@vess-id/ai-identity 0.2.0 → 0.3.0

package/dist/index.d.mts

@@ -3009,6 +3009,70 @@ declare function isValidDidJwk(did: string): boolean;
  */
 declare function getKeyIdFromDid(did: string): string;
 
+interface DeviceEnrollStartParams {
+  rootDid: string;
+  publicKeyJwk: {
+    kty: string;
+    crv: string;
+    x: string;
+    y?: string;
+    use?: string;
+    alg?: string;
+  };
+  clientInfo?: {
+    deviceName?: string;
+    os?: string;
+    appVersion?: string;
+    hostname?: string;
+    [key: string]: any;
+  };
+  purpose?: string;
+}
+
+interface DeviceEnrollServerSideParams {
+  clientInfo?: {
+    deviceName?: string;
+    os?: string;
+    appVersion?: string;
+    hostname?: string;
+    [key: string]: any;
+  };
+  purpose?: string;
+}
+
+interface DeviceEnrollStartResult {
+  requestId: string;
+  userCode: string;
+  verificationUrl: string;
+  expiresAt: string;
+}
+
+interface DeviceEnrollPollResult {
+  status: 'pending' | 'approved' | 'expired' | 'denied';
+  deviceSessionToken?: string;
+  expiresAt?: string;
+  rootDid?: string;
+}
+
+declare class DeviceEnrollManager {
+  constructor(baseUrl: string);
+  startDeviceEnrollment(params: DeviceEnrollStartParams): Promise<DeviceEnrollStartResult>;
+  startServerSideEnrollment(params: DeviceEnrollServerSideParams): Promise<DeviceEnrollStartResult>;
+  pollDeviceEnrollment(requestId: string): Promise<DeviceEnrollPollResult>;
+  enrollAndWait(
+    params: DeviceEnrollStartParams,
+    onUserCode: (info: DeviceEnrollStartResult) => void,
+    pollIntervalMs?: number,
+    maxPolls?: number
+  ): Promise<DeviceEnrollPollResult>;
+  enrollServerSideAndWait(
+    params: DeviceEnrollServerSideParams,
+    onUserCode: (info: DeviceEnrollStartResult) => void,
+    pollIntervalMs?: number,
+    maxPolls?: number
+  ): Promise<DeviceEnrollPollResult>;
+}
+
 declare const version = "0.0.1";
 
-export { type ABACPolicyEngine, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, APIVCManager, type AbacDecision, type AbacInput, type ActionMeta, type ActionRegistry, AgentDIDManager, AgentManager, AllowAllAbac, type CapabilityMeta, type CheckPermissionInput, type CheckPermissionResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type CredentialDisclosureConfig, type CredentialRef, type CredentialStatusInfo, type CredentialStore, type DecisionTrace, DisclosureConfigManager, DummyCreds, DummyVpVerifier, FilesystemKeyStorage, type JsonSchema, KeyManager, type KeyPairGenerationResult, type KeyRotationConfig, type KeyRotationInfo, KeyRotationManager, type KeyStorageConfig, type KeyStorageProvider, type MemoryDocument, MemoryKeyStorage, MemoryManager, type MemoryQuery, type MemoryQueryResult, MetricsManager, type OperationMetric, type OrganizationDisclosureConfig, type PlanDelegationInput, type PlanDelegationResult, type Provider, type ReBACChecker, type Relation, type ResourceRef, type ResourceScope, type ResourceType, type RevocationList, type RevocationListEntry, RevocationManager, type SDJWTMetrics, SDJwtClient, SimpleRebac, type ToolDefinition, ToolManager, UserIdentityManager, UserKeyPairManager, VCManager, VPManager, type VerifiedVcClaims, type VpVerifier, checkPermissionWithVP, configure, createAjv, createDidJwk, defaultConstraintEvaluator, evaluateConstraints, extractPublicKey, extractPublicKeyFromDid, generateKeyPair, generateNonce, getClient, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, indexActions, indexCapabilities, isValidDidJwk, loadActionRegistryFromFile, loadActionRegistryFromObject, planDelegationForVC, resolveActionsFromSelection, signJWT, validateRegistryObject, verifyJWT, version };
+export { type ABACPolicyEngine, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, APIVCManager, type AbacDecision, type AbacInput, type ActionMeta, type ActionRegistry, AgentDIDManager, AgentManager, AllowAllAbac, type CapabilityMeta, type CheckPermissionInput, type CheckPermissionResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type CredentialDisclosureConfig, type CredentialRef, type CredentialStatusInfo, type CredentialStore, type DecisionTrace, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, DisclosureConfigManager, DummyCreds, DummyVpVerifier, FilesystemKeyStorage, type JsonSchema, KeyManager, type KeyPairGenerationResult, type KeyRotationConfig, type KeyRotationInfo, KeyRotationManager, type KeyStorageConfig, type KeyStorageProvider, type MemoryDocument, MemoryKeyStorage, MemoryManager, type MemoryQuery, type MemoryQueryResult, MetricsManager, type OperationMetric, type OrganizationDisclosureConfig, type PlanDelegationInput, type PlanDelegationResult, type Provider, type ReBACChecker, type Relation, type ResourceRef, type ResourceScope, type ResourceType, type RevocationList, type RevocationListEntry, RevocationManager, type SDJWTMetrics, SDJwtClient, SimpleRebac, type ToolDefinition, ToolManager, UserIdentityManager, UserKeyPairManager, VCManager, VPManager, type VerifiedVcClaims, type VpVerifier, checkPermissionWithVP, configure, createAjv, createDidJwk, defaultConstraintEvaluator, evaluateConstraints, extractPublicKey, extractPublicKeyFromDid, generateKeyPair, generateNonce, getClient, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, indexActions, indexCapabilities, isValidDidJwk, loadActionRegistryFromFile, loadActionRegistryFromObject, planDelegationForVC, resolveActionsFromSelection, signJWT, validateRegistryObject, verifyJWT, version };

