@vess-id/ai-identity 0.2.0 → 0.3.1

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACjE,OAAO,EACL,aAAa,EACb,cAAc,EACd,WAAW,EACX,iBAAiB,GAClB,MAAM,yBAAyB,CAAA;AAGhC,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,eAAe,GAChB,MAAM,qCAAqC,CAAA;AAC5C,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,0CAA0C,CAAA;AAGjD,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC5F,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,oBAAoB,GACrB,MAAM,iCAAiC,CAAA;AAGxC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,EACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EACL,aAAa,EACb,YAAY,GACb,MAAM,0BAA0B,CAAA;AACjC,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,cAAc,4BAA4B,CAAA;AAG1C,eAAO,MAAM,OAAO,UAAU,CAAA"}

package/dist/index.js

@@ -37,11 +37,16 @@ __export(index_exports, {
   AgentDIDManager: () => AgentDIDManager,
   AgentManager: () => AgentManager,
   AllowAllAbac: () => AllowAllAbac,
+  AuthProvider: () => AuthProvider,
   ConstraintEvaluator: () => ConstraintEvaluator,
+  DeviceEnrollManager: () => DeviceEnrollManager,
   DisclosureConfigManager: () => DisclosureConfigManager,
   DummyCreds: () => DummyCreds,
   DummyVpVerifier: () => DummyVpVerifier,
   FilesystemKeyStorage: () => FilesystemKeyStorage,
+  GatewayClient: () => GatewayClient,
+  GatewayError: () => GatewayError,
+  JsonStateStore: () => JsonStateStore,
   KeyManager: () => KeyManager,
   KeyRotationManager: () => KeyRotationManager,
   MemoryKeyStorage: () => MemoryKeyStorage,
@@ -99,26 +104,26 @@ function configure(config) {
 function getConfig() {
   return globalConfig;
 }
-function getDidApiUrl(path3) {
+function getDidApiUrl(path4) {
   const baseUrl = globalConfig.didApi?.baseUrl || process.env.DID_API_BASE_URL;
   if (!baseUrl) {
     throw new Error("DID API base URL not configured");
   }
-  return `${baseUrl}${path3}`;
+  return `${baseUrl}${path4}`;
 }
-function getIssuerApiUrl(path3) {
+function getIssuerApiUrl(path4) {
   const baseUrl = globalConfig.issuerApi?.baseUrl || process.env.ISSUER_API_BASE_URL;
   if (!baseUrl) {
     throw new Error("Issuer API base URL not configured");
   }
-  return `${baseUrl}${path3}`;
+  return `${baseUrl}${path4}`;
 }
-function getVerifierApiUrl(path3) {
+function getVerifierApiUrl(path4) {
   const baseUrl = globalConfig.verifierApi?.baseUrl || process.env.VERIFIER_API_BASE_URL;
   if (!baseUrl) {
     throw new Error("Verifier API base URL not configured");
   }
-  return `${baseUrl}${path3}`;
+  return `${baseUrl}${path4}`;
 }
 function getApiHeaders(apiType) {
   const headers = {
@@ -965,12 +970,12 @@ var AgentDIDManager = class {
    * List all agent DIDs
    */
   async listAgentDIDs() {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const mappingDir = path3.join(os2.homedir(), ".vess-aidentity", "agent-dids");
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const mappingDir = path4.join(os3.homedir(), ".vess-aidentity", "agent-dids");
     try {
-      const files = await fs3.readdir(mappingDir);
+      const files = await fs4.readdir(mappingDir);
       const results = [];
       for (const file of files) {
         if (file.endsWith(".did")) {
@@ -991,24 +996,24 @@ var AgentDIDManager = class {
    * Save agent ID -> DID mapping to persistent storage
    */
   async saveAgentDIDMapping(agentId, did) {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const mappingDir = path3.join(os2.homedir(), ".vess-aidentity", "agent-dids");
-    await fs3.mkdir(mappingDir, { recursive: true });
-    const mappingFile = path3.join(mappingDir, `${agentId}.did`);
-    await fs3.writeFile(mappingFile, did, "utf-8");
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const mappingDir = path4.join(os3.homedir(), ".vess-aidentity", "agent-dids");
+    await fs4.mkdir(mappingDir, { recursive: true });
+    const mappingFile = path4.join(mappingDir, `${agentId}.did`);
+    await fs4.writeFile(mappingFile, did, "utf-8");
   }
   /**
    * Load agent ID -> DID mapping from persistent storage
    */
   async loadAgentDIDMapping(agentId) {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const mappingFile = path3.join(os2.homedir(), ".vess", "agent-dids", `${agentId}.did`);
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const mappingFile = path4.join(os3.homedir(), ".vess", "agent-dids", `${agentId}.did`);
     try {
-      return await fs3.readFile(mappingFile, "utf-8");
+      return await fs4.readFile(mappingFile, "utf-8");
     } catch {
       return null;
     }
@@ -1017,12 +1022,12 @@ var AgentDIDManager = class {
    * Delete agent ID -> DID mapping from persistent storage
    */
   async deleteAgentDIDMapping(agentId) {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const mappingFile = path3.join(os2.homedir(), ".vess", "agent-dids", `${agentId}.did`);
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const mappingFile = path4.join(os3.homedir(), ".vess", "agent-dids", `${agentId}.did`);
     try {
-      await fs3.unlink(mappingFile);
+      await fs4.unlink(mappingFile);
     } catch {
     }
   }
@@ -1294,24 +1299,24 @@ var UserIdentityManager = class {
    * Save current user DID to persistent storage
    */
   async saveUserDID(did) {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const configDir = path3.join(os2.homedir(), ".vess-aidentity");
-    await fs3.mkdir(configDir, { recursive: true });
-    const userDIDFile = path3.join(configDir, "user-did.txt");
-    await fs3.writeFile(userDIDFile, did, "utf-8");
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const configDir = path4.join(os3.homedir(), ".vess-aidentity");
+    await fs4.mkdir(configDir, { recursive: true });
+    const userDIDFile = path4.join(configDir, "user-did.txt");
+    await fs4.writeFile(userDIDFile, did, "utf-8");
   }
   /**
    * Load current user DID from persistent storage
    */
   async loadUserDID() {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const userDIDFile = path3.join(os2.homedir(), ".vess-aidentity", "user-did.txt");
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const userDIDFile = path4.join(os3.homedir(), ".vess-aidentity", "user-did.txt");
     try {
-      return await fs3.readFile(userDIDFile, "utf-8");
+      return await fs4.readFile(userDIDFile, "utf-8");
     } catch {
       return null;
     }
@@ -1320,12 +1325,12 @@ var UserIdentityManager = class {
    * Clear saved user DID
    */
   async clearUserDID() {
-    const fs3 = await import("fs/promises");
-    const path3 = await import("path");
-    const os2 = await import("os");
-    const userDIDFile = path3.join(os2.homedir(), ".vess-aidentity", "user-did.txt");
+    const fs4 = await import("fs/promises");
+    const path4 = await import("path");
+    const os3 = await import("os");
+    const userDIDFile = path4.join(os3.homedir(), ".vess-aidentity", "user-did.txt");
     try {
-      await fs3.unlink(userDIDFile);
+      await fs4.unlink(userDIDFile);
     } catch {
     }
   }
@@ -2838,6 +2843,137 @@ var UserKeyPairManager = class {
   }
 };
 
