@totemsdk/identity 0.1.0 → 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Totem SDK Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,306 @@
+# @totemsdk/identity
+
+Canonical identity and claims layer for Totem Edge — who controls a manifest, device, or agent.
+
+No network. No DHT. No blockchain submission. Pure schema + cryptographic binding.
+
+## Installation
+
+```bash
+npm install @totemsdk/identity
+```
+
+## Overview
+
+`@totemsdk/identity` ties together manifests, device identifiers, and agent credentials into a single coherent identity model. It provides:
+
+- **Identity documents** — a `TotemIdentityDocument` naming a root Minima address and a current controller address
+- **Claims** — typed assertions linking identities (delegation, payment routing, service endpoints, rotation, revocation)
+- **Sign / verify** — WOTS-signed claim envelopes with self-contained verification
+- **Graph resolution** — walk a set of signed claims to produce a `ResolvedIdentity` showing active delegates, payment recipients, service endpoints, and rotation/revocation status
+- **Manifest binding** — cryptographically bind a `SignedManifest` to an identity document
+
+## All exports
+
+### Document
+
+| Export | Description |
+|--------|-------------|
+| `createIdentityDocument(opts)` | Create a new `TotemIdentityDocument` |
+| `computeIdentityId(kind, rootAddress)` | SHA3-256 over stable identity fields — returns `totem:id:<kind>:<hash>` URI |
+
+### Claims
+
+| Export | Description |
+|--------|-------------|
+| `createIdentityClaim(opts)` | Create a generic `IdentityClaim` |
+| `createDelegationClaim(opts)` | `delegates_to` claim — authorize another address |
+| `createPaymentRecipientClaim(opts)` | `payment_recipient` claim — register a payment address |
+| `createServiceEndpointClaim(opts)` | `service_endpoint` claim — register a service URI |
+
+### Sign / Verify
+
+| Export | Description |
+|--------|-------------|
+| `signIdentityClaim(claim, seed, keyIndex)` | WOTS-sign a claim; returns `SignedIdentityClaim` |
+| `verifyIdentityClaim(signed)` | Verify the WOTS signature; returns `IdentityVerifyResult` |
+
+### Rotation and Revocation
+
+| Export | Description |
+|--------|-------------|
+| `rotateIdentity(doc, newAddress, seed, keyIndex)` | Issue a signed `rotates_to` claim |
+| `revokeIdentity(doc, reason, seed, keyIndex)` | Issue a signed `revokes` claim |
+
+### Resolution
+
+| Export | Description |
+|--------|-------------|
+| `resolveIdentityGraph(graph)` | Walk an `IdentityGraph` to produce `IdentityResolutionResult` |
+
+### Manifest Binding
+
+| Export | Description |
+|--------|-------------|
+| `bindManifestToIdentity(signedManifest, graph)` | Verify a `SignedManifest` against an `IdentityGraph`; returns `ManifestIdentityBinding` |
+| `verifyManifestIdentity(signedManifest, graph)` | Core verification logic (called internally by `bindManifestToIdentity`) |
+
+### Type Guards
+
+| Export | Description |
+|--------|-------------|
+| `isTotemIdentityDocument(x)` | Narrows to `TotemIdentityDocument` |
+| `isIdentityClaim(x)` | Narrows to `IdentityClaim` |
+| `isSignedIdentityClaim(x)` | Narrows to `SignedIdentityClaim` |
+| `isRotationClaim(x)` | Narrows to `RotationClaim` |
+| `isRevocationClaim(x)` | Narrows to `RevocationClaim` |
+
+## Type reference
+
+### `TotemIdentityDocument`
+
+```typescript
+interface TotemIdentityDocument {
