@the-ai-company/cbio-node-runtime 1.7.0 → 1.11.0
- package/README.md +18 -10
- package/dist/clients/owner/client.d.ts +11 -11
- package/dist/clients/owner/client.js +31 -31
- package/dist/clients/owner/client.js.map +1 -1
- package/dist/clients/owner/contracts.d.ts +5 -5
- package/dist/clients/owner/index.d.ts +3 -3
- package/dist/clients/owner/index.js +1 -1
- package/dist/protocol/identity.d.ts +2 -2
- package/dist/protocol/identity.js +5 -2
- package/dist/protocol/identity.js.map +1 -1
- package/dist/runtime/bootstrap.d.ts +6 -8
- package/dist/runtime/bootstrap.js +18 -6
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/identity.d.ts +5 -0
- package/dist/runtime/identity.js +84 -6
- package/dist/runtime/identity.js.map +1 -1
- package/dist/runtime/index.d.ts +2 -1
- package/dist/runtime/index.js +2 -1
- package/dist/runtime/index.js.map +1 -1
- package/docs/ARCHITECTURE.md +3 -2
- package/docs/CUSTODY_MODEL.md +4 -29
- package/docs/IDENTITY_MODEL.md +5 -3
- package/docs/REFERENCE.md +21 -17
- package/docs/es/README.md +2 -2
- package/docs/fr/README.md +2 -2
- package/docs/ja/README.md +2 -2
- package/docs/ko/README.md +2 -2
- package/docs/pt/README.md +2 -2
- package/docs/zh/README.md +2 -2
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -48,10 +48,11 @@ import {
|
|
|
48
48
|
createOwnerHttpFlowBoundary,
|
|
49
49
|
createStandardAcquireBoundary,
|
|
50
50
|
createStandardDispatchBoundary,
|
|
51
|
-
|
|
51
|
+
createVaultClient,
|
|
52
52
|
createAgentClient,
|
|
53
53
|
FsStorageProvider,
|
|
54
54
|
LocalVaultTransport,
|
|
55
|
+
LocalSigner,
|
|
55
56
|
} from '@the-ai-company/cbio-node-runtime';
|
|
56
57
|
```
|
|
57
58
|
|
|
@@ -61,6 +62,15 @@ Identity restore example:
|
|
|
61
62
|
const identity = restoreIdentity(existingPrivateKey);
|
|
62
63
|
```
|
|
63
64
|
|
|
65
|
+
Child identity example:
|
|
66
|
+
|
|
67
|
+
```ts
|
|
68
|
+
const rootIdentity = createIdentity({ nickname: 'root' });
|
|
69
|
+
const childIdentity = createIdentity(rootIdentity, {
|
|
70
|
+
nickname: 'worker-1',
|
|
71
|
+
});
|
|
72
|
+
```
|
|
73
|
+
|
|
64
74
|
## Architecture
|
|
65
75
|
|
|
66
76
|
Core terms:
|
|
@@ -76,7 +86,8 @@ Important role rule:
|
|
|
76
86
|
|
|
77
87
|
- outside the vault there are only identities
|
|
78
88
|
- inside a specific vault, those identities may be bound to roles such as `owner` or `agent`
|
|
79
|
-
- identities are independent
|
|
89
|
+
- root identities are independent
|
|
90
|
+
- child identities may be deterministically derived from a parent identity
|
|
80
91
|
|
|
81
92
|
The public runtime surface follows four hard rules:
|
|
82
93
|
|
|
@@ -143,7 +154,7 @@ This package now exposes the production local vault runtime surface as the prima
|
|
|
143
154
|
const ownerIdentity = createIdentity({ nickname: 'owner-main' });
|
|
144
155
|
const agentIdentity = createIdentity({ nickname: 'agent-worker' });
|
|
145
156
|
const vault = createVaultService(createDefaultVaultCoreDependencies());
|
|
146
|
-
const
|
|
157
|
+
const client = createVaultClient({ identityId: ownerIdentity.identityId }, vault, new LocalSigner(ownerIdentity), clock);
|
|
147
158
|
const transport = new LocalVaultTransport(vault, capability.capabilityId);
|
|
148
159
|
const agent = createAgentClient({ agentId: agentIdentity.identityId }, capability, new LocalSigner(agentIdentity), transport, clock);
|
|
149
160
|
```
|
|
@@ -162,13 +173,13 @@ const capability = {
|
|
|
162
173
|
issuedAt: new Date().toISOString(),
|
|
163
174
|
};
|
|
164
175
|
|
|
165
|
-
await
|
|
176
|
+
await client.grantCapability({ capability });
|
|
166
177
|
```
|
|
167
178
|
|
|
168
179
|
Custom flow example:
|
|
169
180
|
|
|
170
181
|
```ts
|
|
171
|
-
await
|
|
182
|
+
await client.registerFlow({
|
|
172
183
|
flowId: 'custom-status-read',
|
|
173
184
|
...createOwnerHttpFlowBoundary({
|
|
174
185
|
mode: 'send_secret',
|
|
@@ -199,7 +210,7 @@ const acquired = await vault.acquireSecret({
|
|
|
199
210
|
console.log(acquired.responseShape);
|
|
200
211
|
// { token_type: 'Bearer', expires_in: 3600, scope: 'read write' }
|
|
201
212
|
|
|
202
|
-
const exported = await
|
|
213
|
+
const exported = await client.exportSecret({
|
|
203
214
|
alias: 'issuer-token',
|
|
204
215
|
});
|
|
205
216
|
|
|
@@ -216,12 +227,9 @@ const createdVault = await createVault(storage, {
|
|
|
216
227
|
ownerIdentity,
|
|
217
228
|
});
|
|
218
229
|
|
|
219
|
-
// Show once to the owner and let them store it offline.
|
|
220
|
-
console.log(createdVault.initializedCustody.vaultRecoveryKey);
|
|
221
|
-
|
|
222
230
|
const recoveredVault = await recoverVault(storage, {
|
|
223
231
|
vaultId: 'vault-persistent',
|
|
224
|
-
|
|
232
|
+
ownerIdentity,
|
|
225
233
|
});
|
|
226
234
|
```
|
|
227
235
|
|
|
@@ -1,19 +1,19 @@
|
|
|
1
1
|
import type { Clock } from "../../vault-core/index.js";
|
|
2
2
|
import type { VaultService } from "../../vault-ingress/index.js";
|
|
3
|
-
import type {
|
|
4
|
-
export interface
|
|
5
|
-
|
|
3
|
+
import type { VaultAuditQueryInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerWriteSecretInput } from "./contracts.js";
|
|
4
|
+
export interface VaultIdentity {
|
|
5
|
+
identityId: string;
|
|
6
6
|
}
|
|
7
|
-
export interface
|
|
7
|
+
export interface VaultSigner {
|
|
8
8
|
getPublicKey(): Promise<string>;
|
|
9
9
|
sign(input: string): Promise<string>;
|
|
10
10
|
}
|
|
11
|
-
export interface
|
|
11
|
+
export interface VaultClient {
|
|
12
12
|
writeSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
|
|
13
|
-
exportSecret(input:
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
13
|
+
exportSecret(input: VaultExportSecretInput): Promise<import("../../vault-core/index.js").OwnerSecretExport>;
|
|
14
|
+
grantCapability(input: VaultGrantCapabilityInput): Promise<void>;
|
|
15
|
+
readAudit(query?: VaultAuditQueryInput): Promise<readonly import("../../vault-core/index.js").AuditEntry[]>;
|
|
16
|
+
registerAgent(input: VaultRegisterAgentInput): Promise<void>;
|
|
17
|
+
registerFlow(input: VaultRegisterFlowInput): Promise<void>;
|
|
18
18
|
}
|
|
19
|
-
export declare function
|
|
19
|
+
export declare function createVaultClient(identity: VaultIdentity, vault: VaultService, signer: VaultSigner, clock: Clock): VaultClient;
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class
|
|
1
|
+
class DefaultVaultClient {
|
|
2
2
|
_identity;
|
|
3
3
|
_vault;
|
|
4
4
|
_signer;
|
|
@@ -11,11 +11,11 @@ class DefaultOwnerClient {
|
|
|
11
11
|
}
|
|
12
12
|
async writeSecret(input) {
|
|
13
13
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
14
|
-
const requestId = `${this._identity.
|
|
14
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:write_secret`;
|
|
15
15
|
const signature = await this._signer.sign(JSON.stringify({
|
|
16
16
|
requestId,
|
|
17
17
|
requestedAt,
|
|
18
|
-
ownerId: this._identity.
|
|
18
|
+
ownerId: this._identity.identityId,
|
|
19
19
|
alias: input.alias,
|
|
20
20
|
plaintext: input.plaintext,
|
|
21
21
|
targetBindings: input.targetBindings,
|
|
@@ -26,40 +26,40 @@ class DefaultOwnerClient {
|
|
|
26
26
|
requestId,
|
|
27
27
|
owner: {
|
|
28
28
|
kind: "owner",
|
|
29
|
-
id: this._identity.
|
|
29
|
+
id: this._identity.identityId,
|
|
30
30
|
},
|
|
31
31
|
alias: input.alias,
|
|
32
32
|
plaintext: input.plaintext,
|
|
33
33
|
targetBindings: input.targetBindings,
|
|
34
34
|
requestedAt,
|
|
35
35
|
proof: {
|
|
36
|
-
ownerId: this._identity.
|
|
36
|
+
ownerId: this._identity.identityId,
|
|
37
37
|
signature,
|
|
38
38
|
requestId,
|
|
39
39
|
requestedAt,
|
|
40
40
|
},
|
|
41
41
|
});
|
|
42
42
|
}
|
|
43
|
-
async
|
|
43
|
+
async readAudit(query = {}) {
|
|
44
44
|
const requestedAt = this._clock.nowIso();
|
|
45
|
-
const requestId = `${this._identity.
|
|
45
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:read_audit`;
|
|
46
46
|
const signature = await this._signer.sign(JSON.stringify({
|
|
47
47
|
requestId,
|
|
48
48
|
requestedAt,
|
|
49
|
-
ownerId: this._identity.
|
|
49
|
+
ownerId: this._identity.identityId,
|
|
50
50
|
query,
|
|
51
51
|
}));
|
|
52
52
|
return this._vault.readAudit({
|
|
53
53
|
vaultId: this._vault.vaultId,
|
|
54
54
|
actor: {
|
|
55
55
|
kind: "owner",
|
|
56
|
-
id: this._identity.
|
|
56
|
+
id: this._identity.identityId,
|
|
57
57
|
},
|
|
58
58
|
query,
|
|
59
59
|
requestId,
|
|
60
60
|
requestedAt,
|
|
61
61
|
proof: {
|
|
62
|
-
ownerId: this._identity.
|
|
62
|
+
ownerId: this._identity.identityId,
|
|
63
63
|
signature,
|
|
64
64
|
requestId,
|
|
65
65
|
requestedAt,
|
|
@@ -68,33 +68,33 @@ class DefaultOwnerClient {
|
|
|
68
68
|
}
|
|
69
69
|
async exportSecret(input) {
|
|
70
70
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
71
|
-
const requestId = `${this._identity.
|
|
71
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:export_secret`;
|
|
72
72
|
const signature = await this._signer.sign(JSON.stringify({
|
|
73
73
|
requestId,
|
|
74
74
|
requestedAt,
|
|
75
|
-
ownerId: this._identity.
|
|
75
|
+
ownerId: this._identity.identityId,
|
|
76
76
|
alias: input.alias,
|
|
77
77
|
}));
|
|
78
78
|
return this._vault.exportSecret({
|
|
79
79
|
vaultId: this._vault.vaultId,
|
|
80
80
|
actor: {
|
|
81
81
|
kind: "owner",
|
|
82
|
-
id: this._identity.
|
|
82
|
+
id: this._identity.identityId,
|
|
83
83
|
},
|
|
84
84
|
alias: input.alias,
|
|
85
85
|
requestId,
|
|
86
86
|
requestedAt,
|
|
87
87
|
proof: {
|
|
88
|
-
ownerId: this._identity.
|
|
88
|
+
ownerId: this._identity.identityId,
|
|
89
89
|
signature,
|
|
90
90
|
requestId,
|
|
91
91
|
requestedAt,
|
|
92
92
|
},
|
|
93
93
|
});
|
|
94
94
|
}
|
|
95
|
-
async
|
|
95
|
+
async registerAgent(input) {
|
|
96
96
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
97
|
-
const requestId = `${this._identity.
|
|
97
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.agentId}:register_agent_identity`;
|
|
98
98
|
const agentIdentity = {
|
|
99
99
|
vaultId: this._vault.vaultId,
|
|
100
100
|
agentId: input.agentId,
|
|
@@ -103,7 +103,7 @@ class DefaultOwnerClient {
|
|
|
103
103
|
const signature = await this._signer.sign(JSON.stringify({
|
|
104
104
|
requestId,
|
|
105
105
|
requestedAt,
|
|
106
|
-
ownerId: this._identity.
|
|
106
|
+
ownerId: this._identity.identityId,
|
|
107
107
|
agentIdentity,
|
|
108
108
|
}));
|
|
109
109
|
await this._vault.registerAgentIdentity({
|
|
@@ -111,21 +111,21 @@ class DefaultOwnerClient {
|
|
|
111
111
|
requestId,
|
|
112
112
|
owner: {
|
|
113
113
|
kind: "owner",
|
|
114
|
-
id: this._identity.
|
|
114
|
+
id: this._identity.identityId,
|
|
115
115
|
},
|
|
116
116
|
agentIdentity,
|
|
117
117
|
requestedAt,
|
|
118
118
|
proof: {
|
|
119
|
-
ownerId: this._identity.
|
|
119
|
+
ownerId: this._identity.identityId,
|
|
120
120
|
signature,
|
|
121
121
|
requestId,
|
|
122
122
|
requestedAt,
|
|
123
123
|
},
|
|
124
124
|
});
|
|
125
125
|
}
|
|
126
|
-
async
|
|
126
|
+
async grantCapability(input) {
|
|
127
127
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
128
|
-
const requestId = `${this._identity.
|
|
128
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.capability.capabilityId}:register_capability`;
|
|
129
129
|
const capability = {
|
|
130
130
|
...input.capability,
|
|
131
131
|
vaultId: this._vault.vaultId,
|
|
@@ -133,7 +133,7 @@ class DefaultOwnerClient {
|
|
|
133
133
|
const signature = await this._signer.sign(JSON.stringify({
|
|
134
134
|
requestId,
|
|
135
135
|
requestedAt,
|
|
136
|
-
ownerId: this._identity.
|
|
136
|
+
ownerId: this._identity.identityId,
|
|
137
137
|
capability,
|
|
138
138
|
}));
|
|
139
139
|
await this._vault.registerCapability({
|
|
@@ -141,21 +141,21 @@ class DefaultOwnerClient {
|
|
|
141
141
|
requestId,
|
|
142
142
|
owner: {
|
|
143
143
|
kind: "owner",
|
|
144
|
-
id: this._identity.
|
|
144
|
+
id: this._identity.identityId,
|
|
145
145
|
},
|
|
146
146
|
capability,
|
|
147
147
|
requestedAt,
|
|
148
148
|
proof: {
|
|
149
|
-
ownerId: this._identity.
|
|
149
|
+
ownerId: this._identity.identityId,
|
|
150
150
|
signature,
|
|
151
151
|
requestId,
|
|
152
152
|
requestedAt,
|
|
153
153
|
},
|
|
154
154
|
});
|
|
155
155
|
}
|
|
156
|
-
async
|
|
156
|
+
async registerFlow(input) {
|
|
157
157
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
158
|
-
const requestId = `${this._identity.
|
|
158
|
+
const requestId = `${this._identity.identityId}:${requestedAt}:${input.flowId}:register_custom_flow`;
|
|
159
159
|
const flow = {
|
|
160
160
|
flowId: input.flowId,
|
|
161
161
|
mode: input.mode,
|
|
@@ -167,7 +167,7 @@ class DefaultOwnerClient {
|
|
|
167
167
|
const signature = await this._signer.sign(JSON.stringify({
|
|
168
168
|
requestId,
|
|
169
169
|
requestedAt,
|
|
170
|
-
ownerId: this._identity.
|
|
170
|
+
ownerId: this._identity.identityId,
|
|
171
171
|
flow,
|
|
172
172
|
}));
|
|
173
173
|
await this._vault.registerCustomFlow({
|
|
@@ -175,12 +175,12 @@ class DefaultOwnerClient {
|
|
|
175
175
|
requestId,
|
|
176
176
|
owner: {
|
|
177
177
|
kind: "owner",
|
|
178
|
-
id: this._identity.
|
|
178
|
+
id: this._identity.identityId,
|
|
179
179
|
},
|
|
180
180
|
flow,
|
|
181
181
|
requestedAt,
|
|
182
182
|
proof: {
|
|
183
|
-
ownerId: this._identity.
|
|
183
|
+
ownerId: this._identity.identityId,
|
|
184
184
|
signature,
|
|
185
185
|
requestId,
|
|
186
186
|
requestedAt,
|
|
@@ -188,7 +188,7 @@ class DefaultOwnerClient {
|
|
|
188
188
|
});
|
|
189
189
|
}
|
|
190
190
|
}
|
|
191
|
-
export function
|
|
192
|
-
return new
|
|
191
|
+
export function createVaultClient(identity, vault, signer, clock) {
|
|
192
|
+
return new DefaultVaultClient(identity, vault, signer, clock);
|
|
193
193
|
}
|
|
194
194
|
//# sourceMappingURL=client.js.map
|
|
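Review bot: The object signed in exportSecret (`requestId`, `requestedAt`, `ownerId`, `alias` at the `this._signer.sign(JSON.stringify({...}))` call) does not include `vaultId`, yet `vaultId: this._vault.vaultId` is then passed unsigned to `this._vault.exportSecret`; readAudit has the same shape. Unless the vault side binds the proof to its own id by some means not visible here, a proof signed for one vault can be presented to any other vault that trusts the same owner key, and the `requestId` string does not distinguish vaults either. registerAgent and grantCapability are not exposed this way because `agentIdentity` and `capability` carry `vaultId` inside the signed object; writeSecret's signed object is cut by the hunk boundary so I cannot confirm it there. Adding `vaultId: this._vault.vaultId,` to each signed object and to the `requestId` prefix closes this at the client; the verifier presumably reconstructs the same JSON and would need the matching change.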
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QAC5F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAA8B,EAAE;QAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,aAAa,CAAC;QAC3E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU
,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAC7F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAA8B;QAChD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACzG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAgC;QACpD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,sBAAsB,CAAC;QACrH,MAAM,UAAU,GAAG;YACjB,GAAG,KAAK,CAAC,UAAU;YACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,UAAU;SACX,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,E
AAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,UAAU;YACV,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QACrG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,KAAmB,EACnB,MAAmB,EACnB,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC"}
|
|
@@ -12,26 +12,26 @@ export interface OwnerWriteSecretInput {
|
|
|
12
12
|
targetBindings: readonly OwnerSecretTargetBinding[];
|
|
13
13
|
requestedAt?: string;
|
|
14
14
|
}
|
|
15
|
-
export interface
|
|
15
|
+
export interface VaultAuditQueryInput {
|
|
16
16
|
actorId?: string;
|
|
17
17
|
secretAlias?: string;
|
|
18
18
|
requestId?: string;
|
|
19
19
|
since?: string;
|
|
20
20
|
}
|
|
21
|
-
export interface
|
|
21
|
+
export interface VaultExportSecretInput {
|
|
22
22
|
alias: string;
|
|
23
23
|
requestedAt?: string;
|
|
24
24
|
}
|
|
25
|
-
export interface
|
|
25
|
+
export interface VaultRegisterAgentInput {
|
|
26
26
|
agentId: string;
|
|
27
27
|
publicKey: string;
|
|
28
28
|
requestedAt?: string;
|
|
29
29
|
}
|
|
30
|
-
export interface
|
|
30
|
+
export interface VaultRegisterFlowInput extends OwnerHttpFlowBoundary {
|
|
31
31
|
flowId: string;
|
|
32
32
|
requestedAt?: string;
|
|
33
33
|
}
|
|
34
|
-
export interface
|
|
34
|
+
export interface VaultGrantCapabilityInput {
|
|
35
35
|
capability: import("../../vault-core/index.js").AgentCapability;
|
|
36
36
|
requestedAt?: string;
|
|
37
37
|
}
|
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
export {
|
|
2
|
-
export type {
|
|
3
|
-
export type {
|
|
1
|
+
export { createVaultClient } from "./client.js";
|
|
2
|
+
export type { VaultClient, VaultIdentity, VaultSigner, } from "./client.js";
|
|
3
|
+
export type { VaultAuditQueryInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerSecretTargetBinding, OwnerWriteSecretInput, } from "./contracts.js";
|
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
export {
|
|
1
|
+
export { createVaultClient } from "./client.js";
|
|
2
2
|
//# sourceMappingURL=index.js.map
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
* Claw-biometric Core Identity. Runtime utilities over protocol primitives.
|
|
3
3
|
* getVaultPath (runtime). Re-exports protocol for consumers.
|
|
4
4
|
*/
|
|
5
|
-
import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
|
|
6
5
|
import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
|
|
7
|
-
export {
|
|
6
|
+
export { getChildIdentitySecretName, CHILD_KEY_PREFIX };
|
|
7
|
+
export declare function deriveIdentityId(publicKey: string): string;
|
|
8
8
|
export declare function getVaultPath(publicKey: string): string;
|
|
@@ -5,9 +5,12 @@
|
|
|
5
5
|
import * as os from 'node:os';
|
|
6
6
|
import * as path from 'node:path';
|
|
7
7
|
import * as crypto from 'node:crypto';
|
|
8
|
-
import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
|
|
8
|
+
import { deriveRootAgentId as protocolDeriveIdentityId } from '@the-ai-company/cbio-protocol';
|
|
9
9
|
import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
|
|
10
|
-
export {
|
|
10
|
+
export { getChildIdentitySecretName, CHILD_KEY_PREFIX };
|
|
11
|
+
export function deriveIdentityId(publicKey) {
|
|
12
|
+
return protocolDeriveIdentityId(publicKey);
|
|
13
|
+
}
|
|
11
14
|
export function getVaultPath(publicKey) {
|
|
12
15
|
const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
|
|
13
16
|
const baseDir = process.env.C_BIO_VAULT_DIR || path.join(os.homedir(), '.c-bio');
|
|
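Review bot: `deriveIdentityId` is a new exported function with no comment, so a reader cannot tell whether the id is meant to be a stable, protocol-defined value or just a local alias introduced for the rename. Suggest `/** Identity id for a public key, as defined by the protocol's deriveRootAgentId; kept as a runtime re-export so callers do not depend on that name. */` above the function. Whether the public key is validated before derivation is up to the protocol function, which is not visible here, so the comment should not promise any format checking.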
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,IAAI,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAC9F,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAExD,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAC9C,OAAO,wBAAwB,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;AACnD,CAAC"}
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import { type CreatePersistentVaultCoreDependenciesOptions, type
|
|
1
|
+
import { type CreatePersistentVaultCoreDependenciesOptions, type VaultCore } from "../vault-core/index.js";
|
|
2
2
|
import { type VaultService, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
|
|
3
3
|
import type { IStorageProvider } from "../storage/provider.js";
|
|
4
4
|
import type { CreatedIdentity } from "./identity.js";
|
|
5
|
-
export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
|
|
6
|
-
|
|
5
|
+
export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey" | "vaultId"> {
|
|
6
|
+
vaultId?: string;
|
|
7
7
|
ownerIdentity: CreatedIdentity;
|
|
8
8
|
vault?: {
|
|
9
9
|
customFlows?: VaultCustomFlowResolver;
|
|
@@ -11,20 +11,18 @@ export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDepend
|
|
|
11
11
|
};
|
|
12
12
|
}
|
|
13
13
|
export interface CreatedVault {
|
|
14
|
-
initializedCustody: InitializedVaultCustody;
|
|
15
14
|
core: VaultCore;
|
|
16
15
|
vault: VaultService;
|
|
17
16
|
}
|
|
18
|
-
export interface RecoverVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
|
|
19
|
-
|
|
20
|
-
|
|
17
|
+
export interface RecoverVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey" | "vaultId"> {
|
|
18
|
+
vaultId: string;
|
|
19
|
+
ownerIdentity: CreatedIdentity;
|
|
21
20
|
vault?: {
|
|
22
21
|
customFlows?: VaultCustomFlowResolver;
|
|
23
22
|
fetchImpl?: typeof fetch;
|
|
24
23
|
};
|
|
25
24
|
}
|
|
26
25
|
export interface RecoveredVault {
|
|
27
|
-
vaultWorkingKey: string;
|
|
28
26
|
core: VaultCore;
|
|
29
27
|
vault: VaultService;
|
|
30
28
|
}
|
|
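Review bot: `RecoverVaultOptions` now requires `ownerIdentity: CreatedIdentity` and `RecoveredVault`/`CreatedVault` lose `vaultWorkingKey` and `initializedCustody`, which means the owner's private key has become the only recovery credential, but neither interface documents that. Suggest a doc comment on `ownerIdentity` in both option types, e.g. `/** Must carry privateKey: the vault working key is derived from it (see bootstrap.js), so losing this identity means losing access to the vault. */`, and a note on `CreateVaultOptions.vaultId` that the id becomes an input to the key derivation and therefore cannot change after creation.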
@@ -1,11 +1,24 @@
|
|
|
1
|
+
import crypto from "node:crypto";
|
|
1
2
|
import { createVaultCore } from "../vault-core/core.js";
|
|
2
|
-
import { createPersistentVaultCoreDependencies,
|
|
3
|
+
import { createPersistentVaultCoreDependencies, } from "../vault-core/index.js";
|
|
3
4
|
import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
|
|
5
|
+
function deriveVaultWorkingKey(privateKey, vaultId) {
|
|
6
|
+
return crypto
|
|
7
|
+
.createHash("sha256")
|
|
8
|
+
.update("cbio:vault-working-key:v1")
|
|
9
|
+
.update("\n")
|
|
10
|
+
.update(vaultId)
|
|
11
|
+
.update("\n")
|
|
12
|
+
.update(privateKey)
|
|
13
|
+
.digest("base64url");
|
|
14
|
+
}
|
|
4
15
|
export async function createVault(storage, options) {
|
|
5
|
-
const
|
|
16
|
+
const vaultId = options.vaultId ?? `vault_${crypto.randomUUID()}`;
|
|
17
|
+
const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, vaultId);
|
|
6
18
|
const deps = createPersistentVaultCoreDependencies(storage, {
|
|
7
19
|
...options,
|
|
8
|
-
|
|
20
|
+
vaultId,
|
|
21
|
+
vaultWorkingKey,
|
|
9
22
|
});
|
|
10
23
|
const core = createVaultCore(deps);
|
|
11
24
|
const bootstrapOwner = {
|
|
@@ -15,20 +28,19 @@ export async function createVault(storage, options) {
|
|
|
15
28
|
};
|
|
16
29
|
await core.bootstrapOwnerIdentity(bootstrapOwner);
|
|
17
30
|
return {
|
|
18
|
-
initializedCustody,
|
|
19
31
|
core,
|
|
20
32
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
21
33
|
};
|
|
22
34
|
}
|
|
23
35
|
export async function recoverVault(storage, options) {
|
|
24
|
-
const vaultWorkingKey =
|
|
36
|
+
const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, options.vaultId);
|
|
25
37
|
const deps = createPersistentVaultCoreDependencies(storage, {
|
|
26
38
|
...options,
|
|
39
|
+
vaultId: options.vaultId,
|
|
27
40
|
vaultWorkingKey,
|
|
28
41
|
});
|
|
29
42
|
const core = createVaultCore(deps);
|
|
30
43
|
return {
|
|
31
|
-
vaultWorkingKey,
|
|
32
44
|
core,
|
|
33
45
|
vault: wrapVaultCoreAsVaultService(core, options.vault),
|
|
34
46
|
};
|
|
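Review bot: `deriveVaultWorkingKey` makes the working key a deterministic SHA-256 of a label, `vaultId` and the owner's private key, so whatever the working key protects (presumably the vault's at-rest encryption) now falls with the owner identity key alone, and the separate recovery key the previous version returned as `initializedCustody` is gone without any comment explaining the new custody model. At minimum `createVault` and `recoverVault` need a doc comment stating that the owner's `privateKey` is the sole recovery credential and that the working key cannot be rotated independently of the identity. The construction should also use the purpose-built KDF instead of a newline-delimited hash, since `vaultId` is caller-supplied (`options.vaultId`) and nothing rejects embedded newlines, so the encoding of the two inputs is not unambiguous: `return Buffer.from(crypto.hkdfSync("sha256", privateKey, vaultId, "cbio:vault-working-key:v1", 32)).toString("base64url");`. That changes the derived key for vaults already created by this version, so it needs a new label or a migration path.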
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,
|
|
1
|
+
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AAInC,SAAS,qBAAqB,CAAC,UAAkB,EAAE,OAAe;IAChE,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,2BAA2B,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AA8BD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAyB,EACzB,OAA2B;IAE3B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACzF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAClD,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAyB,EACzB,OAA4B;IAE5B,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjG,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
export interface CreatedIdentity {
|
|
2
2
|
identityId: string;
|
|
3
3
|
nickname?: string;
|
|
4
|
+
parentIdentityId?: string;
|
|
4
5
|
publicKey: string;
|
|
5
6
|
privateKey: string;
|
|
6
7
|
}
|
|
@@ -10,5 +11,9 @@ export interface CreateIdentityOptions {
|
|
|
10
11
|
export interface RestoreIdentityOptions {
|
|
11
12
|
nickname?: string;
|
|
12
13
|
}
|
|
14
|
+
export interface DeriveIdentityOptions {
|
|
15
|
+
nickname?: string;
|
|
16
|
+
}
|
|
17
|
+
export declare function createIdentity(parent?: CreatedIdentity | string, options?: CreateIdentityOptions): CreatedIdentity;
|
|
13
18
|
export declare function createIdentity(options?: CreateIdentityOptions): CreatedIdentity;
|
|
14
19
|
export declare function restoreIdentity(privateKey: string, options?: RestoreIdentityOptions): CreatedIdentity;
|
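Review bot: The new overload `createIdentity(parent?: CreatedIdentity | string, options?: CreateIdentityOptions)` leaves the `DeriveIdentityOptions` interface declared just above it unused, and its optional `parent` lets `createIdentity(undefined, { nickname })` type-check, a call that identity.js in this same release answers with a root identity whose `maybeOptions` are discarded, so the nickname is silently lost. I would make the parent required and use the dedicated options type: `export declare function createIdentity(parent: CreatedIdentity | string, options?: DeriveIdentityOptions): CreatedIdentity;`. The declaration also needs a TSDoc line saying that a string argument is taken to be the parent's private key (that is what `toParentPrivateKey` does), not its identity id, because this is the one place in the public surface where a raw private key is accepted positionally and a caller passing `rootIdentity.identityId` by mistake will not get a type error.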
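--- a/package/dist/runtime/identity.js
+++ b/package/dist/runtime/identity.js
@@ -1,30 +1,108 @@
+import { createHmac, createPrivateKey, createPublicKey, randomBytes } from "node:crypto";
 import { derivePublicKey, generateIdentityKeys } from "../protocol/crypto.js";
-import {
-
+import { deriveIdentityId } from "../protocol/identity.js";
+const ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
+const ED25519_SEED_LENGTH = 32;
+function normalizeNickname(nickname) {
+return nickname?.trim() ? nickname.trim() : undefined;
+}
+function decodeEd25519Seed(privateKey) {
+const der = Buffer.from(privateKey, "base64url");
+if (der.length !== ED25519_PKCS8_PREFIX.length + ED25519_SEED_LENGTH ||
+!der.subarray(0, ED25519_PKCS8_PREFIX.length).equals(ED25519_PKCS8_PREFIX)) {
+throw new Error("unsupported private key format");
+}
+return der.subarray(ED25519_PKCS8_PREFIX.length);
+}
+function encodeEd25519PrivateKey(seed) {
+return Buffer.concat([ED25519_PKCS8_PREFIX, seed]).toString("base64url");
+}
+function toParentPrivateKey(parent) {
+if (!parent) {
+return undefined;
+}
+return typeof parent === "string" ? parent.trim() : parent.privateKey.trim();
+}
+function createRootIdentity(options = {}) {
 const keyPair = generateIdentityKeys();
 if (!keyPair.publicKey || !keyPair.privateKey) {
 throw new Error("identity generation failed");
 }
-const nickname =
+const nickname = normalizeNickname(options.nickname);
 return {
-identityId:
+identityId: deriveIdentityId(keyPair.publicKey),
 nickname,
 publicKey: keyPair.publicKey,
 privateKey: keyPair.privateKey,
 };
 }
+export function createIdentity(parentOrOptions, maybeOptions = {}) {
+const hasParent = typeof parentOrOptions === "string" ||
+(typeof parentOrOptions === "object" &&
+parentOrOptions !== null &&
+"privateKey" in parentOrOptions);
+if (!hasParent) {
+return createRootIdentity(parentOrOptions ?? {});
+}
+const parentPrivateKey = toParentPrivateKey(parentOrOptions);
+if (!parentPrivateKey) {
+return createRootIdentity(maybeOptions);
+}
+const nickname = normalizeNickname(maybeOptions.nickname);
+const relationId = randomBytes(16).toString("base64url");
+const childIdentity = deriveIdentity(parentPrivateKey, relationId, { nickname });
+const parentIdentity = typeof parentOrOptions === "string"
+? restoreIdentity(parentPrivateKey)
+: parentOrOptions;
+return {
+...childIdentity,
+parentIdentityId: parentIdentity.identityId,
+};
+}
 export function restoreIdentity(privateKey, options = {}) {
 const normalizedPrivateKey = privateKey.trim();
 if (!normalizedPrivateKey) {
 throw new Error("private key is required");
 }
 const publicKey = derivePublicKey(normalizedPrivateKey);
-const nickname =
+const nickname = normalizeNickname(options.nickname);
 return {
-identityId:
+identityId: deriveIdentityId(publicKey),
 nickname,
 publicKey,
 privateKey: normalizedPrivateKey,
 };
 }
+function deriveIdentity(parentPrivateKey, relationId, options = {}) {
+const normalizedParentPrivateKey = parentPrivateKey.trim();
+const normalizedRelationId = relationId.trim();
+if (!normalizedParentPrivateKey) {
+throw new Error("parent private key is required");
+}
+if (!normalizedRelationId) {
+throw new Error("relationId is required");
+}
+const parentSeed = decodeEd25519Seed(normalizedParentPrivateKey);
+const childSeed = createHmac("sha256", parentSeed)
+.update("cbio:identity:child:v1")
+.update("\0")
+.update(normalizedRelationId)
+.digest();
+const privateKey = encodeEd25519PrivateKey(childSeed);
+const privateKeyObject = createPrivateKey({
+key: Buffer.from(privateKey, "base64url"),
+format: "der",
+type: "pkcs8",
+});
+const publicKey = Buffer.from(createPublicKey(privateKeyObject).export({
+type: "spki",
+format: "der",
+})).toString("base64url");
+return {
+identityId: deriveIdentityId(publicKey),
+nickname: normalizeNickname(options.nickname),
+publicKey,
+privateKey,
+};
+}
 //# sourceMappingURL=identity.js.map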
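Review bot: In `createIdentity` (new lines 47–50), a parent whose private key is empty or whitespace-only silently falls back to `createRootIdentity(maybeOptions)`, so the caller receives an unrelated root identity with no `parentIdentityId` instead of an error, while `restoreIdentity` throws for the same input; the derivation path should fail the same way: `if (!parentPrivateKey) { throw new Error("parent private key is required"); }`. The child is also not reproducible from the parent: `relationId` is fresh `randomBytes(16)` output that is neither accepted as input nor returned, so the "deterministically derived from a parent identity private key plus a path" wording added to ARCHITECTURE.md, IDENTITY_MODEL.md and REFERENCE.md in this same diff does not hold for the public API — either return the relation id next to `parentIdentityId` (and accept one in the options) or document that a child identity can only be restored from its own private key. When the parent is passed as an object, `parentIdentityId` is copied from the caller-supplied `identityId` rather than recomputed from the key material; using `restoreIdentity(parentPrivateKey).identityId` in both branches would bind the field to the key that actually signed the derivation. As a style point, `deriveIdentity` from line 92 on re-implements what `restoreIdentity` already does, so `return restoreIdentity(privateKey, options);` would remove the hand-rolled PKCS#8/SPKI export, assuming `derivePublicKey` yields the same SPKI base64url encoding (not visible here).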
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAsB3D,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;AACpF,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,SAAS,iBAAiB,CAAC,QAAiB;IAC1C,OAAO,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACjD,IACE,GAAG,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,GAAG,mBAAmB;QAChE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAC1E,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAiC;IAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAiC,EAAE;IAC7D,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC;QAC/C,QAAQ;QACR,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAID,MAAM,UAAU,cAAc,CAC5B,eAAkE,EAClE,eAAsC,EAAE;IAExC,MAAM,SAAS,GACb,OAAO,eAAe,KAAK,QAAQ;QACnC,CAAC,OAAO,eAAe,KAAK,QAAQ;YAClC,eAAe,KAAK,IAAI;YACxB,YAAY,IAAI,eAAe,CAAC,CAAC;IAErC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,kBAAkB,CAAE,eAAqD,IAAI,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,eAA2C,CAAC,CAAC;IACzF,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OA
AO,kBAAkB,CAAC,YAAY,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,QAAQ,GAAG,iBAAiB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,cAAc,CAAC,gBAAgB,EAAE,UAAU,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjF,MAAM,cAAc,GAAG,OAAO,eAAe,KAAK,QAAQ;QACxD,CAAC,CAAC,eAAe,CAAC,gBAAgB,CAAC;QACnC,CAAC,CAAC,eAAkC,CAAC;IAEvC,OAAO;QACL,GAAG,aAAa;QAChB,gBAAgB,EAAE,cAAc,CAAC,UAAU;KAC5C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,UAAkC,EAAE;IACtF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,oBAAoB;KACjC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,gBAAwB,EACxB,UAAkB,EAClB,UAAiC,EAAE;IAEnC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC3D,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,0BAA0B,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,0BAA0B,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,wBAAwB,CAAC;SAChC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,oBAAoB,CAAC;SAC5B,MAAM,EAAE,CAAC;IAEZ,MAAM,UAAU,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;QACxC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC;QACzC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAC3B,eAAe,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC;QACvC,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,KAAK;KACd,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExB,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ,EAAE,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC7C,SAAS;QACT,UAAU;KACX,CAAC;AACJ,CAAC"}
|
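--- a/package/dist/runtime/index.d.ts
+++ b/package/dist/runtime/index.d.ts
@@ -4,13 +4,14 @@
 */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
 export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
+export { deriveIdentityId } from "../protocol/identity.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
 export { createIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type CreatedIdentity, } from "./identity.js";
 export { createVault, recoverVault, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
 export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
-export {
+export { createVaultClient, type VaultClient, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
 export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
 export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
 export { LocalVaultTransport, } from "../vault-ingress/defaults.js";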
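Review bot: The unchanged `./identity.js` re-export line (new line 11) still lists only `CreateIdentityOptions`, `RestoreIdentityOptions` and `CreatedIdentity`, while identity.d.ts in this same diff adds an exported `DeriveIdentityOptions` that no exported signature references (the new `createIdentity` overload takes `CreateIdentityOptions`). Either re-export it here alongside the other option types, `type DeriveIdentityOptions,`, or drop it from identity.d.ts so the public surface does not carry a dead type.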
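--- a/package/dist/runtime/index.js
+++ b/package/dist/runtime/index.js
@@ -4,12 +4,13 @@
 */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
 export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
+export { deriveIdentityId } from "../protocol/identity.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
 export { createIdentity, restoreIdentity, } from "./identity.js";
 export { createVault, recoverVault, } from "./bootstrap.js";
 export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
-export {
+export { createVaultClient, } from "../clients/owner/index.js";
 export { createAgentClient, } from "../clients/agent/index.js";
 export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
 export { LocalVaultTransport, } from "../vault-ingress/defaults.js";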
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,eAAe,GAIhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,WAAW,EACX,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
|
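--- a/package/docs/ARCHITECTURE.md
+++ b/package/docs/ARCHITECTURE.md
@@ -10,7 +10,7 @@ Related design note:
 Recommended persistent-vault lifecycle:
 
 - create through `createVault(...)`
-- recover through `recoverVault(...)`
+- recover through `recoverVault(...)` using the owner's identity
 
 ## Identity And Roles
 
@@ -27,7 +27,8 @@ This means:
 
 - outside the vault there are only identities
 - inside a specific vault, identities are bound to roles such as `owner` or `agent`
-- identities are independent
+- root identities are independent
+- child identities may be deterministically derived from a parent identity private key plus a path
 - an identity may be the `owner` of one vault and an `agent` in another vault
 
 ## Public Modules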
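--- a/package/docs/CUSTODY_MODEL.md
+++ b/package/docs/CUSTODY_MODEL.md
@@ -65,36 +65,14 @@ Non-purpose:
 - not a user-facing day-to-day API credential
 - not the preferred recovery artifact presented to the owner
 
-### `vaultRecoveryKey`
-
-The owner-held recovery artifact.
-
-Purpose:
-
-- recover or re-establish access to vault secret custody
-- support migration and disaster recovery
-- preserve owner material sovereignty over stored secrets
-
-Expected lifecycle:
-
-- generated during vault initialization
-- shown to the owner once
-- then stored by the owner outside the normal runtime working path
-
-Non-purpose:
-
-- not the owner's signing identity
-- not the normal runtime key used for every operation
-
 ## Current Runtime Surface
 
 The persistent runtime surface uses `vaultWorkingKey` as the runtime material-control key.
-
-The older `custodyKey` term is intentionally not part of the current product model.
+The working key is now derived from the owner's private key plus `vaultId` in the high-level runtime path.
 
 ## Required Separation
 
-The runtime separates
+The runtime separates two concerns in the high-level path:
 
 1. Identity authority
 `ownerPrivateKey`
@@ -102,9 +80,6 @@ The runtime separates three concerns:
 2. Runtime material control
 `vaultWorkingKey`
 
-3. Recovery authority
-`vaultRecoveryKey`
-
 This separation is deliberate.
 
 The runtime should not default to a model where one owner signing key directly acts as the encryption root for all stored secret material.
@@ -124,7 +99,7 @@ Instead:
 In practical terms:
 
 - owner must be able to export secret plaintext through a formal audited interface
-- owner must be able to recover the vault through
+- owner must be able to recover the vault through the owner identity path
 - owner does not need to directly hold the working key during normal runtime operation
 
 ## Export / Reveal Policy
@@ -145,7 +120,7 @@ Future hardening such as MFA/TOTP may be added on top of this model, but it does
 The runtime now includes:
 
 1. formal vault creation through `createVault(...)`
-2.
+2. owner-identity based re-entry through `recoverVault(...)`
 3. explicit `vaultWorkingKey` terminology in the persistent dependency surface
 4. continued support for explicit owner export through `exportSecret(...)`
 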
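--- a/package/docs/IDENTITY_MODEL.md
+++ b/package/docs/IDENTITY_MODEL.md
@@ -26,8 +26,8 @@ An `identity` is an external principal represented by a public/private keypair.
 
 Properties:
 
--
--
+- root identities are independent
+- child identities may be deterministically derived from a parent identity private key plus a path
 - no built-in inheritance
 - no built-in "owner creates agent identity" relationship
 
@@ -51,7 +51,7 @@ The vault should not treat a display label as the root identity truth.
 
 ## Stable Identity ID
 
-The runtime already has a stable public-key-derived identity primitive available through `
+The runtime already has a stable public-key-derived identity primitive available through `deriveIdentityId(...)`.
 
 That derived value is useful for:
 
@@ -78,6 +78,8 @@ The runtime now exposes this concept directly as optional `nickname` on `createI
 
 For existing private keys, the runtime exposes `restoreIdentity(...)`, which reconstructs the same identity shape from the private key alone.
 
+For child identities, the runtime exposes `createIdentity(parentIdentity, { nickname })`. Child identities include `parentIdentityId`, while `nickname` remains display-only.
+
 In other words:
 
 - public key or a stable derived id answers "who is this cryptographically"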
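--- a/package/docs/REFERENCE.md
+++ b/package/docs/REFERENCE.md
@@ -21,7 +21,7 @@ The main constructors are:
 - `restoreIdentity(...)`
 - `createVault(...)`
 - `recoverVault(...)`
-- `
+- `createVaultClient(...)`
 - `createAgentClient(...)`
 - `LocalVaultTransport`
 
@@ -52,7 +52,8 @@ Role rules:
 
 - outside the vault there are only identities
 - inside a vault, identities are bound to roles such as `owner` or `agent`
-- identities are independent
+- root identities are independent
+- child identities may be deterministically derived from a parent identity
 - the same identity may be `owner` in one vault and `agent` in another
 
 ## Identity Creation
@@ -63,9 +64,12 @@ Role rules:
 - `publicKey`
 - `privateKey`
 - optional `nickname`
+- optional `parentIdentityId` for child identities
 
 `nickname` is human-readable only. It does not affect the derived `identityId`, cryptographic verification, or vault-local role binding.
 
+`createIdentity(parentIdentity, { nickname })` creates a child identity when a parent identity is provided, and the returned identity includes `parentIdentityId`.
+
 `restoreIdentity(privateKey)` returns the same shape for an existing private key.
 
 ## Secret-Flow Model
@@ -100,7 +104,7 @@ The runtime does not claim to understand arbitrary network protocols. The API co
 Important methods:
 
 - `bootstrapOwnerIdentity(...)`
-- `
+- `registerAgent(...)`
 - `writeSecret(...)`
 - `exportSecret(...)`
 - `acquireSecret(...)`
@@ -122,30 +126,30 @@ await vault.bootstrapOwnerIdentity({
 
 The runtime treats this first owner as the single vault admin. Additional principals should be modeled as agents plus capabilities rather than extra owners.
 
-##
+## Vault Client
 
-`clients/owner`
+`clients/owner` currently implements the public vault-management client surface for the identity currently bound to the vault's single admin role.
 
-Current
+Current management operations:
 
 - `writeSecret(...)`
 - `exportSecret(...)`
-- `
-- `
-- `
-- `
+- `readAudit(...)`
+- `registerAgent(...)`
+- `grantCapability(...)`
+- `registerFlow(...)`
 
 Example:
 
 ```ts
-const
+const client = createVaultClient({ identityId: ownerIdentity.identityId }, vault, ownerSigner, clock);
 
-await
+await client.registerAgent({
 agentId: 'agent-1',
 publicKey: agentPublicKey,
 });
 
-await
+await client.registerFlow({
 flowId: 'custom-status-read',
 mode: 'send_secret',
 targetUrl: 'https://api.example.com/custom-status',
@@ -153,7 +157,7 @@ await owner.registerCustomFlow({
 responseVisibility: 'shape_only',
 });
 
-await
+await client.writeSecret({
 alias: 'api-token',
 plaintext: 'secret-value',
 targetBindings: [
@@ -166,7 +170,7 @@ await owner.writeSecret({
 ],
 });
 
-const exportedSecret = await
+const exportedSecret = await client.exportSecret({
 alias: 'api-token',
 });
 ```
@@ -205,7 +209,7 @@ const capability = {
 issuedAt: new Date().toISOString(),
 };
 
-await
+await client.grantCapability({ capability });
 ```
 
 Custom capability example:
@@ -223,7 +227,7 @@ const customCapability = {
 issuedAt: new Date().toISOString(),
 };
 
-await
+await client.grantCapability({ capability: customCapability });
 ```
 
 ## Acquisition Result Shape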
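--- a/package/docs/es/README.md
+++ b/package/docs/es/README.md
@@ -23,7 +23,7 @@ import {
 createVault,
 recoverVault,
 LocalVaultTransport,
-
+createVaultClient,
 createAgentClient,
 FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -39,7 +39,7 @@ import {
 Ruta principal recomendada para vault persistente:
 
 - crear el vault persistente con `createVault(...)`
-- recuperar el vault persistente con `recoverVault(...)` usando la
+- recuperar el vault persistente con `recoverVault(...)` usando la identidad del owner
 
 La API antigua centrada en `CbioIdentity` ya no es la superficie principal del producto.
 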
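--- a/package/docs/fr/README.md
+++ b/package/docs/fr/README.md
@@ -23,7 +23,7 @@ import {
 createVault,
 recoverVault,
 LocalVaultTransport,
-
+createVaultClient,
 createAgentClient,
 FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -39,7 +39,7 @@ import {
 Chemin principal recommande pour un vault persistant :
 
 - creer le vault persistant avec `createVault(...)`
-- restaurer le vault persistant avec `recoverVault(...)` via
+- restaurer le vault persistant avec `recoverVault(...)` via l'identite du owner
 
 L'ancienne API centree sur `CbioIdentity` n'est plus la surface principale du produit.
 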
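--- a/package/docs/ja/README.md
+++ b/package/docs/ja/README.md
@@ -23,7 +23,7 @@ import {
 createVault,
 recoverVault,
 LocalVaultTransport,
-
+createVaultClient,
 createAgentClient,
 FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -39,7 +39,7 @@ import {
 推奨される persistent-vault の主経路:
 
 - `createVault(...)` で persistent vault を作成する
-- `recoverVault(...)` で
+- `recoverVault(...)` で owner identity を使って persistent vault を復旧する
 
 旧 `CbioIdentity` 中心 API は、もはや主要な公開面ではありません。
 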
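--- a/package/docs/ko/README.md
+++ b/package/docs/ko/README.md
@@ -23,7 +23,7 @@ import {
 createVault,
 recoverVault,
 LocalVaultTransport,
-
+createVaultClient,
 createAgentClient,
 FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -39,7 +39,7 @@ import {
 권장되는 persistent-vault 주 경로:
 
 - `createVault(...)` 로 persistent vault 를 생성합니다
-- `recoverVault(...)` 로
+- `recoverVault(...)` 로 owner identity 를 사용해 persistent vault 를 복구합니다
 
 이전 `CbioIdentity` 중심 API 는 더 이상 주요 제품 표면이 아닙니다.
 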
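--- a/package/docs/pt/README.md
+++ b/package/docs/pt/README.md
@@ -23,7 +23,7 @@ import {
 createVault,
 recoverVault,
 LocalVaultTransport,
-
+createVaultClient,
 createAgentClient,
 FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -39,7 +39,7 @@ import {
 Caminho principal recomendado para vault persistente:
 
 - criar o vault persistente com `createVault(...)`
-- recuperar o vault persistente com `recoverVault(...)` usando a
+- recuperar o vault persistente com `recoverVault(...)` usando a identidade do owner
 
 A antiga API centrada em `CbioIdentity` nao e mais a superficie principal do produto.
 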
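--- a/package/docs/zh/README.md
+++ b/package/docs/zh/README.md
@@ -23,7 +23,7 @@ import {
 createVault,
 recoverVault,
 LocalVaultTransport,
-
+createVaultClient,
 createAgentClient,
 FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -39,7 +39,7 @@ import {
 推荐的持久化主路径:
 
 - 通过 `createVault(...)` 创建持久化 vault
-- 通过 `recoverVault(...)` 用
+- 通过 `recoverVault(...)` 用 owner 身份恢复持久化 vault
 
 ## 构建
 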
package/package.json
CHANGED