@vaultysclaw/agent-runtime 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +38 -0
- package/dist/base-agent.d.ts +182 -0
- package/dist/base-agent.d.ts.map +1 -0
- package/dist/base-agent.js +1003 -0
- package/dist/base-agent.js.map +1 -0
- package/dist/config.d.ts +13 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +2 -0
- package/dist/config.js.map +1 -0
- package/dist/index.d.ts +9 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +5 -0
- package/dist/index.js.map +1 -0
- package/dist/intent-verify.d.ts +30 -0
- package/dist/intent-verify.d.ts.map +1 -0
- package/dist/intent-verify.js +55 -0
- package/dist/intent-verify.js.map +1 -0
- package/dist/peer-grant-verify.d.ts +16 -0
- package/dist/peer-grant-verify.d.ts.map +1 -0
- package/dist/peer-grant-verify.js +39 -0
- package/dist/peer-grant-verify.js.map +1 -0
- package/dist/peer-manager.d.ts +63 -0
- package/dist/peer-manager.d.ts.map +1 -0
- package/dist/peer-manager.js +448 -0
- package/dist/peer-manager.js.map +1 -0
- package/package.json +42 -0
- package/src/base-agent.ts +1332 -0
- package/src/config.ts +13 -0
- package/src/index.ts +8 -0
- package/src/intent-verify.ts +72 -0
- package/src/peer-grant-verify.ts +58 -0
- package/src/peer-manager.ts +696 -0
package/src/config.ts
ADDED
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { AgentCapability } from "@vaultysclaw/shared";
|
|
2
|
+
|
|
3
|
+
export interface AgentRuntimeConfig {
|
|
4
|
+
name: string;
|
|
5
|
+
controlPlaneUrl: string;
|
|
6
|
+
controlPlaneWsUrl?: string;
|
|
7
|
+
peerjsControlPlaneId?: string;
|
|
8
|
+
peerjsServerUrl?: string;
|
|
9
|
+
peerjsServer?: string;
|
|
10
|
+
vaultysIdPath: string;
|
|
11
|
+
requestedCapabilities: AgentCapability[];
|
|
12
|
+
workspaceRoot?: string;
|
|
13
|
+
}
|
package/src/index.ts
ADDED
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
export { BaseAgentRuntime } from "./base-agent.js";
|
|
2
|
+
export type { AgentRuntimeConfig } from "./config.js";
|
|
3
|
+
export type { AgentStatus, LogEntry, IntentEntry, AgentInfo } from "./base-agent.js";
|
|
4
|
+
export { PeerManager, peerIdForDid } from "./peer-manager.js";
|
|
5
|
+
export { verifyIntentMessage } from "./intent-verify.js";
|
|
6
|
+
export type { IntentSigningBody } from "./intent-verify.js";
|
|
7
|
+
export { verifyPeerGrant } from "./peer-grant-verify.js";
|
|
8
|
+
export type { PeerGrantPayload } from "./peer-grant-verify.js";
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Intent signature verification for the agent controller.
|
|
3
|
+
*
|
|
4
|
+
* Agents call verifyIntentMessage() on every incoming intent to confirm it was
|
|
5
|
+
* signed by the control plane they authenticated against.
|
|
6
|
+
*
|
|
7
|
+
* Wire format (identical to delegation certs produced by control-plane):
|
|
8
|
+
* base64( 4-byte-LE-bodyLen | msgpack(body) | raw-signature )
|
|
9
|
+
*
|
|
10
|
+
* Body:
|
|
11
|
+
* { type: "intent", id: string, action: string, agentId: string, timestamp: number }
|
|
12
|
+
*/
|
|
13
|
+
|
|
14
|
+
import { VaultysId, crypto } from "@vaultys/id";
|
|
15
|
+
import { decode as msgpackDecode } from "@msgpack/msgpack";
|
|
16
|
+
import type { WSMessage } from "@vaultysclaw/shared";
|
|
17
|
+
|
|
18
|
+
const Buf = crypto.Buffer;
|
|
19
|
+
|
|
20
|
+
export interface IntentSigningBody {
|
|
21
|
+
type: string;
|
|
22
|
+
id: string;
|
|
23
|
+
action: string;
|
|
24
|
+
agentId: string;
|
|
25
|
+
timestamp: number;
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
/**
|
|
29
|
+
* Verify a signed WSMessage of type "intent".
|
|
30
|
+
*
|
|
31
|
+
* @param message The incoming WSMessage (must have `.signature`).
|
|
32
|
+
* @param serverPublicKey Raw public key bytes from the Challenger auth cert (pk1).
|
|
33
|
+
* @returns `true` if the signature is valid and the body matches the envelope,
|
|
34
|
+
* `false` otherwise.