+  id: string;                          // computeIdentityId(kind, rootAddress) — totem:id:... URI
+  kind: IdentityKind;
+  version: number;
+  rootAddress: string;                 // Minima address — permanent, never changes
+  controllerAddress: string;           // Current active controlling address
+  createdAt: number;                   // Unix ms
+  metadata?: Record<string, unknown>;
+}
+
+type IdentityKind =
+  | 'person' | 'device' | 'agent' | 'service'
+  | 'organization' | 'sensor' | 'robot' | 'gateway';
+```
+
+### `IdentityClaim`
+
+```typescript
+interface IdentityClaim {
+  id: string;
+  type: IdentityClaimType;
+  issuer: string;          // Minima address of the claim issuer
+  subject: string;         // identityId this claim is about
+  object: string;          // target address or identityId
+  issuedAt: number;        // Unix ms
+  expiresAt?: number;      // Unix ms — absent means no expiry
+  payload: Record<string, unknown>;
+}
+
+type IdentityClaimType =
+  | 'delegates_to'
+  | 'payment_recipient'
+  | 'service_endpoint'
+  | 'rotates_to'
+  | 'revokes';
+```
+
+### `SignedIdentityClaim`
+
+```typescript
+interface SignedIdentityClaim {
+  claim: IdentityClaim;
+  proof: {
+    address: string;       // Minima address that signed
+    publicKey: string;     // Full WOTS public key hex
+    signature: string;     // WOTS signature hex
+    message?: string;      // Optional human-readable signing context
+  };
+  rootIdentityProof?: string;
+}
+```
+
+### Concrete claim types
+
+```typescript
+interface DelegationClaim {
+  claimId: string;
+  issuer: string;
+  subject: string;
+  delegatedAddress: string;  // Hot-key address authorized to act on behalf of root
+  scopes: string[];           // e.g. ['manifest:sign', 'proof:create']
+  issuedAt: number;
+  expiresAt?: number;
+}
+
+interface PaymentRecipientClaim {
+  claimId: string;
+  issuer: string;
+  address: string;            // Minima address for receiving payments
+  label?: string;
+  issuedAt: number;
+  expiresAt?: number;
+}
+
+interface ServiceEndpointClaim {
+  claimId: string;
+  issuer: string;
+  endpointType: string;       // e.g. 'mqtt', 'https', 'hyperswarm'
+  uri: string;
+  issuedAt: number;
+  expiresAt?: number;
+}
+
+interface RotationClaim {
+  claimId: string;
+  issuer: string;
+  subject: string;
+  newAddress: string;         // Address the identity has rotated to
+  issuedAt: number;
+}
+
+interface RevocationClaim {
+  claimId: string;
+  issuer: string;
+  subject: string;
+  reason?: string;
+  issuedAt: number;
+}
+```
+
+### `ResolvedIdentity`
+
+```typescript
+interface ResolvedIdentity {
+  document: TotemIdentityDocument;
+  status: 'active' | 'rotated' | 'revoked';
+  rootAddress: string;
+  controllerAddress: string;
+  controlledAddresses: string[];
+  authorizedAddresses: string[];
+  delegates: DelegationClaim[];
+  paymentRecipients: PaymentRecipientClaim[];
+  serviceEndpoints: ServiceEndpointClaim[];
+  rotationTarget?: string;
+  revokedAt?: number;
+}
+```
+
+### `IdentityVerifyResult`
+
+```typescript
+interface IdentityVerifyResult {
+  valid: boolean;
+  reason?: string;
+  signerAddress?: string;
+  rootAddress?: string;
+  provenAddresses?: string[];
+  metadata?: Record<string, unknown>;
+}
+```
+
+### `ManifestIdentityBinding`
+
+```typescript
+interface ManifestIdentityBinding {