package/dist/index.d.ts

@@ -3009,6 +3009,70 @@ declare function isValidDidJwk(did: string): boolean;
  */
 declare function getKeyIdFromDid(did: string): string;
 
+interface DeviceEnrollStartParams {
+  rootDid: string;
+  publicKeyJwk: {
+    kty: string;
+    crv: string;
+    x: string;
+    y?: string;
+    use?: string;
+    alg?: string;
+  };
+  clientInfo?: {
+    deviceName?: string;
+    os?: string;
+    appVersion?: string;
+    hostname?: string;
+    [key: string]: any;
+  };
+  purpose?: string;
+}
+
+interface DeviceEnrollServerSideParams {
+  clientInfo?: {
+    deviceName?: string;
+    os?: string;
+    appVersion?: string;
+    hostname?: string;
+    [key: string]: any;
+  };
+  purpose?: string;
+}
+
+interface DeviceEnrollStartResult {
+  requestId: string;
+  userCode: string;
+  verificationUrl: string;
+  expiresAt: string;
+}
+
+interface DeviceEnrollPollResult {
+  status: 'pending' | 'approved' | 'expired' | 'denied';
+  deviceSessionToken?: string;
+  expiresAt?: string;
+  rootDid?: string;
+}
+
+declare class DeviceEnrollManager {
+  constructor(baseUrl: string);
+  startDeviceEnrollment(params: DeviceEnrollStartParams): Promise<DeviceEnrollStartResult>;
+  startServerSideEnrollment(params: DeviceEnrollServerSideParams): Promise<DeviceEnrollStartResult>;
+  pollDeviceEnrollment(requestId: string): Promise<DeviceEnrollPollResult>;
+  enrollAndWait(
+    params: DeviceEnrollStartParams,
+    onUserCode: (info: DeviceEnrollStartResult) => void,
+    pollIntervalMs?: number,
+    maxPolls?: number
+  ): Promise<DeviceEnrollPollResult>;
+  enrollServerSideAndWait(
+    params: DeviceEnrollServerSideParams,
+    onUserCode: (info: DeviceEnrollStartResult) => void,
+    pollIntervalMs?: number,
+    maxPolls?: number
+  ): Promise<DeviceEnrollPollResult>;
+}
+
 declare const version = "0.0.1";
 
