@tjamescouch/agentchat 0.13.0 → 0.14.0

package/bin/agentchat.js

@@ -550,6 +550,8 @@ program
   .option('-e, --export', 'Export public key for sharing (JSON to stdout)')
   .option('-r, --rotate', 'Rotate to new keypair (signs new key with old key)')
   .option('--verify-chain', 'Verify the rotation chain')
+  .option('--revoke [reason]', 'Generate signed revocation notice (outputs JSON)')
+  .option('--verify-revocation <file>', 'Verify a revocation notice file')
   .option('-f, --file <path>', 'Identity file path', DEFAULT_IDENTITY_PATH)
   .option('-n, --name <name>', 'Agent name (for --generate)', `agent-${process.pid}`)
   .option('--force', 'Overwrite existing identity')
@@ -638,6 +640,43 @@ program
           process.exit(1);
         }
 
+      } else if (options.revoke) {
+        // Generate revocation notice
+        const identity = await Identity.load(options.file);
+        const reason = typeof options.revoke === 'string' ? options.revoke : 'revoked';
+
+        console.error(`Generating revocation notice for identity...`);
+        console.error(`  Agent ID: ${identity.getAgentId()}`);
+        console.error(`  Reason: ${reason}`);
+        console.error('');
+        console.error('WARNING: Publishing this notice declares your key as untrusted.');
+        console.error('');
+
+        const notice = identity.revoke(reason);
+        console.log(JSON.stringify(notice, null, 2));
+
+      } else if (options.verifyRevocation) {
+        // Verify a revocation notice file
+        const noticeData = await fs.readFile(options.verifyRevocation, 'utf-8');
+        const notice = JSON.parse(noticeData);
+
+        console.log('Verifying revocation notice...');
+        const isValid = Identity.verifyRevocation(notice);
+
+        if (isValid) {
+          console.log('Revocation notice is VALID');
+          console.log(`  Agent ID: ${notice.agent_id}`);
+          console.log(`  Fingerprint: ${notice.fingerprint}`);
+          console.log(`  Reason: ${notice.reason}`);
+          console.log(`  Timestamp: ${notice.timestamp}`);
+          if (notice.original_agent_id) {
+            console.log(`  Original Agent ID: ${notice.original_agent_id}`);
+          }
+        } else {
+          console.error('Revocation notice is INVALID');
+          process.exit(1);
+        }
+
       } else {
         // Default: show if exists, otherwise show help
         const exists = await Identity.exists(options.file);
@@ -648,6 +687,10 @@ program
           console.log(`  Fingerprint: ${identity.getFingerprint()}`);
           console.log(`  Agent ID: ${identity.getAgentId()}`);
           console.log(`  Created: ${identity.created}`);
+          if (identity.rotations.length > 0) {
+            console.log(`  Rotations: ${identity.rotations.length}`);
+            console.log(`  Original Agent ID: ${identity.getOriginalAgentId()}`);
+          }
         } else {
           console.log('No identity found.');
           console.log(`Use --generate to create one at ${options.file}`);

package/lib/identity.js

@@ -295,4 +295,82 @@ export class Identity {
   getOriginalAgentId() {
     return pubkeyToAgentId(this.getOriginalPubkey());
   }
+
+  /**
+   * Generate a signed revocation notice for this identity
+   * A revocation notice declares that the key should no longer be trusted
+   * @param {string} reason - Reason for revocation (e.g., "compromised", "retired", "lost")
+   * @returns {object} Revocation notice with pubkey, reason, signature, timestamp
+   */
+  revoke(reason = 'revoked') {
+    if (!this.privkey) {
+      throw new Error('Private key not available - cannot create revocation notice');
+    }
+
+    const timestamp = new Date().toISOString();
+
+    // Create revocation content to sign
+    const revocationContent = JSON.stringify({
+      type: 'REVOCATION',
+      pubkey: this.pubkey,
+      agent_id: this.getAgentId(),
+      reason,
+      timestamp
+    });
+
+    // Sign with the key being revoked (proves ownership)
+    const signature = this.sign(revocationContent);
+
+    return {
+      type: 'REVOCATION',
+      pubkey: this.pubkey,
+      agent_id: this.getAgentId(),
+      fingerprint: this.getFingerprint(),
+      reason,
+      timestamp,
+      signature,
+      // Include rotation history for full chain verification
+      rotations: this.rotations.length > 0 ? this.rotations : undefined,
+      original_agent_id: this.rotations.length > 0 ? this.getOriginalAgentId() : undefined
+    };
+  }
+
+  /**
+   * Verify a revocation notice
+   * Checks that the signature is valid using the pubkey in the notice
+   * @param {object} notice - Revocation notice to verify
+   * @returns {boolean} True if signature is valid
+   */
+  static verifyRevocation(notice) {
+    if (!notice || notice.type !== 'REVOCATION') {
+      return false;
+    }
+
+    try {
+      const revocationContent = JSON.stringify({
+        type: 'REVOCATION',
+        pubkey: notice.pubkey,
+        agent_id: notice.agent_id,
+        reason: notice.reason,
+        timestamp: notice.timestamp
+      });
+
+      return Identity.verify(revocationContent, notice.signature, notice.pubkey);
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Check if a pubkey has been revoked by checking against a revocation notice
+   * @param {string} pubkey - Public key to check
+   * @param {object} notice - Revocation notice
+   * @returns {boolean} True if the pubkey matches the revoked key
+   */
+  static isRevoked(pubkey, notice) {
+    if (!Identity.verifyRevocation(notice)) {
+      return false;
+    }
+    return notice.pubkey === pubkey;
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tjamescouch/agentchat",
-  "version": "0.13.0",
+  "version": "0.14.0",
   "description": "Real-time IRC-like communication protocol for AI agents",
   "main": "lib/client.js",
   "files": [