+  valid: boolean;
+  reason?: string;
+  manifestId: string;
+  identityId: string;
+  signerAddress: string;
+  resolvedStatus: 'active' | 'rotated' | 'revoked';
+}
+```
+
+## Usage: create → sign → resolve → bind
+
+```typescript
+import {
+  createIdentityDocument,
+  computeIdentityId,
+  createDelegationClaim,
+  signIdentityClaim,
+  verifyIdentityClaim,
+  resolveIdentityGraph,
+  bindManifestToIdentity,
+} from '@totemsdk/identity';
+import { signManifest } from '@totemsdk/manifest';
+
+// 1. Create identity document
+const doc = createIdentityDocument({
+  kind: 'service',
+  rootAddress: 'MxABC123...',
+  controllerAddress: 'MxABC123...',
+});
+// computeIdentityId(kind, rootAddress) matches doc.id — use to derive it independently
+console.log('Identity ID:', computeIdentityId('service', 'MxABC123...'));
+
+// 2. Delegate a hot key
+const delegationClaim = createDelegationClaim({
+  issuer: doc.rootAddress,
+  subject: doc.id,
+  delegatedAddress: 'MxHOT456...',
+  scopes: ['manifest:sign'],
+});
+
+// seed = 32-byte WOTS seed; keyIndex = reserved via @totemsdk/wots-lease
+const signedDelegation = await signIdentityClaim(delegationClaim, seed, keyIndex);
+
+// 3. Verify immediately
+const verifyResult = await verifyIdentityClaim(signedDelegation);
+console.assert(verifyResult.valid, 'Claim signature invalid');
+
+// 4. Resolve the full graph
+const { resolved, errors } = resolveIdentityGraph({
+  document: doc,
+  claims: [signedDelegation],
+});
+console.log('Status:', resolved?.status);           // 'active'
+console.log('Delegates:', resolved?.delegates);     // [DelegationClaim]
+
+// 5. Bind a manifest — bindManifestToIdentity takes an IdentityGraph, not a document
+const signedManifest = await signManifest(edgeServiceManifest, seed, keyIndex2);
+const binding = await bindManifestToIdentity(signedManifest, {
+  document: doc,
+  claims: [signedDelegation],
+});
+console.assert(binding.valid, 'Manifest not bound to identity');
+```
+
+## Security notes
+
+### Issuer verification
+
+`verifyIdentityClaim` only checks that the WOTS signature is valid for `proof.address`. It does **not** check whether the issuer is trusted — that is the role of `resolveIdentityGraph`.
+
+Always resolve the full graph before acting on claims:
+- A claim where `issuer` is not the `rootAddress` or a currently authorized address is silently excluded by the resolver.
+- `rotates_to` and `revokes` claims from unauthorized issuers are ignored.
+- An attacker who signs a claim but sets `issuer = rootAddress` will be caught: the resolver checks that `proof.address` matches the declared `issuer`, not just that the signature is structurally valid.
+
+### One-time WOTS keys
+
+Each claim signature consumes one WOTS key index. Use `@totemsdk/wots-lease` to reserve indexes before calling `signIdentityClaim`. Reusing an index exposes the private key.
+
+## Related packages
+
+- [`@totemsdk/manifest`](https://www.npmjs.com/package/@totemsdk/manifest) — signed declaration format for Totem Edge entities
+- [`@totemsdk/edge`](https://www.npmjs.com/package/@totemsdk/edge) — compose identity into an edge runtime
+- [`@totemsdk/core`](https://www.npmjs.com/package/@totemsdk/core) — WOTS signing primitives used internally
+- [`@totemsdk/root-identity`](https://www.npmjs.com/package/@totemsdk/root-identity) — multi-address root identity SDK
+
+## License
+
+MIT

