sign(JSON.stringify({
|
|
134
134
|
requestId,
|
|
135
135
|
requestedAt,
|
|
136
|
-
ownerId: this._identity.
|
|
136
|
+
ownerId: this._identity.identityId,
|
|
137
137
|
capability,
|
|
138
138
|
}));
|
|
139
139
|
await this._vault.registerCapability({
|
|
@@ -141,21 +141,21 @@ class DefaultOwnerClient {
|
|
|
141
141
|
requestId,
|
|
142
142
|
owner: {
|
|
143
143
|
kind: "owner",
|
|
144
|
-
id: this._identity.
|
|
144
|
+
id: this._identity.identityId,
|
|
145
145
|
},
|
|
146
146
|
capability,
|
|
147
147
|
requestedAt,
|
|
148
148
|
proof: {
|
|
149
|
-
ownerId: this._identity.
|
|
149
|
+
ownerId: this._identity.identityId,
|
|
150
150
|
signature,
|
|
151
151
|
requestId,
|
|
152
152
|
requestedAt,
|
|
153
153
|
},
|
|
154
154
|
});
|
|
155
155
|
}
|
|
156
|
-
async
|
|
156
|
+
async registerFlow(input) {
|
|
157
157
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
158
|
-
const requestId = `${this._identity.
|
|
158
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.flowId}:register_custom_flow`;
|
|
159
159
|
const flow = {
|
|
160
160
|
flowId: input.flowId,
|
|
161
161
|
mode: input.mode,
|
|
@@ -167,7 +167,7 @@ class DefaultOwnerClient {
|
|
|
167
167
|
const signature = await this._signer.sign(JSON.stringify({
|
|
168
168
|
requestId,
|
|
169
169
|
requestedAt,
|
|
170
|
-
ownerId: this._identity.
|
|
170
|
+
ownerId: this._identity.identityId,
|
|
171
171
|
flow,
|
|
172
172
|
}));
|
|
173
173
|
await this._vault.registerCustomFlow({
|
|
@@ -175,12 +175,12 @@ class DefaultOwnerClient {
|
|
|
175
175
|
requestId,
|
|
176
176
|
owner: {
|
|
177
177
|
kind: "owner",
|
|
178
|
-
id: this._identity.
|
|
178
|
+
id: this._identity.identityId,
|
|
179
179
|
},
|
|
180
180
|
flow,
|
|
181
181
|
requestedAt,
|
|
182
182
|
proof: {
|
|
183
|
-
ownerId: this._identity.
|
|
183
|
+
ownerId: this._identity.identityId,
|
|
184
184
|
signature,
|
|
185
185
|
requestId,
|
|
186
186
|
requestedAt,
|
|
@@ -188,7 +188,7 @@ class DefaultOwnerClient {
|
|
|
188
188
|
});
|
|
189
189
|
}
|
|
190
190
|
}
|
|
191
|
-
export function
|
|
192
|
-
return new
|
|
191
|
+
export function createVaultClient(identity, vault, signer, clock) {
|
|
192
|
+
return new DefaultVaultClient(identity, vault, signer, clock);
|
|
193
193
|
}
|
|
194
194
|
//# sourceMappingURL=client.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QAC5F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAA8B,EAAE;QAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,aAAa,CAAC;QAC3E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU
,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAC7F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAA8B;QAChD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACzG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAgC;QACpD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,sBAAsB,CAAC;QACrH,MAAM,UAAU,GAAG;YACjB,GAAG,KAAK,CAAC,UAAU;YACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,UAAU;SACX,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,E
AAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,UAAU;YACV,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QACrG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,KAAmB,EACnB,MAAmB,EACnB,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC"}
|
|
@@ -12,26 +12,26 @@ export interface OwnerWriteSecretInput {
|
|
|
12
12
|
targetBindings: readonly OwnerSecretTargetBinding[];
|
|
13
13
|
requestedAt?: string;
|
|
14
14
|
}
|
|
15
|
-
export interface
|
|
15
|
+
export interface VaultAuditQueryInput {
|
|
16
16
|
actorId?: string;
|
|
17
17
|
secretAlias?: string;
|
|
18
18
|
requestId?: string;
|
|
19
19
|
since?: string;
|
|
20
20
|
}
|
|
21
|
-
export interface
|
|
21
|
+
export interface VaultExportSecretInput {
|
|
22
22
|
alias: string;
|
|
23
23
|
requestedAt?: string;
|
|
24
24
|
}
|
|
25
|
-
export interface
|
|
25
|
+
export interface VaultRegisterAgentInput {
|
|
26
26
|
agentId: string;
|
|
27
27
|
publicKey: string;
|
|
28
28
|
requestedAt?: string;
|
|
29
29
|
}
|
|
30
|
-
export interface
|
|
30
|
+
export interface VaultRegisterFlowInput extends OwnerHttpFlowBoundary {
|
|
31
31
|
flowId: string;
|
|
32
32
|
requestedAt?: string;
|
|
33
33
|
}
|
|
34
|
-
export interface
|
|
34
|
+
export interface VaultGrantCapabilityInput {
|
|
35
35
|
capability: import("../../vault-core/index.js").AgentCapability;
|
|
36
36
|
requestedAt?: string;
|
|
37
37
|
}
|
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
export {
|
|
2
|
-
export type {
|
|
3
|
-
export type {
|
|
1
|
+
export { createVaultClient } from "./client.js";
|
|
2
|
+
export type { VaultClient, VaultIdentity, VaultSigner, } from "./client.js";
|
|
3
|
+
export type { VaultAuditQueryInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerSecretTargetBinding, OwnerWriteSecretInput, } from "./contracts.js";
|
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
export {
|
|
1
|
+
export { createVaultClient } from "./client.js";
|
|
2
2
|
//# sourceMappingURL=index.js.map
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
* Claw-biometric Core Identity. Runtime utilities over protocol primitives.
|
|
3
3
|
* getVaultPath (runtime). Re-exports protocol for consumers.
|
|
4
4
|
*/
|
|
5
|
-
import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
|
|
6
5
|
import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
|
|
7
|
-
export {
|
|
6
|
+
export { getChildIdentitySecretName, CHILD_KEY_PREFIX };
|
|
7
|
+
export declare function deriveIdentityId(publicKey: string): string;
|
|
8
8
|
export declare function getVaultPath(publicKey: string): string;
|
|
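Review bot: The rewritten `export { getChildIdentitySecretName, CHILD_KEY_PREFIX };` on new line 6 drops `deriveRootAgentId`, whose import the hunk also removes, and the replacement `deriveIdentityId` is declared without any TSDoc; the old export line is truncated in this rendering, but if it re-exported `deriveRootAgentId` this is a removed public symbol with no deprecation path, and the same applies to the matching hunk in dist/protocol/identity.js. A transitional alias keeps 1.6.0 consumers compiling: `/** @deprecated use deriveIdentityId */ export declare const deriveRootAgentId: typeof deriveIdentityId;` here and `export const deriveRootAgentId = deriveIdentityId;` in identity.js. The new declaration should also say what it computes, e.g. `/** Stable identity id for a public key; thin wrapper over the protocol's deriveRootAgentId. */`, which is what identity.js in this diff shows it doing.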
@@ -5,9 +5,12 @@
|
|
|
5
5
|
import * as os from 'node:os';
|
|
6
6
|
import * as path from 'node:path';
|
|
7
7
|
import * as crypto from 'node:crypto';
|
|
8
|
-
import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
|
|
8
|
+
import { deriveRootAgentId as protocolDeriveIdentityId } from '@the-ai-company/cbio-protocol';
|
|
9
9
|
import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
|
|
10
|
-
export {
|
|
10
|
+
export { getChildIdentitySecretName, CHILD_KEY_PREFIX };
|
|
11
|
+
export function deriveIdentityId(publicKey) {
|
|
12
|
+
return protocolDeriveIdentityId(publicKey);
|
|
13
|
+
}
|
|
11
14
|
export function getVaultPath(publicKey) {
|
|
12
15
|
const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
|
|
13
16
|
const baseDir = process.env.C_BIO_VAULT_DIR || path.join(os.homedir(), '.c-bio');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,IAAI,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAC9F,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAExD,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAC9C,OAAO,wBAAwB,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;AACnD,CAAC"}
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import { type CreatePersistentVaultCoreDependenciesOptions, type
|
|
1
|
+
import { type CreatePersistentVaultCoreDependenciesOptions, type VaultCore } from "../vault-core/index.js";
|
|
2
2
|
import { type VaultService, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
|
|
3
3
|
import type { IStorageProvider } from "../storage/provider.js";
|
|
4
4
|
import type { CreatedIdentity } from "./identity.js";
|
|
5
|
-
export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
|
|
6
|
-
|
|
5
|
+
export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey" | "vaultId"> {
|
|
6
|
+
vaultId?: string;
|
|
7
7
|
ownerIdentity: CreatedIdentity;
|
|
8
8
|
vault?: {
|
|
9
9
|
customFlows?: VaultCustomFlowResolver;
|
|
@@ -11,20 +11,18 @@ export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDepend
|
|
|
11
11
|
};
|
|
12
12
|
}
|
|
13
13
|
export interface CreatedVault {
|
|
14
|
-
initializedCustody: InitializedVaultCustody;
|
|
15
14
|
core: VaultCore;
|
|
16
15
|
vault: VaultService;
|
|
17
16
|
}
|
|
18
|
-
export interface RecoverVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
|
|
19
|
-
|
|
20
|
-
|
|
17
|
+
export interface RecoverVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey" | "vaultId"> {
|
|
18
|
+
vaultId: string;
|
|
19
|
+
ownerIdentity: CreatedIdentity;
|
|
21
20
|
vault?: {
|
|
22
21
|
customFlows?: VaultCustomFlowResolver;
|
|
23
22
|
fetchImpl?: typeof fetch;
|
|
24
23
|
};
|
|
25
24
|
}
|
|
26
25
|
export interface RecoveredVault {
|
|
27
|
-
vaultWorkingKey: string;
|
|
28
26
|
core: VaultCore;
|
|
29
27
|
vault: VaultService;
|
|
30
28
|
}
|
|
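Review bot: `CreateVaultOptions.vaultId` becomes optional while `RecoverVaultOptions.vaultId` becomes required, yet nothing on the type tells the caller how to get a generated id back, and `CreatedVault` no longer carries `initializedCustody`, so the returned object exposes nothing about the id except through `vault` itself. Since bootstrap.js in this diff generates `vault_${crypto.randomUUID()}` when the field is omitted and derives the working key from it, a caller who discards the id cannot recover the vault; the optional field deserves a TSDoc line such as `/** Stable vault identifier; generated when omitted — keep it (see the returned vault.vaultId), recoverVault requires it. */`. Removing `CreatedVault.initializedCustody` and `RecoveredVault.vaultWorkingKey` are breaking changes to exported types and should at least be called out in the package changelog for the 1.6.0 → 1.10.0 jump.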
@@ -1,11 +1,24 @@
|
|
|
1
|
+
import crypto from "node:crypto";
|
|
1
2
|
import { createVaultCore } from "../vault-core/core.js";
|
|
2
|
-
import { createPersistentVaultCoreDependencies,
|
|
3
|
+
import { createPersistentVaultCoreDependencies, } from "../vault-core/index.js";
|
|
3
4
|
import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
|
|
5
|
+
function deriveVaultWorkingKey(privateKey, vaultId) {
|
|
6
|
+
return crypto
|
|
7
|
+
.createHash("sha256")
|
|
8
|
+
.update("cbio:vault-working-key:v1")
|
|
9
|
+
.update("\n")
|
|
10
|
+
.update(vaultId)
|
|
11
|
+
.update("\n")
|
|
12
|
+
.update(privateKey)
|
|
13
|
+
.digest("base64url");
|
|
14
|
+
}
|
|
4
15
|
export async function createVault(storage, options) {
|
|
5
|
-
const
|
|
16
|
+
const vaultId = options.vaultId ?? `vault_${crypto.randomUUID()}`;
|
|
17
|
+
const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, vaultId);
|
|
6
18
|
const deps = createPersistentVaultCoreDependencies(storage, {
|
|
7
19
|
...options,
|
|
8
|
-
|
|
20
|
+
vaultId,
|
|
21
|
+
vaultWorkingKey,
|
|
9
22
|
});
|
|
10
23
|
const core = createVaultCore(deps);
|
|
11
24
|
const bootstrapOwner = {
|
|
@@ -15,20 +28,19 @@ export async function createVault(storage, options) {
|
|
|
15
28
|
};
|
|
16
29
|
await core.bootstrapOwnerIdentity(bootstrapOwner);
|
|
17
30
|
return {
|
|
18
|
-
initializedCustody,
|
|
19
31
|
core,
|
|
20
32
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
21
33
|
};
|
|
22
34
|
}
|
|
23
35
|
export async function recoverVault(storage, options) {
|
|
24
|
-
const vaultWorkingKey =
|
|
36
|
+
const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, options.vaultId);
|
|
25
37
|
const deps = createPersistentVaultCoreDependencies(storage, {
|
|
26
38
|
...options,
|
|
39
|
+
vaultId: options.vaultId,
|
|
27
40
|
vaultWorkingKey,
|
|
28
41
|
});
|
|
29
42
|
const core = createVaultCore(deps);
|
|
30
43
|
return {
|
|
31
|
-
vaultWorkingKey,
|
|
32
44
|
core,
|
|
33
45
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
34
46
|
};
|
|
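Review bot: `deriveVaultWorkingKey` turns the owner's serialized private key plus a caller-chosen `vaultId` into the vault working key with a fixed-prefix SHA-256 rather than a key-derivation function, so the signing key is reused directly as encryption-key material with no extract/expand step; `node:crypto` is already imported here, so the standard form is a two-line change: `const okm = crypto.hkdfSync("sha256", privateKey, "cbio:vault-working-key:v1", vaultId, 32);` followed by `return Buffer.from(okm).toString("base64url");`. Whichever derivation is kept, the `v1` label in the constant should be bumped with any change, because vaults created by this version become unrecoverable once the formula moves. The custody consequence — the former `initializedCustody.vaultRecoveryKey` is gone and the owner private key is now the only path to a vault's data — is not stated anywhere in the code; a comment on the function such as `// Working key is a pure function of (owner private key, vaultId): losing or rotating the owner key makes the vault unrecoverable, and vaultId must be preserved alongside it.` would make the trade-off explicit.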
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,
|
|
1
|
+
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AAInC,SAAS,qBAAqB,CAAC,UAAkB,EAAE,OAAe;IAChE,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,2BAA2B,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AA8BD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAyB,EACzB,OAA2B;IAE3B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACzF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAClD,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAyB,EACzB,OAA4B;IAE5B,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjG,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC"}
|
|
@@ -7,4 +7,12 @@ export interface CreatedIdentity {
|
|
|
7
7
|
export interface CreateIdentityOptions {
|
|
8
8
|
nickname?: string;
|
|
9
9
|
}
|
|
10
|
+
export interface RestoreIdentityOptions {
|
|
11
|
+
nickname?: string;
|
|
12
|
+
}
|
|
13
|
+
export interface DeriveIdentityOptions {
|
|
14
|
+
nickname?: string;
|
|
15
|
+
}
|
|
10
16
|
export declare function createIdentity(options?: CreateIdentityOptions): CreatedIdentity;
|
|
17
|
+
export declare function restoreIdentity(privateKey: string, options?: RestoreIdentityOptions): CreatedIdentity;
|
|
18
|
+
export declare function deriveIdentity(parentPrivateKey: string, path: string, options?: DeriveIdentityOptions): CreatedIdentity;
|
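Review bot: `restoreIdentity` and `deriveIdentity` are added to the public surface without TSDoc, leaving the two inputs that matter most unspecified: the encoding `privateKey` must be in, and what `path` is and how it is normalized. The identity.js hunk in this diff (cut off in this view) decodes keys as base64url PKCS#8 Ed25519 and trims both the key and the path before use, so the declarations should state that, e.g. `/** Rebuilds an identity from a base64url PKCS#8 Ed25519 private key (whitespace-trimmed); throws on an empty key. */` on `restoreIdentity` and `/** Deterministically derives a child identity from a parent private key and a non-empty path string; the same inputs always yield the same child. */` on `deriveIdentity`, the determinism claim matching the README text added in this release. `RestoreIdentityOptions` and `DeriveIdentityOptions` duplicate `CreateIdentityOptions` field for field; if they are meant to stay identical, `export type RestoreIdentityOptions = CreateIdentityOptions;` avoids three shapes drifting apart.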
package/dist/runtime/identity.js
|
@@ -1,16 +1,79 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import {
|
|
1
|
+
import { createHmac, createPrivateKey, createPublicKey } from "node:crypto";
|
|
2
|
+
import { derivePublicKey, generateIdentityKeys } from "../protocol/crypto.js";
|
|
3
|
+
import { deriveIdentityId } from "../protocol/identity.js";
|
|
4
|
+
const ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
|
|
5
|
+
const ED25519_SEED_LENGTH = 32;
|
|
6
|
+
function normalizeNickname(nickname) {
|
|
7
|
+
return nickname?.trim() ? nickname.trim() : undefined;
|
|
8
|
+
}
|
|
9
|
+
function decodeEd25519Seed(privateKey) {
|
|
10
|
+
const der = Buffer.from(privateKey, "base64url");
|
|
11
|
+
if (der.length !== ED25519_PKCS8_PREFIX.length + ED25519_SEED_LENGTH ||
|
|
12
|
+
!der.subarray(0, ED25519_PKCS8_PREFIX.length).equals(ED25519_PKCS8_PREFIX)) {
|
|
13
|
+
throw new Error("unsupported private key format");
|
|
14
|
+
}
|
|
15
|
+
return der.subarray(ED25519_PKCS8_PREFIX.length);
|
|
16
|
+
}
|
|
17
|
+
function encodeEd25519PrivateKey(seed) {
|
|
18
|
+
return Buffer.concat([ED25519_PKCS8_PREFIX, seed]).toString("base64url");
|
|
19
|
+
}
|
|
3
20
|
export function createIdentity(options = {}) {
|
|
4
21
|
const keyPair = generateIdentityKeys();
|
|
5
22
|
if (!keyPair.publicKey || !keyPair.privateKey) {
|
|
6
23
|
throw new Error("identity generation failed");
|
|
7
24
|
}
|
|
8
|
-
const nickname =
|
|
25
|
+
const nickname = normalizeNickname(options.nickname);
|
|
9
26
|
return {
|
|
10
|
-
identityId:
|
|
27
|
+
identityId: deriveIdentityId(keyPair.publicKey),
|
|
11
28
|
nickname,
|
|
12
29
|
publicKey: keyPair.publicKey,
|
|
13
30
|
privateKey: keyPair.privateKey,
|
|
14
31
|
};
|
|
15
32
|
}
|
|
33
|
+
export function restoreIdentity(privateKey, options = {}) {
|
|
34
|
+
const normalizedPrivateKey = privateKey.trim();
|
|
35
|
+
if (!normalizedPrivateKey) {
|
|
36
|
+
throw new Error("private key is required");
|
|
37
|
+
}
|
|
38
|
+
const publicKey = derivePublicKey(normalizedPrivateKey);
|
|
39
|
+
const nickname = normalizeNickname(options.nickname);
|
|
40
|
+
return {
|
|
41
|
+
identityId: deriveIdentityId(publicKey),
|
|
42
|
+
nickname,
|
|
43
|
+
publicKey,
|
|
44
|
+
privateKey: normalizedPrivateKey,
|
|
45
|
+
};
|
|
46
|
+
}
|
|
47
|
+
export function deriveIdentity(parentPrivateKey, path, options = {}) {
|
|
48
|
+
const normalizedParentPrivateKey = parentPrivateKey.trim();
|
|
49
|
+
const normalizedPath = path.trim();
|
|
50
|
+
if (!normalizedParentPrivateKey) {
|
|
51
|
+
throw new Error("parent private key is required");
|
|
52
|
+
}
|
|
53
|
+
if (!normalizedPath) {
|
|
54
|
+
throw new Error("path is required");
|
|
55
|
+
}
|
|
56
|
+
const parentSeed = decodeEd25519Seed(normalizedParentPrivateKey);
|
|
57
|
+
const childSeed = createHmac("sha256", parentSeed)
|
|
58
|
+
.update("cbio:identity:child:v1")
|
|
59
|
+
.update("\0")
|
|
60
|
+
.update(normalizedPath)
|
|
61
|
+
.digest();
|
|
62
|
+
const privateKey = encodeEd25519PrivateKey(childSeed);
|
|
63
|
+
const privateKeyObject = createPrivateKey({
|
|
64
|
+
key: Buffer.from(privateKey, "base64url"),
|
|
65
|
+
format: "der",
|
|
66
|
+
type: "pkcs8",
|
|
67
|
+
});
|
|
68
|
+
const publicKey = Buffer.from(createPublicKey(privateKeyObject).export({
|
|
69
|
+
type: "spki",
|
|
70
|
+
format: "der",
|
|
71
|
+
})).toString("base64url");
|
|
72
|
+
return {
|
|
73
|
+
identityId: deriveIdentityId(publicKey),
|
|
74
|
+
nickname: normalizeNickname(options.nickname),
|
|
75
|
+
publicKey,
|
|
76
|
+
privateKey,
|
|
77
|
+
};
|
|
78
|
+
}
|
|
16
79
|
//# sourceMappingURL=identity.js.map
|
|
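Review bot: deriveIdentity computes the child's public key through its own createPrivateKey/createPublicKey/export path (new lines 63-71), while restoreIdentity obtains it from derivePublicKey in ../protocol/crypto.js; if those two encodings ever diverge, `restoreIdentity(child.privateKey)` would report a different identityId than `deriveIdentity(...)` for the same key, and nothing here pins them together. Once the child PKCS#8 string is built on line 62 the rest of the function is exactly restoreIdentity, so ending with `return restoreIdentity(privateKey, options);` removes the duplicate path and makes the two results identical by construction. The decoded parentSeed and the childSeed digest also remain in live Buffers after use (and small Buffer.from allocations may come from Node's shared pool), so a best-effort `parentSeed.fill(0); childSeed.fill(0);` before returning limits how long raw seed material lingers. Since path is trimmed before hashing, `"a"` and `" a "` derive the same child, which deserves a one-line comment on normalizedPath such as `// surrounding whitespace is not part of the derivation input`.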
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAqB3D,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;AACpF,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,SAAS,iBAAiB,CAAC,QAAiB;IAC1C,OAAO,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACjD,IACE,GAAG,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,GAAG,mBAAmB;QAChE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAC1E,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,UAAiC,EAAE;IAChE,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC;QAC/C,QAAQ;QACR,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,UAAkC,EAAE;IACtF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,oBAAoB;KACjC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,gBAAwB,EACxB,IAAY,EACZ,UAAiC,EAAE;IAEnC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC3D,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,0BAA0B
,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,0BAA0B,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,wBAAwB,CAAC;SAChC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,cAAc,CAAC;SACtB,MAAM,EAAE,CAAC;IAEZ,MAAM,UAAU,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;QACxC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC;QACzC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAC3B,eAAe,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC;QACvC,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,KAAK;KACd,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExB,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ,EAAE,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC7C,SAAS;QACT,UAAU;KACX,CAAC;AACJ,CAAC"}
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -4,13 +4,14 @@
|
|
|
4
4
|
*/
|
|
5
5
|
export { IdentityError, IdentityErrorCode } from "../errors.js";
|
|
6
6
|
export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
|
|
7
|
+
export { deriveIdentityId } from "../protocol/identity.js";
|
|
7
8
|
export type { IStorageProvider } from "../storage/provider.js";
|
|
8
9
|
export { FsStorageProvider } from "../storage/fs.js";
|
|
9
10
|
export { MemoryStorageProvider } from "../storage/memory.js";
|
|
10
|
-
export { createIdentity, type CreateIdentityOptions, type CreatedIdentity, } from "./identity.js";
|
|
11
|
+
export { createIdentity, deriveIdentity, restoreIdentity, type CreateIdentityOptions, type DeriveIdentityOptions, type RestoreIdentityOptions, type CreatedIdentity, } from "./identity.js";
|
|
11
12
|
export { createVault, recoverVault, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
|
|
12
13
|
export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type 
VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
|
|
13
|
-
export {
|
|
14
|
+
export { createVaultClient, type VaultClient, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
|
|
14
15
|
export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
|
|
15
16
|
export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
|
|
16
17
|
export { LocalVaultTransport, } from "../vault-ingress/defaults.js";
|
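--- a/package/dist/runtime/index.js
+++ b/package/dist/runtime/index.js
@@ -4,12 +4,13 @@
 */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
 export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
+export { deriveIdentityId } from "../protocol/identity.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { createIdentity, } from "./identity.js";
+export { createIdentity, deriveIdentity, restoreIdentity, } from "./identity.js";
 export { createVault, recoverVault, } from "./bootstrap.js";
 export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
-export {
+export { createVaultClient, } from "../clients/owner/index.js";
 export { createAgentClient, } from "../clients/agent/index.js";
 export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
 export { LocalVaultTransport, } from "../vault-ingress/defaults.js";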
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,cAAc,EACd,eAAe,GAKhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,WAAW,EACX,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
|
package/docs/ARCHITECTURE.md
CHANGED
|
@@ -10,7 +10,7 @@ Related design note:
|
|
|
10
10
|
Recommended persistent-vault lifecycle:
|
|
11
11
|
|
|
12
12
|
- create through `createVault(...)`
|
|
13
|
-
- recover through `recoverVault(...)`
|
|
13
|
+
- recover through `recoverVault(...)` using the owner's identity
|
|
14
14
|
|
|
15
15
|
## Identity And Roles
|
|
16
16
|
|
|
@@ -27,7 +27,8 @@ This means:
|
|
|
27
27
|
|
|
28
28
|
- outside the vault there are only identities
|
|
29
29
|
- inside a specific vault, identities are bound to roles such as `owner` or `agent`
|
|
30
|
-
- identities are independent
|
|
30
|
+
- root identities are independent
|
|
31
|
+
- child identities may be deterministically derived from a parent identity private key plus a path
|
|
31
32
|
- an identity may be the `owner` of one vault and an `agent` in another vault
|
|
32
33
|
|
|
33
34
|
## Public Modules
|
package/docs/CUSTODY_MODEL.md
CHANGED
|
@@ -65,36 +65,14 @@ Non-purpose:
|
|
|
65
65
|
- not a user-facing day-to-day API credential
|
|
66
66
|
- not the preferred recovery artifact presented to the owner
|
|
67
67
|
|
|
68
|
-
### `vaultRecoveryKey`
|
|
69
|
-
|
|
70
|
-
The owner-held recovery artifact.
|
|
71
|
-
|
|
72
|
-
Purpose:
|
|
73
|
-
|
|
74
|
-
- recover or re-establish access to vault secret custody
|
|
75
|
-
- support migration and disaster recovery
|
|
76
|
-
- preserve owner material sovereignty over stored secrets
|
|
77
|
-
|
|
78
|
-
Expected lifecycle:
|
|
79
|
-
|
|
80
|
-
- generated during vault initialization
|
|
81
|
-
- shown to the owner once
|
|
82
|
-
- then stored by the owner outside the normal runtime working path
|
|
83
|
-
|
|
84
|
-
Non-purpose:
|
|
85
|
-
|
|
86
|
-
- not the owner's signing identity
|
|
87
|
-
- not the normal runtime key used for every operation
|
|
88
|
-
|
|
89
68
|
## Current Runtime Surface
|
|
90
69
|
|
|
91
70
|
The persistent runtime surface uses `vaultWorkingKey` as the runtime material-control key.
|
|
92
|
-
|
|
93
|
-
The older `custodyKey` term is intentionally not part of the current product model.
|
|
71
|
+
The working key is now derived from the owner's private key plus `vaultId` in the high-level runtime path.
|
|
94
72
|
|
|
95
73
|
## Required Separation
|
|
96
74
|
|
|
97
|
-
The runtime separates
|
|
75
|
+
The runtime separates two concerns in the high-level path:
|
|
98
76
|
|
|
99
77
|
1. Identity authority
|
|
100
78
|
`ownerPrivateKey`
|
|
@@ -102,9 +80,6 @@ The runtime separates three concerns:
|
|
|
102
80
|
2. Runtime material control
|
|
103
81
|
`vaultWorkingKey`
|
|
104
82
|
|
|
105
|
-
3. Recovery authority
|
|
106
|
-
`vaultRecoveryKey`
|
|
107
|
-
|
|
108
83
|
This separation is deliberate.
|
|
109
84
|
|
|
110
85
|
The runtime should not default to a model where one owner signing key directly acts as the encryption root for all stored secret material.
|
|
@@ -124,7 +99,7 @@ Instead:
|
|
|
124
99
|
In practical terms:
|
|
125
100
|
|
|
126
101
|
- owner must be able to export secret plaintext through a formal audited interface
|
|
127
|
-
- owner must be able to recover the vault through
|
|
102
|
+
- owner must be able to recover the vault through the owner identity path
|
|
128
103
|
- owner does not need to directly hold the working key during normal runtime operation
|
|
129
104
|
|
|
130
105
|
## Export / Reveal Policy
|
|
@@ -145,7 +120,7 @@ Future hardening such as MFA/TOTP may be added on top of this model, but it does
|
|
|
145
120
|
The runtime now includes:
|
|
146
121
|
|
|
147
122
|
1. formal vault creation through `createVault(...)`
|
|
148
|
-
2.
|
|
123
|
+
2. owner-identity based re-entry through `recoverVault(...)`
|
|
149
124
|
3. explicit `vaultWorkingKey` terminology in the persistent dependency surface
|
|
150
125
|
4. continued support for explicit owner export through `exportSecret(...)`
|
|
151
126
|
|
package/docs/IDENTITY_MODEL.md
CHANGED
|
@@ -26,8 +26,8 @@ An `identity` is an external principal represented by a public/private keypair.
|
|
|
26
26
|
|
|
27
27
|
Properties:
|
|
28
28
|
|
|
29
|
-
-
|
|
30
|
-
-
|
|
29
|
+
- root identities are independent
|
|
30
|
+
- child identities may be deterministically derived from a parent identity private key plus a path
|
|
31
31
|
- no built-in inheritance
|
|
32
32
|
- no built-in "owner creates agent identity" relationship
|
|
33
33
|
|
|
@@ -51,7 +51,7 @@ The vault should not treat a display label as the root identity truth.
|
|
|
51
51
|
|
|
52
52
|
## Stable Identity ID
|
|
53
53
|
|
|
54
|
-
The runtime already has a stable public-key-derived identity primitive available through `
|
|
54
|
+
The runtime already has a stable public-key-derived identity primitive available through `deriveIdentityId(...)`.
|
|
55
55
|
|
|
56
56
|
That derived value is useful for:
|
|
57
57
|
|
|
@@ -76,6 +76,10 @@ These should be treated as labels, aliases, or local names rather than the deepe
|
|
|
76
76
|
|
|
77
77
|
The runtime now exposes this concept directly as optional `nickname` on `createIdentity(...)`.
|
|
78
78
|
|
|
79
|
+
For existing private keys, the runtime exposes `restoreIdentity(...)`, which reconstructs the same identity shape from the private key alone.
|
|
80
|
+
|
|
81
|
+
For child identities, the runtime exposes `deriveIdentity(parentPrivateKey, path)`, which deterministically derives the same child identity every time for the same parent key and path.
|
|
82
|
+
|
|
79
83
|
In other words:
|
|
80
84
|
|
|
81
85
|
- public key or a stable derived id answers "who is this cryptographically"
|
package/docs/REFERENCE.md
CHANGED
|
@@ -18,9 +18,11 @@ The main constructors are:
|
|
|
18
18
|
- `createVaultCore(...)`
|
|
19
19
|
- `createVaultService(...)`
|
|
20
20
|
- `createIdentity(...)`
|
|
21
|
+
- `deriveIdentity(...)`
|
|
22
|
+
- `restoreIdentity(...)`
|
|
21
23
|
- `createVault(...)`
|
|
22
24
|
- `recoverVault(...)`
|
|
23
|
-
- `
|
|
25
|
+
- `createVaultClient(...)`
|
|
24
26
|
- `createAgentClient(...)`
|
|
25
27
|
- `LocalVaultTransport`
|
|
26
28
|
|
|
@@ -51,7 +53,8 @@ Role rules:
|
|
|
51
53
|
|
|
52
54
|
- outside the vault there are only identities
|
|
53
55
|
- inside a vault, identities are bound to roles such as `owner` or `agent`
|
|
54
|
-
- identities are independent
|
|
56
|
+
- root identities are independent
|
|
57
|
+
- child identities may be deterministically derived from a parent identity private key plus a path
|
|
55
58
|
- the same identity may be `owner` in one vault and `agent` in another
|
|
56
59
|
|
|
57
60
|
## Identity Creation
|
|
@@ -65,6 +68,10 @@ Role rules:
|
|
|
65
68
|
|
|
66
69
|
`nickname` is human-readable only. It does not affect the derived `identityId`, cryptographic verification, or vault-local role binding.
|
|
67
70
|
|
|
71
|
+
`restoreIdentity(privateKey)` returns the same shape for an existing private key.
|
|
72
|
+
|
|
73
|
+
`deriveIdentity(parentPrivateKey, path)` returns the same shape for a deterministic child identity.
|
|
74
|
+
|
|
68
75
|
## Secret-Flow Model
|
|
69
76
|
|
|
70
77
|
The current HTTP-facing API supports two explicit secret-flow classes:
|
|
@@ -97,7 +104,7 @@ The runtime does not claim to understand arbitrary network protocols. The API co
|
|
|
97
104
|
Important methods:
|
|
98
105
|
|
|
99
106
|
- `bootstrapOwnerIdentity(...)`
|
|
100
|
-
- `
|
|
107
|
+
- `registerAgent(...)`
|
|
101
108
|
- `writeSecret(...)`
|
|
102
109
|
- `exportSecret(...)`
|
|
103
110
|
- `acquireSecret(...)`
|
|
@@ -119,30 +126,30 @@ await vault.bootstrapOwnerIdentity({
|
|
|
119
126
|
|
|
120
127
|
The runtime treats this first owner as the single vault admin. Additional principals should be modeled as agents plus capabilities rather than extra owners.
|
|
121
128
|
|
|
122
|
-
##
|
|
129
|
+
## Vault Client
|
|
123
130
|
|
|
124
|
-
`clients/owner`
|
|
131
|
+
`clients/owner` currently implements the public vault-management client surface for the identity currently bound to the vault's single admin role.
|
|
125
132
|
|
|
126
|
-
Current
|
|
133
|
+
Current management operations:
|
|
127
134
|
|
|
128
135
|
- `writeSecret(...)`
|
|
129
136
|
- `exportSecret(...)`
|
|
130
|
-
- `
|
|
131
|
-
- `
|
|
132
|
-
- `
|
|
133
|
-
- `
|
|
137
|
+
- `readAudit(...)`
|
|
138
|
+
- `registerAgent(...)`
|
|
139
|
+
- `grantCapability(...)`
|
|
140
|
+
- `registerFlow(...)`
|
|
134
141
|
|
|
135
142
|
Example:
|
|
136
143
|
|
|
137
144
|
```ts
|
|
138
|
-
const
|
|
145
|
+
const client = createVaultClient({ identityId: ownerIdentity.identityId }, vault, ownerSigner, clock);
|
|
139
146
|
|
|
140
|
-
await
|
|
147
|
+
await client.registerAgent({
|
|
141
148
|
agentId: 'agent-1',
|
|
142
149
|
publicKey: agentPublicKey,
|
|
143
150
|
});
|
|
144
151
|
|
|
145
|
-
await
|
|
152
|
+
await client.registerFlow({
|
|
146
153
|
flowId: 'custom-status-read',
|
|
147
154
|
mode: 'send_secret',
|
|
148
155
|
targetUrl: 'https://api.example.com/custom-status',
|
|
@@ -150,7 +157,7 @@ await owner.registerCustomFlow({
|
|
|
150
157
|
responseVisibility: 'shape_only',
|
|
151
158
|
});
|
|
152
159
|
|
|
153
|
-
await
|
|
160
|
+
await client.writeSecret({
|
|
154
161
|
alias: 'api-token',
|
|
155
162
|
plaintext: 'secret-value',
|
|
156
163
|
targetBindings: [
|
|
@@ -163,7 +170,7 @@ await owner.writeSecret({
|
|
|
163
170
|
],
|
|
164
171
|
});
|
|
165
172
|
|
|
166
|
-
const exportedSecret = await
|
|
173
|
+
const exportedSecret = await client.exportSecret({
|
|
167
174
|
alias: 'api-token',
|
|
168
175
|
});
|
|
169
176
|
```
|
|
@@ -202,7 +209,7 @@ const capability = {
|
|
|
202
209
|
issuedAt: new Date().toISOString(),
|
|
203
210
|
};
|
|
204
211
|
|
|
205
|
-
await
|
|
212
|
+
await client.grantCapability({ capability });
|
|
206
213
|
```
|
|
207
214
|
|
|
208
215
|
Custom capability example:
|
|
@@ -220,7 +227,7 @@ const customCapability = {
|
|
|
220
227
|
issuedAt: new Date().toISOString(),
|
|
221
228
|
};
|
|
222
229
|
|
|
223
|
-
await
|
|
230
|
+
await client.grantCapability({ capability: customCapability });
|
|
224
231
|
```
|
|
225
232
|
|
|
226
233
|
## Acquisition Result Shape
|
package/docs/es/README.md
CHANGED
|
@@ -23,7 +23,7 @@ import {
|
|
|
23
23
|
createVault,
|
|
24
24
|
recoverVault,
|
|
25
25
|
LocalVaultTransport,
|
|
26
|
-
|
|
26
|
+
createVaultClient,
|
|
27
27
|
createAgentClient,
|
|
28
28
|
FsStorageProvider,
|
|
29
29
|
} from '@the-ai-company/cbio-node-runtime';
|
|
@@ -39,7 +39,7 @@ import {
|
|
|
39
39
|
Ruta principal recomendada para vault persistente:
|
|
40
40
|
|
|
41
41
|
- crear el vault persistente con `createVault(...)`
|
|
42
|
-
- recuperar el vault persistente con `recoverVault(...)` usando la
|
|
42
|
+
- recuperar el vault persistente con `recoverVault(...)` usando la identidad del owner
|
|
43
43
|
|
|
44
44
|
La API antigua centrada en `CbioIdentity` ya no es la superficie principal del producto.
|
|
45
45
|
|
package/docs/fr/README.md
CHANGED
|
@@ -23,7 +23,7 @@ import {
|
|
|
23
23
|
createVault,
|
|
24
24
|
recoverVault,
|
|
25
25
|
LocalVaultTransport,
|
|
26
|
-
|
|
26
|
+
createVaultClient,
|
|
27
27
|
createAgentClient,
|
|
28
28
|
FsStorageProvider,
|
|
29
29
|
} from '@the-ai-company/cbio-node-runtime';
|
|
@@ -39,7 +39,7 @@ import {
|
|
|
39
39
|
Chemin principal recommande pour un vault persistant :
|
|
40
40
|
|
|
41
41
|
- creer le vault persistant avec `createVault(...)`
|
|
42
|
-
- restaurer le vault persistant avec `recoverVault(...)` via
|
|
42
|
+
- restaurer le vault persistant avec `recoverVault(...)` via l'identite du owner
|
|
43
43
|
|
|
44
44
|
L'ancienne API centree sur `CbioIdentity` n'est plus la surface principale du produit.
|
|
45
45
|
|
package/docs/ja/README.md
CHANGED
|
@@ -23,7 +23,7 @@ import {
|
|
|
23
23
|
createVault,
|
|
24
24
|
recoverVault,
|
|
25
25
|
LocalVaultTransport,
|
|
26
|
-
|
|
26
|
+
createVaultClient,
|
|
27
27
|
createAgentClient,
|
|
28
28
|
FsStorageProvider,
|
|
29
29
|
} from '@the-ai-company/cbio-node-runtime';
|
|
@@ -39,7 +39,7 @@ import {
|
|
|
39
39
|
推奨される persistent-vault の主経路:
|
|
40
40
|
|
|
41
41
|
- `createVault(...)` で persistent vault を作成する
|
|
42
|
-
- `recoverVault(...)` で
|
|
42
|
+
- `recoverVault(...)` で owner identity を使って persistent vault を復旧する
|
|
43
43
|
|
|
44
44
|
旧 `CbioIdentity` 中心 API は、もはや主要な公開面ではありません。
|
|
45
45
|
|
package/docs/ko/README.md
CHANGED
|
@@ -23,7 +23,7 @@ import {
|
|
|
23
23
|
createVault,
|
|
24
24
|
recoverVault,
|
|
25
25
|
LocalVaultTransport,
|
|
26
|
-
|
|
26
|
+
createVaultClient,
|
|
27
27
|
createAgentClient,
|
|
28
28
|
FsStorageProvider,
|
|
29
29
|
} from '@the-ai-company/cbio-node-runtime';
|
|
@@ -39,7 +39,7 @@ import {
|
|
|
39
39
|
권장되는 persistent-vault 주 경로:
|
|
40
40
|
|
|
41
41
|
- `createVault(...)` 로 persistent vault 를 생성합니다
|
|
42
|
-
- `recoverVault(...)` 로
|
|
42
|
+
- `recoverVault(...)` 로 owner identity 를 사용해 persistent vault 를 복구합니다
|
|
43
43
|
|
|
44
44
|
이전 `CbioIdentity` 중심 API 는 더 이상 주요 제품 표면이 아닙니다.
|
|
45
45
|
|
package/docs/pt/README.md
CHANGED
|
@@ -23,7 +23,7 @@ import {
|
|
|
23
23
|
createVault,
|
|
24
24
|
recoverVault,
|
|
25
25
|
LocalVaultTransport,
|
|
26
|
-
|
|
26
|
+
createVaultClient,
|
|
27
27
|
createAgentClient,
|
|
28
28
|
FsStorageProvider,
|
|
29
29
|
} from '@the-ai-company/cbio-node-runtime';
|
|
@@ -39,7 +39,7 @@ import {
|
|
|
39
39
|
Caminho principal recomendado para vault persistente:
|
|
40
40
|
|
|
41
41
|
- criar o vault persistente com `createVault(...)`
|
|
42
|
-
- recuperar o vault persistente com `recoverVault(...)` usando a
|
|
42
|
+
- recuperar o vault persistente com `recoverVault(...)` usando a identidade do owner
|
|
43
43
|
|
|
44
44
|
A antiga API centrada em `CbioIdentity` nao e mais a superficie principal do produto.
|
|
45
45
|
|
package/docs/zh/README.md
CHANGED
|
@@ -23,7 +23,7 @@ import {
|
|
|
23
23
|
createVault,
|
|
24
24
|
recoverVault,
|
|
25
25
|
LocalVaultTransport,
|
|
26
|
-
|
|
26
|
+
createVaultClient,
|
|
27
27
|
createAgentClient,
|
|
28
28
|
FsStorageProvider,
|
|
29
29
|
} from '@the-ai-company/cbio-node-runtime';
|
|
@@ -39,7 +39,7 @@ import {
|
|
|
39
39
|
推荐的持久化主路径:
|
|
40
40
|
|
|
41
41
|
- 通过 `createVault(...)` 创建持久化 vault
|
|
42
|
-
- 通过 `recoverVault(...)` 用
|
|
42
|
+
- 通过 `recoverVault(...)` 用 owner 身份恢复持久化 vault
|
|
43
43
|
|
|
44
44
|
## 构建
|
|
45
45
|
|
package/package.json
CHANGED