-export { type ABACPolicyEngine, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, APIVCManager, type AbacDecision, type AbacInput, type ActionMeta, type ActionRegistry, AgentDIDManager, AgentManager, AllowAllAbac, type CapabilityMeta, type CheckPermissionInput, type CheckPermissionResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type CredentialDisclosureConfig, type CredentialRef, type CredentialStatusInfo, type CredentialStore, type DecisionTrace, DisclosureConfigManager, DummyCreds, DummyVpVerifier, FilesystemKeyStorage, type JsonSchema, KeyManager, type KeyPairGenerationResult, type KeyRotationConfig, type KeyRotationInfo, KeyRotationManager, type KeyStorageConfig, type KeyStorageProvider, type MemoryDocument, MemoryKeyStorage, MemoryManager, type MemoryQuery, type MemoryQueryResult, MetricsManager, type OperationMetric, type OrganizationDisclosureConfig, type PlanDelegationInput, type PlanDelegationResult, type Provider, type ReBACChecker, type Relation, type ResourceRef, type ResourceScope, type ResourceType, type RevocationList, type RevocationListEntry, RevocationManager, type SDJWTMetrics, SDJwtClient, SimpleRebac, type ToolDefinition, ToolManager, UserIdentityManager, UserKeyPairManager, VCManager, VPManager, type VerifiedVcClaims, type VpVerifier, checkPermissionWithVP, configure, createAjv, createDidJwk, defaultConstraintEvaluator, evaluateConstraints, extractPublicKey, extractPublicKeyFromDid, generateKeyPair, generateNonce, getClient, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, indexActions, indexCapabilities, isValidDidJwk, loadActionRegistryFromFile, loadActionRegistryFromObject, planDelegationForVC, resolveActionsFromSelection, signJWT, validateRegistryObject, verifyJWT, version };
+export { type ABACPolicyEngine, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, APIVCManager, type AbacDecision, type AbacInput, type ActionMeta, type ActionRegistry, AgentDIDManager, AgentManager, AllowAllAbac, type CapabilityMeta, type CheckPermissionInput, type CheckPermissionResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type CredentialDisclosureConfig, type CredentialRef, type CredentialStatusInfo, type CredentialStore, type DecisionTrace, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, DisclosureConfigManager, DummyCreds, DummyVpVerifier, FilesystemKeyStorage, type JsonSchema, KeyManager, type KeyPairGenerationResult, type KeyRotationConfig, type KeyRotationInfo, KeyRotationManager, type KeyStorageConfig, type KeyStorageProvider, type MemoryDocument, MemoryKeyStorage, MemoryManager, type MemoryQuery, type MemoryQueryResult, MetricsManager, type OperationMetric, type OrganizationDisclosureConfig, type PlanDelegationInput, type PlanDelegationResult, type Provider, type ReBACChecker, type Relation, type ResourceRef, type ResourceScope, type ResourceType, type RevocationList, type RevocationListEntry, RevocationManager, type SDJWTMetrics, SDJwtClient, SimpleRebac, type ToolDefinition, ToolManager, UserIdentityManager, UserKeyPairManager, VCManager, VPManager, type VerifiedVcClaims, type VpVerifier, checkPermissionWithVP, configure, createAjv, createDidJwk, defaultConstraintEvaluator, evaluateConstraints, extractPublicKey, extractPublicKeyFromDid, generateKeyPair, generateNonce, getClient, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, indexActions, indexCapabilities, isValidDidJwk, loadActionRegistryFromFile, loadActionRegistryFromObject, planDelegationForVC, resolveActionsFromSelection, signJWT, validateRegistryObject, verifyJWT, version };

package/dist/index.js

@@ -38,6 +38,7 @@ __export(index_exports, {
   AgentManager: () => AgentManager,
   AllowAllAbac: () => AllowAllAbac,
   ConstraintEvaluator: () => ConstraintEvaluator,
+  DeviceEnrollManager: () => DeviceEnrollManager,
   DisclosureConfigManager: () => DisclosureConfigManager,
   DummyCreds: () => DummyCreds,
   DummyVpVerifier: () => DummyVpVerifier,
@@ -2838,6 +2839,137 @@ var UserKeyPairManager = class {
   }
 };
 
