@totemsdk/identity 0.1.0

package/dist/rotation.js

@@ -0,0 +1,15 @@
+/**
+ * Identity rotation — produces a RotationClaim.
+ */
+import { createIdentityClaim } from './claims.js';
+export function rotateIdentity(opts) {
+    const { issuer, subject, newAddress } = opts;
+    return createIdentityClaim({
+        type: 'rotates_to',
+        issuer,
+        subject,
+        object: newAddress,
+        payload: {},
+        issuedAt: opts.issuedAt,
+    });
+}

package/dist/signing.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Claim signing using WOTS primitives from @totemsdk/core.
+ */
+import type { IdentityClaim, SignedIdentityClaim } from './types.js';
+export declare function claimDigest(claim: IdentityClaim): Uint8Array;
+export declare function signIdentityClaim(claim: IdentityClaim, seed: Uint8Array, keyIndex: number): Promise<SignedIdentityClaim>;

package/dist/signing.js

@@ -0,0 +1,24 @@
+/**
+ * Claim signing using WOTS primitives from @totemsdk/core.
+ */
+import { sha3_256 } from '@noble/hashes/sha3.js';
+import { wotsSign, wotsKeypairFromSeed, wotsAddressFromKeypair, bytesToHex, } from '@totemsdk/core';
+import { canonicalJson } from './canonical.js';
+export function claimDigest(claim) {
+    const canonical = canonicalJson(claim);
+    return sha3_256(new TextEncoder().encode(canonical));
+}
+export async function signIdentityClaim(claim, seed, keyIndex) {
+    const digest = claimDigest(claim);
+    const sigBytes = wotsSign(seed, keyIndex, digest);
+    const kp = wotsKeypairFromSeed(seed, keyIndex);
+    const address = wotsAddressFromKeypair(kp);
+    return {
+        claim,
+        proof: {
+            address,
+            publicKey: bytesToHex(kp.pk),
+            signature: bytesToHex(sigBytes),
+        },
+    };
+}

package/dist/types.d.ts

@@ -0,0 +1,117 @@
+/**
+ * @totemsdk/identity — Type definitions
+ *
+ * Pure schema — no network, no DHT, no blockchain submission.
+ */
+export type IdentityKind = 'person' | 'device' | 'agent' | 'service' | 'organization' | 'sensor' | 'robot' | 'gateway';
+export type IdentityStatus = 'active' | 'rotated' | 'revoked';
+export interface TotemIdentityDocument {
+    id: string;
+    kind: IdentityKind;
+    version: number;
+    rootAddress: string;
+    controllerAddress: string;
+    createdAt: number;
+    metadata?: Record<string, unknown>;
+}
+export type IdentityClaimType = 'delegates_to' | 'payment_recipient' | 'service_endpoint' | 'rotates_to' | 'revokes';
+export interface IdentityClaim {
+    id: string;
+    type: IdentityClaimType;
+    issuer: string;
+    subject: string;
+    object: string;
+    issuedAt: number;
+    expiresAt?: number;
+    payload: Record<string, unknown>;
+}
+export interface SignedIdentityClaim {
+    claim: IdentityClaim;
+    proof: {
+        address: string;
+        publicKey: string;
+        signature: string;
+        message?: string;
+    };
+    rootIdentityProof?: string;
+}
+export interface IdentityVerifyResult {
+    valid: boolean;
+    reason?: string;
+    signerAddress?: string;
+    rootAddress?: string;
+    provenAddresses?: string[];
+    metadata?: Record<string, unknown>;
+}
+export interface IdentityProofVerifier {
+    type: string;
+    verify(proof: unknown): Promise<IdentityVerifyResult>;
+}
+export interface IdentityGraph {
+    document: TotemIdentityDocument;
+    claims: SignedIdentityClaim[];
+}
+export interface ResolvedIdentity {
+    document: TotemIdentityDocument;
+    status: IdentityStatus;
+    rootAddress: string;
+    controllerAddress: string;
+    controlledAddresses: string[];
+    authorizedAddresses: string[];
+    delegates: DelegationClaim[];
+    paymentRecipients: PaymentRecipientClaim[];
+    serviceEndpoints: ServiceEndpointClaim[];
+    rotationTarget?: string;
+    revokedAt?: number;
+}
+export interface IdentityResolutionResult {
+    resolved: ResolvedIdentity | null;
+    errors: string[];
+}
+export interface DelegationClaim {
+    claimId: string;
+    issuer: string;
+    subject: string;
+    delegatedAddress: string;
+    scopes: string[];
+    issuedAt: number;
+    expiresAt?: number;
+}
+export interface PaymentRecipientClaim {
+    claimId: string;
+    issuer: string;
+    address: string;
+    label?: string;
+    issuedAt: number;
+    expiresAt?: number;
+}
+export interface ServiceEndpointClaim {
+    claimId: string;
+    issuer: string;
+    endpointType: string;
+    uri: string;
+    issuedAt: number;
+    expiresAt?: number;
+}
+export interface RotationClaim {
+    claimId: string;
+    issuer: string;
+    subject: string;
+    newAddress: string;
+    issuedAt: number;
+}
+export interface RevocationClaim {
+    claimId: string;
+    issuer: string;
+    subject: string;
+    reason?: string;
+    issuedAt: number;
+}
+export interface ManifestIdentityBinding {
+    valid: boolean;
+    reason?: string;
+    manifestId: string;
+    identityId: string;
+    signerAddress: string;
+    resolvedStatus: IdentityStatus;
+}