package/dist/canonical.js

@@ -1,8 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toHex = toHex;
+exports.canonicalJson = canonicalJson;
 /**
  * Plain hex encoder (no 0x prefix) for use in ID URIs and deterministic identifiers.
  * bytesToHex from @totemsdk/core adds a 0x prefix — use this for URI-safe hex IDs.
  */
-export function toHex(bytes) {
+function toHex(bytes) {
     return Array.from(bytes)
         .map((b) => b.toString(16).padStart(2, '0'))
         .join('');
@@ -12,7 +16,7 @@ export function toHex(bytes) {
  * Recursively sorts object keys before serializing — used for hashing and signing.
  * Never use bare JSON.stringify on objects passed to hash or sign operations.
  */
-export function canonicalJson(value) {
+function canonicalJson(value) {
     if (value === null || typeof value !== 'object') {
         return JSON.stringify(value);
     }

package/dist/claims.js

@@ -1,16 +1,22 @@
+"use strict";
 /**
  * Claim creation helpers.
  *
  * Claim IDs are deterministic: SHA3-256 of claim fields + canonical payload hash.
  */
-import { sha3_256 } from '@noble/hashes/sha3.js';
-import { canonicalJson, toHex } from './canonical.js';
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createIdentityClaim = createIdentityClaim;
+exports.createDelegationClaim = createDelegationClaim;
+exports.createPaymentRecipientClaim = createPaymentRecipientClaim;
+exports.createServiceEndpointClaim = createServiceEndpointClaim;
+const sha3_js_1 = require("@noble/hashes/sha3.js");
+const canonical_js_1 = require("./canonical.js");
 function computeClaimId(type, issuer, subject, object, issuedAt, payload) {
-    const canonical = canonicalJson({ type, issuer, subject, object, issuedAt, payload });
-    const hash = sha3_256(new TextEncoder().encode(canonical));
-    return toHex(hash);
+    const canonical = (0, canonical_js_1.canonicalJson)({ type, issuer, subject, object, issuedAt, payload });
+    const hash = (0, sha3_js_1.sha3_256)(new TextEncoder().encode(canonical));
+    return (0, canonical_js_1.toHex)(hash);
 }
-export function createIdentityClaim(opts) {
+function createIdentityClaim(opts) {
     const { type, issuer, subject, object, payload, expiresAt } = opts;
     const issuedAt = opts.issuedAt ?? Date.now();
     const id = computeClaimId(type, issuer, subject, object, issuedAt, payload);
@@ -25,7 +31,7 @@ export function createIdentityClaim(opts) {
         payload,
     };
 }
-export function createDelegationClaim(opts) {
+function createDelegationClaim(opts) {
     const { issuer, subject, delegatedAddress, scopes, expiresAt } = opts;
     return createIdentityClaim({
         type: 'delegates_to',
@@ -37,7 +43,7 @@ export function createDelegationClaim(opts) {
         expiresAt,
     });
 }
-export function createPaymentRecipientClaim(opts) {
+function createPaymentRecipientClaim(opts) {
     const { issuer, subject, address, label, expiresAt } = opts;
     const payload = {};
     if (label !== undefined)
@@ -52,7 +58,7 @@ export function createPaymentRecipientClaim(opts) {
         expiresAt,
     });
 }
-export function createServiceEndpointClaim(opts) {
+function createServiceEndpointClaim(opts) {
     const { issuer, subject, endpointType, uri, expiresAt } = opts;
     return createIdentityClaim({
         type: 'service_endpoint',

package/dist/constants.js

@@ -1 +1,4 @@
-export const IDENTITY_VERSION = 1;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IDENTITY_VERSION = void 0;
+exports.IDENTITY_VERSION = 1;

package/dist/document.js

@@ -1,23 +1,27 @@
+"use strict";
 /**
  * Identity document creation and ID computation.
  *
  * computeIdentityId: deterministic SHA3-256 of "totem-identity" + kind + rootAddress.
  * Version is NOT part of the ID hash — schema version upgrades must not change the identity ID.
  */
-import { sha3_256 } from '@noble/hashes/sha3.js';
-import { IDENTITY_VERSION } from './constants.js';
-import { toHex } from './canonical.js';
-export function computeIdentityId(kind, rootAddress) {
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeIdentityId = computeIdentityId;
+exports.createIdentityDocument = createIdentityDocument;
+const sha3_js_1 = require("@noble/hashes/sha3.js");
+const constants_js_1 = require("./constants.js");
+const canonical_js_1 = require("./canonical.js");
+function computeIdentityId(kind, rootAddress) {
     const input = `totem-identity\0${kind}\0${rootAddress}`;
-    const hash = sha3_256(new TextEncoder().encode(input));
-    return `totem:id:${kind}:${toHex(hash)}`;
+    const hash = (0, sha3_js_1.sha3_256)(new TextEncoder().encode(input));
+    return `totem:id:${kind}:${(0, canonical_js_1.toHex)(hash)}`;
 }
-export function createIdentityDocument(opts) {
+function createIdentityDocument(opts) {
     const { kind, rootAddress, controllerAddress, metadata } = opts;
     return {
         id: computeIdentityId(kind, rootAddress),
         kind,
-        version: IDENTITY_VERSION,
+        version: constants_js_1.IDENTITY_VERSION,
         rootAddress,
         controllerAddress,
         createdAt: Date.now(),