|
|
35
|
+
*/
|
|
36
|
+
export function verifyIntentMessage(
|
|
37
|
+
message: WSMessage,
|
|
38
|
+
serverPublicKey: Buffer
|
|
39
|
+
): boolean {
|
|
40
|
+
console.log("boom");
|
|
41
|
+
if (!message.signature) return false;
|
|
42
|
+
|
|
43
|
+
try {
|
|
44
|
+
const combined = Buf.from(message.signature, "base64");
|
|
45
|
+
if (combined.length < 5) return false;
|
|
46
|
+
|
|
47
|
+
const bodyLen = combined.readUInt32LE(0);
|
|
48
|
+
if (combined.length < 4 + bodyLen) return false;
|
|
49
|
+
|
|
50
|
+
const body = combined.subarray(4, 4 + bodyLen);
|
|
51
|
+
const sig = combined.subarray(4 + bodyLen);
|
|
52
|
+
|
|
53
|
+
|
|
54
|
+
const serverVid = VaultysId.fromId(serverPublicKey);
|
|
55
|
+
console.log("Verifying intent signature with server public key:", serverVid.did);
|
|
56
|
+
const valid = serverVid.verifyChallenge(
|
|
57
|
+
Buf.from(body),
|
|
58
|
+
Buf.from(sig),
|
|
59
|
+
false
|
|
60
|
+
);
|
|
61
|
+
if (!valid) return false;
|
|
62
|
+
|
|
63
|
+
const payload = msgpackDecode(body) as IntentSigningBody;
|
|
64
|
+
if (payload.type !== "intent") return false;
|
|
65
|
+
if (payload.id !== message.messageId) return false;
|
|
66
|
+
if (payload.agentId !== message.agentId) return false;
|
|
67
|
+
|
|
68
|
+
return true;
|
|
69
|
+
} catch {
|
|
70
|
+
return false;
|
|
71
|
+
}
|
|
72
|
+
}
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Peer grant certificate verification for the agent controller.
|
|
3
|
+
*
|
|
4
|
+
* Mirrors the control-plane's peer-grant.ts but uses only the agent's
|
|
5
|
+
* available imports (no server-side dependencies).
|
|
6
|
+
*/
|
|
7
|
+
import { decode as msgpackDecode } from "@msgpack/msgpack";
|
|
8
|
+
import { VaultysId, crypto } from "@vaultys/id";
|
|
9
|
+
|
|
10
|
+
const Buffer = crypto.Buffer;
|
|
11
|
+
|
|
12
|
+
export interface PeerGrantPayload {
|
|
13
|
+
type: "peer_grant";
|
|
14
|
+
sourceDid: string;
|
|
15
|
+
targetDid: string;
|
|
16
|
+
targetName: string;
|
|
17
|
+
skillDescription: string;
|
|
18
|
+
capabilities: string[];
|
|
19
|
+
issuedAt: number;
|
|
20
|
+
expiresAt?: number;
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
/**
|
|
24
|
+
* Verify a peer grant certificate using the server's raw public key bytes.
|
|
25
|
+
* Returns the decoded payload if valid and not expired, null otherwise.
|
|
26
|
+
*/
|
|
27
|
+
export async function verifyPeerGrant(
|
|
28
|
+
cert: string,
|
|
29
|
+
serverPublicKey: Buffer
|
|
30
|
+
): Promise<PeerGrantPayload | null> {
|
|
31
|
+
try {
|
|
32
|
+
const combined = Buffer.from(cert, "base64");
|
|
33
|
+
if (combined.length < 5) return null;
|
|
34
|
+
|
|
35
|
+
const bodyLen = combined.readUInt32LE(0);
|
|
36
|
+
if (combined.length < 4 + bodyLen) return null;
|
|
37
|
+
|
|
38
|
+
const body = combined.subarray(4, 4 + bodyLen);
|
|
39
|
+
const signature = combined.subarray(4 + bodyLen);
|
|
40
|
+
|
|
41
|
+
const serverVid = VaultysId.fromId(serverPublicKey);
|
|
42
|
+
const valid = serverVid.verifyChallenge(
|
|
43
|
+
Buffer.from(body),
|
|
44
|
+
Buffer.from(signature),
|
|
45
|
+
false
|
|
46
|
+
);
|
|
47
|
+
if (!valid) return null;
|
|
48
|
+
|
|
49
|
+
const payload = msgpackDecode(body) as PeerGrantPayload;
|
|
50
|
+
if (payload.type !== "peer_grant") return null;
|
|
51
|
+
|
|
52
|
+
if (payload.expiresAt && payload.expiresAt < Date.now()) return null;
|
|
53
|
+
|
|
54
|
+
return payload;
|
|
55
|
+
} catch {
|
|
56
|
+
return null;
|
|
57
|
+
}
|
|
58
|
+
}
|