package/dist/types.js

@@ -0,0 +1,6 @@
+/**
+ * @totemsdk/identity — Type definitions
+ *
+ * Pure schema — no network, no DHT, no blockchain submission.
+ */
+export {};

package/dist/verify.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Claim verification.
+ *
+ * verifyIdentityClaim recomputes the canonical claim digest from signed.claim
+ * using canonicalJson. It does NOT use proof.message as the source of truth —
+ * that field is optional debug/display metadata only.
+ *
+ * Security: proof.address is bound to proof.publicKey by re-deriving the
+ * expected address from the public key. Any mismatch fails verification,
+ * preventing signer-address spoofing.
+ */
+import type { SignedIdentityClaim, IdentityVerifyResult } from './types.js';
+export declare function verifyIdentityClaim(signed: SignedIdentityClaim): IdentityVerifyResult;

package/dist/verify.js

@@ -0,0 +1,83 @@
+/**
+ * Claim verification.
+ *
+ * verifyIdentityClaim recomputes the canonical claim digest from signed.claim
+ * using canonicalJson. It does NOT use proof.message as the source of truth —
+ * that field is optional debug/display metadata only.
+ *
+ * Security: proof.address is bound to proof.publicKey by re-deriving the
+ * expected address from the public key. Any mismatch fails verification,
+ * preventing signer-address spoofing.
+ */
+import { wotsVerifyDigest, hexToBytes, scriptFromWotsPk, scriptToAddress } from '@totemsdk/core';
+import { claimDigest } from './signing.js';
+/**
+ * Derive the Minima address from a 32-byte WOTS PKdigest (hex).
+ * Returns null if the public key cannot be decoded.
+ */
+function addressFromPkDigest(publicKeyHex) {
+    try {
+        const pkDigest = hexToBytes(publicKeyHex);
+        const script = scriptFromWotsPk(pkDigest);
+        return scriptToAddress(script);
+    }
+    catch {
+        return null;
+    }
+}
+export function verifyIdentityClaim(signed) {
+    const { claim, proof } = signed;
+    let sigBytes;
+    let pkDigest;
+    try {
+        sigBytes = hexToBytes(proof.signature);
+        pkDigest = hexToBytes(proof.publicKey);
+    }
+    catch (e) {
+        return {
+            valid: false,
+            reason: `hex decode failed: ${String(e)}`,
+            signerAddress: proof.address,
+        };
+    }
+    // Bind proof.address to proof.publicKey — derive expected address from the public key
+    // and verify it matches proof.address. This prevents signer-address spoofing.
+    const expectedAddress = addressFromPkDigest(proof.publicKey);
+    if (expectedAddress === null) {
+        return {
+            valid: false,
+            reason: 'could not derive address from proof.publicKey',
+            signerAddress: proof.address,
+        };
+    }
+    if (expectedAddress !== proof.address) {
+        return {
+            valid: false,
+            reason: `proof.address '${proof.address}' does not match address derived from proof.publicKey '${expectedAddress}'`,
+            signerAddress: proof.address,
+        };
+    }
+    const digest = claimDigest(claim);
+    let sigValid;
+    try {
+        sigValid = wotsVerifyDigest(sigBytes, digest, pkDigest);
+    }
+    catch (e) {
+        return {
+            valid: false,
+            reason: `WOTS verify threw: ${String(e)}`,
+            signerAddress: proof.address,
+        };
+    }
+    if (!sigValid) {
+        return {
+            valid: false,
+            reason: 'WOTS signature invalid',
+            signerAddress: proof.address,
+        };
+    }
+    return {
+        valid: true,
+        signerAddress: proof.address,
+    };
+}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@totemsdk/identity",
+  "version": "0.1.0",
+  "description": "Canonical identity and claims layer for Totem Edge — who controls a manifest, device, or agent",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "dependencies": {
+    "@totemsdk/core": "1.0.9",
+    "@totemsdk/manifest": "0.1.0"
+  },
+  "peerDependencies": {
+    "@noble/hashes": ">=1.3.0 <2.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@noble/hashes": {
+      "optional": false
+    }
+  },
+  "devDependencies": {
+    "@noble/hashes": "^1.3.0",
+    "@types/jest": "^29.0.0",
+    "@types/node": "^20.0.0",
+    "jest": "^29.0.0",
+    "ts-jest": "^29.0.0",
+    "typescript": "^5.0.0",
+    "@totemsdk/root-identity": "1.0.5"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "license": "MIT",
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist",
+    "test": "jest --passWithNoTests"
+  }
+}