+// src/identity/device-enroll-manager.ts
+var DeviceEnrollManager = class {
+  baseUrl;
+  constructor(baseUrl) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+  }
+  /**
+   * Start the device enrollment flow.
+   * Sends the root DID public key to the Gateway and gets a user code.
+   *
+   * @param params - Root DID public info and client metadata
+   * @returns Request ID, user code, and verification URL
+   */
+  async startDeviceEnrollment(params) {
+    const response = await fetch(`${this.baseUrl}/api/v1/device/start`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        rootDid: params.rootDid,
+        publicKeyJwk: params.publicKeyJwk,
+        clientInfo: params.clientInfo,
+        purpose: params.purpose || "root_did_enrollment"
+      })
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new Error(
+        `Failed to start device enrollment: ${response.status} - ${errorBody}`
+      );
+    }
+    const body = await response.json();
+    if (!body.success) {
+      throw new Error(`Failed to start device enrollment: ${JSON.stringify(body)}`);
+    }
+    return body.data;
+  }
+  /**
+   * Start the device enrollment flow with server-side DID generation.
+   * The server generates the real key pair on approval (not at start time).
+   * Use this for remote/cloud-managed mode.
+   *
+   * @param params - Client metadata (no DID or key needed)
+   * @returns Request ID, user code, and verification URL
+   */
+  async startServerSideEnrollment(params) {
+    const response = await fetch(`${this.baseUrl}/api/v1/device/start`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        generateServerSide: true,
+        clientInfo: params.clientInfo,
+        purpose: params.purpose || "root_did_enrollment"
+      })
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new Error(
+        `Failed to start device enrollment: ${response.status} - ${errorBody}`
+      );
+    }
+    const body = await response.json();
+    if (!body.success) {
+      throw new Error(`Failed to start device enrollment: ${JSON.stringify(body)}`);
+    }
+    return body.data;
+  }
+  /**
+   * Poll for enrollment status.
+   * Call this periodically after startDeviceEnrollment() to check if
+   * the user has approved the enrollment in the web UI.
+   *
+   * @param requestId - The request ID from startDeviceEnrollment()
+   * @returns Current status and token if approved
+   */
+  async pollDeviceEnrollment(requestId) {
+    const response = await fetch(`${this.baseUrl}/api/v1/device/poll`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ requestId })
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new Error(
+        `Failed to poll device enrollment: ${response.status} - ${errorBody}`
+      );
+    }
+    const body = await response.json();
+    if (!body.success) {
+      throw new Error(`Failed to poll device enrollment: ${JSON.stringify(body)}`);
+    }
+    return body.data;
+  }
+  /**
+   * Convenience method: Start enrollment and poll until completion.
+   * Returns the final result (approved, expired, or denied).
+   *
+   * @param params - Enrollment parameters (client-generated mode)
+   * @param onUserCode - Callback when user code is available (present to user)
+   * @param pollIntervalMs - Polling interval in ms (default: 3000)
+   * @param maxPolls - Maximum number of poll attempts (default: 120)
+   */
+  async enrollAndWait(params, onUserCode, pollIntervalMs = 3e3, maxPolls = 120) {
+    const startResult = await this.startDeviceEnrollment(params);
+    return this.pollUntilComplete(startResult, onUserCode, pollIntervalMs, maxPolls);
+  }
+  /**
+   * Convenience method: Start server-side enrollment and poll until completion.
+   * Returns the final result including the server-generated rootDid on approval.
+   *
+   * @param params - Client metadata (server-generated mode)
+   * @param onUserCode - Callback when user code is available (present to user)
+   * @param pollIntervalMs - Polling interval in ms (default: 3000)
+   * @param maxPolls - Maximum number of poll attempts (default: 120)
+   */
+  async enrollServerSideAndWait(params, onUserCode, pollIntervalMs = 3e3, maxPolls = 120) {
+    const startResult = await this.startServerSideEnrollment(params);
+    return this.pollUntilComplete(startResult, onUserCode, pollIntervalMs, maxPolls);
+  }
+  async pollUntilComplete(startResult, onUserCode, pollIntervalMs, maxPolls) {
+    onUserCode(startResult);
+    for (let i = 0; i < maxPolls; i++) {
+      await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+      const pollResult = await this.pollDeviceEnrollment(startResult.requestId);
+      if (pollResult.status !== "pending") {
+        return pollResult;
+      }
+    }
+    return { status: "expired" };
+  }
+};
+
 // src/vc/api-vc-manager.ts
 var import_ai_identity_types2 = require("@vess-id/ai-identity-types");
 
@@ -4766,6 +4898,7 @@ var version = "0.0.1";
   AgentManager,
   AllowAllAbac,
   ConstraintEvaluator,
+  DeviceEnrollManager,
   DisclosureConfigManager,
   DummyCreds,
   DummyVpVerifier,