+// src/identity/device-enroll-manager.ts
+var DeviceEnrollManager = class {
+  baseUrl;
+  constructor(baseUrl) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+  }
+  /**
+   * Start the device enrollment flow.
+   * Sends the root DID public key to the Gateway and gets a user code.
+   *
+   * @param params - Root DID public info and client metadata
+   * @returns Request ID, user code, and verification URL
+   */
+  async startDeviceEnrollment(params) {
+    const response = await fetch(`${this.baseUrl}/api/v1/device/start`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        rootDid: params.rootDid,
+        publicKeyJwk: params.publicKeyJwk,
+        clientInfo: params.clientInfo,
+        purpose: params.purpose || "root_did_enrollment"
+      })
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new Error(
+        `Failed to start device enrollment: ${response.status} - ${errorBody}`
+      );
+    }
+    const body = await response.json();
+    if (!body.success) {
+      throw new Error(`Failed to start device enrollment: ${JSON.stringify(body)}`);
+    }
+    return body.data;
+  }
+  /**
+   * Start the device enrollment flow with server-side DID generation.
+   * The server generates the real key pair on approval (not at start time).
+   * Use this for remote/cloud-managed mode.
+   *
+   * @param params - Client metadata (no DID or key needed)
+   * @returns Request ID, user code, and verification URL
+   */
+  async startServerSideEnrollment(params) {
+    const response = await fetch(`${this.baseUrl}/api/v1/device/start`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        generateServerSide: true,
+        clientInfo: params.clientInfo,
+        purpose: params.purpose || "root_did_enrollment"
+      })
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new Error(
+        `Failed to start device enrollment: ${response.status} - ${errorBody}`
+      );
+    }
+    const body = await response.json();
+    if (!body.success) {
+      throw new Error(`Failed to start device enrollment: ${JSON.stringify(body)}`);
+    }
+    return body.data;
+  }
+  /**
+   * Poll for enrollment status.
+   * Call this periodically after startDeviceEnrollment() to check if
+   * the user has approved the enrollment in the web UI.
+   *
+   * @param requestId - The request ID from startDeviceEnrollment()
+   * @returns Current status and token if approved
+   */
+  async pollDeviceEnrollment(requestId) {
+    const response = await fetch(`${this.baseUrl}/api/v1/device/poll`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ requestId })
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new Error(
+        `Failed to poll device enrollment: ${response.status} - ${errorBody}`
+      );
+    }
+    const body = await response.json();
+    if (!body.success) {
+      throw new Error(`Failed to poll device enrollment: ${JSON.stringify(body)}`);
+    }
+    return body.data;
+  }
+  /**
+   * Convenience method: Start enrollment and poll until completion.
+   * Returns the final result (approved, expired, or denied).
+   *
+   * @param params - Enrollment parameters (client-generated mode)
+   * @param onUserCode - Callback when user code is available (present to user)
+   * @param pollIntervalMs - Polling interval in ms (default: 3000)
+   * @param maxPolls - Maximum number of poll attempts (default: 120)
+   */
+  async enrollAndWait(params, onUserCode, pollIntervalMs = 3e3, maxPolls = 120) {
+    const startResult = await this.startDeviceEnrollment(params);
+    return this.pollUntilComplete(startResult, onUserCode, pollIntervalMs, maxPolls);
+  }
+  /**
+   * Convenience method: Start server-side enrollment and poll until completion.
+   * Returns the final result including the server-generated rootDid on approval.
+   *
+   * @param params - Client metadata (server-generated mode)
+   * @param onUserCode - Callback when user code is available (present to user)
+   * @param pollIntervalMs - Polling interval in ms (default: 3000)
+   * @param maxPolls - Maximum number of poll attempts (default: 120)
+   */
+  async enrollServerSideAndWait(params, onUserCode, pollIntervalMs = 3e3, maxPolls = 120) {
+    const startResult = await this.startServerSideEnrollment(params);
+    return this.pollUntilComplete(startResult, onUserCode, pollIntervalMs, maxPolls);
+  }
+  async pollUntilComplete(startResult, onUserCode, pollIntervalMs, maxPolls) {
+    onUserCode(startResult);
+    for (let i = 0; i < maxPolls; i++) {
+      await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+      const pollResult = await this.pollDeviceEnrollment(startResult.requestId);
+      if (pollResult.status !== "pending") {
+        return pollResult;
+      }
+    }
+    return { status: "expired" };
+  }
+};
+
 // src/vc/api-vc-manager.ts
 var import_ai_identity_types2 = require("@vess-id/ai-identity-types");
 
