@totemsdk/identity 0.1.0 → 0.1.1

package/src/types.ts

@@ -1,147 +0,0 @@
-/**
- * @totemsdk/identity — Type definitions
- *
- * Pure schema — no network, no DHT, no blockchain submission.
- */
-
-export type IdentityKind =
-  | 'person'
-  | 'device'
-  | 'agent'
-  | 'service'
-  | 'organization'
-  | 'sensor'
-  | 'robot'
-  | 'gateway';
-
-export type IdentityStatus = 'active' | 'rotated' | 'revoked';
-
-export interface TotemIdentityDocument {
-  id: string;
-  kind: IdentityKind;
-  version: number;
-  rootAddress: string;
-  controllerAddress: string;
-  createdAt: number;
-  metadata?: Record<string, unknown>;
-}
-
-export type IdentityClaimType =
-  | 'delegates_to'
-  | 'payment_recipient'
-  | 'service_endpoint'
-  | 'rotates_to'
-  | 'revokes';
-
-export interface IdentityClaim {
-  id: string;
-  type: IdentityClaimType;
-  issuer: string;
-  subject: string;
-  object: string;
-  issuedAt: number;
-  expiresAt?: number;
-  payload: Record<string, unknown>;
-}
-
-export interface SignedIdentityClaim {
-  claim: IdentityClaim;
-  proof: {
-    address: string;
-    publicKey: string;
-    signature: string;
-    message?: string;
-  };
-  rootIdentityProof?: string;
-}
-
-export interface IdentityVerifyResult {
-  valid: boolean;
-  reason?: string;
-  signerAddress?: string;
-  rootAddress?: string;
-  provenAddresses?: string[];
-  metadata?: Record<string, unknown>;
-}
-
-export interface IdentityProofVerifier {
-  type: string;
-  verify(proof: unknown): Promise<IdentityVerifyResult>;
-}
-
-export interface IdentityGraph {
-  document: TotemIdentityDocument;
-  claims: SignedIdentityClaim[];
-}
-
-export interface ResolvedIdentity {
-  document: TotemIdentityDocument;
-  status: IdentityStatus;
-  rootAddress: string;
-  controllerAddress: string;
-  controlledAddresses: string[];
-  authorizedAddresses: string[];
-  delegates: DelegationClaim[];
-  paymentRecipients: PaymentRecipientClaim[];
-  serviceEndpoints: ServiceEndpointClaim[];
-  rotationTarget?: string;
-  revokedAt?: number;
-}
-
-export interface IdentityResolutionResult {
-  resolved: ResolvedIdentity | null;
-  errors: string[];
-}
-
-export interface DelegationClaim {
-  claimId: string;
-  issuer: string;
-  subject: string;
-  delegatedAddress: string;
-  scopes: string[];
-  issuedAt: number;
-  expiresAt?: number;
-}
-
-export interface PaymentRecipientClaim {
-  claimId: string;
-  issuer: string;
-  address: string;
-  label?: string;
-  issuedAt: number;
-  expiresAt?: number;
-}
-
-export interface ServiceEndpointClaim {
-  claimId: string;
-  issuer: string;
-  endpointType: string;
-  uri: string;
-  issuedAt: number;
-  expiresAt?: number;
-}
-
-export interface RotationClaim {
-  claimId: string;
-  issuer: string;
-  subject: string;
-  newAddress: string;
-  issuedAt: number;
-}
-
-export interface RevocationClaim {
-  claimId: string;
-  issuer: string;
-  subject: string;
-  reason?: string;
-  issuedAt: number;
-}
-
-export interface ManifestIdentityBinding {
-  valid: boolean;
-  reason?: string;
-  manifestId: string;
-  identityId: string;
-  signerAddress: string;
-  resolvedStatus: IdentityStatus;
-}

package/src/verify.ts

@@ -1,90 +0,0 @@
-/**
- * Claim verification.
- *
- * verifyIdentityClaim recomputes the canonical claim digest from signed.claim
- * using canonicalJson. It does NOT use proof.message as the source of truth —
- * that field is optional debug/display metadata only.
- *
- * Security: proof.address is bound to proof.publicKey by re-deriving the
- * expected address from the public key. Any mismatch fails verification,
- * preventing signer-address spoofing.
- */
-
-import { wotsVerifyDigest, hexToBytes, scriptFromWotsPk, scriptToAddress } from '@totemsdk/core';
-import { claimDigest } from './signing.js';
-import type { SignedIdentityClaim, IdentityVerifyResult } from './types.js';
-
-/**
- * Derive the Minima address from a 32-byte WOTS PKdigest (hex).
- * Returns null if the public key cannot be decoded.
- */
-function addressFromPkDigest(publicKeyHex: string): string | null {
-  try {
-    const pkDigest = hexToBytes(publicKeyHex);
-    const script = scriptFromWotsPk(pkDigest);
-    return scriptToAddress(script);
-  } catch {
-    return null;
-  }
-}
-
-export function verifyIdentityClaim(signed: SignedIdentityClaim): IdentityVerifyResult {
-  const { claim, proof } = signed;
-
-  let sigBytes: Uint8Array;
-  let pkDigest: Uint8Array;
-  try {
-    sigBytes = hexToBytes(proof.signature);
-    pkDigest = hexToBytes(proof.publicKey);
-  } catch (e) {
-    return {
-      valid: false,
-      reason: `hex decode failed: ${String(e)}`,
-      signerAddress: proof.address,
-    };
-  }
-
-  // Bind proof.address to proof.publicKey — derive expected address from the public key
-  // and verify it matches proof.address. This prevents signer-address spoofing.
-  const expectedAddress = addressFromPkDigest(proof.publicKey);
-  if (expectedAddress === null) {
-    return {
-      valid: false,
-      reason: 'could not derive address from proof.publicKey',
-      signerAddress: proof.address,
-    };
-  }
-  if (expectedAddress !== proof.address) {
-    return {
-      valid: false,
-      reason: `proof.address '${proof.address}' does not match address derived from proof.publicKey '${expectedAddress}'`,
-      signerAddress: proof.address,
-    };
-  }
-
-  const digest = claimDigest(claim);
-
-  let sigValid: boolean;
-  try {
-    sigValid = wotsVerifyDigest(sigBytes, digest, pkDigest);
-  } catch (e) {
-    return {
-      valid: false,
-      reason: `WOTS verify threw: ${String(e)}`,
-      signerAddress: proof.address,
-    };
-  }
-
-  if (!sigValid) {
-    return {
-      valid: false,
-      reason: 'WOTS signature invalid',
-      signerAddress: proof.address,
-    };
-  }
-
-  return {
-    valid: true,
-    signerAddress: proof.address,
-  };
-}