package/dist/guards.js

@@ -1,7 +1,14 @@
+"use strict";
 /**
  * Type guards for identity types.
  */
-export function isTotemIdentityDocument(value) {
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isTotemIdentityDocument = isTotemIdentityDocument;
+exports.isIdentityClaim = isIdentityClaim;
+exports.isSignedIdentityClaim = isSignedIdentityClaim;
+exports.isRotationClaim = isRotationClaim;
+exports.isRevocationClaim = isRevocationClaim;
+function isTotemIdentityDocument(value) {
     if (!value || typeof value !== 'object')
         return false;
     const v = value;
@@ -12,7 +19,7 @@ export function isTotemIdentityDocument(value) {
         typeof v.controllerAddress === 'string' &&
         typeof v.createdAt === 'number');
 }
-export function isIdentityClaim(value) {
+function isIdentityClaim(value) {
     if (!value || typeof value !== 'object')
         return false;
     const v = value;
@@ -25,7 +32,7 @@ export function isIdentityClaim(value) {
         typeof v.payload === 'object' &&
         v.payload !== null);
 }
-export function isSignedIdentityClaim(value) {
+function isSignedIdentityClaim(value) {
     if (!value || typeof value !== 'object')
         return false;
     const v = value;
@@ -38,7 +45,7 @@ export function isSignedIdentityClaim(value) {
         typeof p.publicKey === 'string' &&
         typeof p.signature === 'string');
 }
-export function isRotationClaim(value) {
+function isRotationClaim(value) {
     if (!value || typeof value !== 'object')
         return false;
     const v = value;
@@ -48,7 +55,7 @@ export function isRotationClaim(value) {
         typeof v.newAddress === 'string' &&
         typeof v.issuedAt === 'number');
 }
-export function isRevocationClaim(value) {
+function isRevocationClaim(value) {
     if (!value || typeof value !== 'object')
         return false;
     const v = value;

package/dist/index.js

@@ -1,16 +1,38 @@
+"use strict";
 /**
  * @module @totemsdk/identity
  *
  * Canonical identity and claims layer for Totem Edge.
  * Pure package — no network, no DHT, no blockchain submission.
  */
-export { IDENTITY_VERSION } from './constants.js';
-export { computeIdentityId, createIdentityDocument } from './document.js';
-export { createIdentityClaim, createDelegationClaim, createPaymentRecipientClaim, createServiceEndpointClaim, } from './claims.js';
-export { signIdentityClaim } from './signing.js';
-export { verifyIdentityClaim } from './verify.js';
-export { rotateIdentity } from './rotation.js';
-export { revokeIdentity } from './revocation.js';
-export { resolveIdentityGraph } from './resolver.js';
-export { bindManifestToIdentity, verifyManifestIdentity } from './manifest-binding.js';
-export { isTotemIdentityDocument, isIdentityClaim, isSignedIdentityClaim, isRotationClaim, isRevocationClaim, } from './guards.js';
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isRevocationClaim = exports.isRotationClaim = exports.isSignedIdentityClaim = exports.isIdentityClaim = exports.isTotemIdentityDocument = exports.verifyManifestIdentity = exports.bindManifestToIdentity = exports.resolveIdentityGraph = exports.revokeIdentity = exports.rotateIdentity = exports.verifyIdentityClaim = exports.signIdentityClaim = exports.createServiceEndpointClaim = exports.createPaymentRecipientClaim = exports.createDelegationClaim = exports.createIdentityClaim = exports.createIdentityDocument = exports.computeIdentityId = exports.IDENTITY_VERSION = void 0;
+var constants_js_1 = require("./constants.js");
+Object.defineProperty(exports, "IDENTITY_VERSION", { enumerable: true, get: function () { return constants_js_1.IDENTITY_VERSION; } });
+var document_js_1 = require("./document.js");
+Object.defineProperty(exports, "computeIdentityId", { enumerable: true, get: function () { return document_js_1.computeIdentityId; } });
+Object.defineProperty(exports, "createIdentityDocument", { enumerable: true, get: function () { return document_js_1.createIdentityDocument; } });
+var claims_js_1 = require("./claims.js");
+Object.defineProperty(exports, "createIdentityClaim", { enumerable: true, get: function () { return claims_js_1.createIdentityClaim; } });
+Object.defineProperty(exports, "createDelegationClaim", { enumerable: true, get: function () { return claims_js_1.createDelegationClaim; } });
+Object.defineProperty(exports, "createPaymentRecipientClaim", { enumerable: true, get: function () { return claims_js_1.createPaymentRecipientClaim; } });
+Object.defineProperty(exports, "createServiceEndpointClaim", { enumerable: true, get: function () { return claims_js_1.createServiceEndpointClaim; } });
+var signing_js_1 = require("./signing.js");
+Object.defineProperty(exports, "signIdentityClaim", { enumerable: true, get: function () { return signing_js_1.signIdentityClaim; } });
+var verify_js_1 = require("./verify.js");
+Object.defineProperty(exports, "verifyIdentityClaim", { enumerable: true, get: function () { return verify_js_1.verifyIdentityClaim; } });
+var rotation_js_1 = require("./rotation.js");
+Object.defineProperty(exports, "rotateIdentity", { enumerable: true, get: function () { return rotation_js_1.rotateIdentity; } });
+var revocation_js_1 = require("./revocation.js");
+Object.defineProperty(exports, "revokeIdentity", { enumerable: true, get: function () { return revocation_js_1.revokeIdentity; } });
+var resolver_js_1 = require("./resolver.js");
+Object.defineProperty(exports, "resolveIdentityGraph", { enumerable: true, get: function () { return resolver_js_1.resolveIdentityGraph; } });
+var manifest_binding_js_1 = require("./manifest-binding.js");
+Object.defineProperty(exports, "bindManifestToIdentity", { enumerable: true, get: function () { return manifest_binding_js_1.bindManifestToIdentity; } });
+Object.defineProperty(exports, "verifyManifestIdentity", { enumerable: true, get: function () { return manifest_binding_js_1.verifyManifestIdentity; } });
+var guards_js_1 = require("./guards.js");
+Object.defineProperty(exports, "isTotemIdentityDocument", { enumerable: true, get: function () { return guards_js_1.isTotemIdentityDocument; } });
+Object.defineProperty(exports, "isIdentityClaim", { enumerable: true, get: function () { return guards_js_1.isIdentityClaim; } });
+Object.defineProperty(exports, "isSignedIdentityClaim", { enumerable: true, get: function () { return guards_js_1.isSignedIdentityClaim; } });
+Object.defineProperty(exports, "isRotationClaim", { enumerable: true, get: function () { return guards_js_1.isRotationClaim; } });
+Object.defineProperty(exports, "isRevocationClaim", { enumerable: true, get: function () { return guards_js_1.isRevocationClaim; } });

package/dist/manifest-binding.js

@@ -1,3 +1,4 @@
+"use strict";
 /**
  * Manifest identity binding.
  *
@@ -21,13 +22,16 @@
  *   4. Address membership check
  *   5. Identity status check (revoked = invalid)
  */
-import { verifyManifest, computeManifestId } from '@totemsdk/manifest';
-import { resolveIdentityGraph } from './resolver.js';
-export async function verifyManifestIdentity(signedManifest, identityGraph, options) {
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyManifestIdentity = verifyManifestIdentity;
+exports.bindManifestToIdentity = bindManifestToIdentity;
+const manifest_1 = require("@totemsdk/manifest");
+const resolver_js_1 = require("./resolver.js");
+async function verifyManifestIdentity(signedManifest, identityGraph, options) {
     const proofVerifiers = options?.proofVerifiers ?? {};
-    const manifestId = computeManifestId(signedManifest.manifest);
+    const manifestId = (0, manifest_1.computeManifestId)(signedManifest.manifest);
     // Step 1: verify manifest signature first — fail fast on invalid manifest
-    const manifestVerifyResult = verifyManifest(signedManifest);
+    const manifestVerifyResult = (0, manifest_1.verifyManifest)(signedManifest);
     if (!manifestVerifyResult.valid) {
         return {
             valid: false,
@@ -39,7 +43,7 @@ export async function verifyManifestIdentity(signedManifest, identityGraph, opti
         };
     }
     // Step 2: resolve identity graph (includes claim signature verification)
-    const resolution = resolveIdentityGraph(identityGraph);
+    const resolution = (0, resolver_js_1.resolveIdentityGraph)(identityGraph);
     if (!resolution.resolved) {
         return {
             valid: false,
@@ -125,6 +129,6 @@ export async function verifyManifestIdentity(signedManifest, identityGraph, opti
         resolvedStatus: resolved.status,
     };
 }
-export async function bindManifestToIdentity(signedManifest, identityGraph, options) {
+async function bindManifestToIdentity(signedManifest, identityGraph, options) {
     return verifyManifestIdentity(signedManifest, identityGraph, options);
 }

package/dist/resolver.js

@@ -1,3 +1,4 @@
+"use strict";
 /**
  * Local-only identity graph resolver.
  *
@@ -17,13 +18,15 @@
  *     3. An address holding an active + signature-verified delegates_to claim from the subject
  *   Claims from unauthorized issuers are silently dropped.
  */
-import { verifyIdentityClaim } from './verify.js';
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveIdentityGraph = resolveIdentityGraph;
+const verify_js_1 = require("./verify.js");
 function isExpired(claim) {
     if (claim.expiresAt === undefined)
         return false;
     return Date.now() > claim.expiresAt;
 }
-export function resolveIdentityGraph(graph) {
+function resolveIdentityGraph(graph) {
     const { document, claims } = graph;
     const { rootAddress, controllerAddress } = document;
     // Step 1: signature-verify all claims upfront and collect the valid ones.
@@ -34,7 +37,7 @@ export function resolveIdentityGraph(graph) {
     // This prevents issuer-field spoofing: an attacker cannot set claim.issuer to a privileged
     // address (root, controller, delegate) if they signed with their own key.
     const verifiedClaims = claims.filter((sc) => {
-        const result = verifyIdentityClaim(sc);
+        const result = (0, verify_js_1.verifyIdentityClaim)(sc);
         return result.valid && result.signerAddress === sc.claim.issuer;
     });
     // Step 2: collect delegation claims issued by root or controller only (first-level authority).

package/dist/revocation.js

@@ -1,13 +1,16 @@
+"use strict";
 /**
  * Identity revocation — produces a RevocationClaim.
  */
-import { createIdentityClaim } from './claims.js';
-export function revokeIdentity(opts) {
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeIdentity = revokeIdentity;
+const claims_js_1 = require("./claims.js");
+function revokeIdentity(opts) {
     const { issuer, subject, reason } = opts;
     const payload = {};
     if (reason !== undefined)
         payload.reason = reason;
-    return createIdentityClaim({
+    return (0, claims_js_1.createIdentityClaim)({
         type: 'revokes',
         issuer,
         subject,

package/dist/rotation.js

@@ -1,10 +1,13 @@
+"use strict";
 /**
  * Identity rotation — produces a RotationClaim.
  */
-import { createIdentityClaim } from './claims.js';
-export function rotateIdentity(opts) {
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rotateIdentity = rotateIdentity;
+const claims_js_1 = require("./claims.js");
+function rotateIdentity(opts) {
     const { issuer, subject, newAddress } = opts;
-    return createIdentityClaim({
+    return (0, claims_js_1.createIdentityClaim)({
         type: 'rotates_to',
         issuer,
         subject,