@@ -3895,6 +4031,303 @@ function evaluateConstraints(constraints, context, currentInvocations, expiresAt
   return defaultConstraintEvaluator.evaluate(constraints, context, currentInvocations, expiresAt);
 }
 
+// src/state/json-state-store.ts
+var fs2 = __toESM(require("fs/promises"));
+var path2 = __toESM(require("path"));
+var os2 = __toESM(require("os"));
+var JsonStateStore = class {
+  filePath;
+  data = null;
+  constructor(filePath) {
+    this.filePath = filePath || path2.join(os2.homedir(), ".vess", "state.json");
+  }
+  async get(key) {
+    const data = await this.load();
+    return getNestedValue(data, key);
+  }
+  async set(key, value) {
+    const data = await this.load();
+    setNestedValue(data, key, value);
+    await this.save(data);
+  }
+  async delete(key) {
+    const data = await this.load();
+    const existed = getNestedValue(data, key) !== void 0;
+    if (existed) {
+      deleteNestedValue(data, key);
+      await this.save(data);
+    }
+    return existed;
+  }
+  async has(key) {
+    const data = await this.load();
+    return getNestedValue(data, key) !== void 0;
+  }
+  async getAll() {
+    return { ...await this.load() };
+  }
+  async clear() {
+    this.data = {};
+    await this.save(this.data);
+  }
+  /**
+   * Get the file path used by this store (useful for diagnostics)
+   */
+  getFilePath() {
+    return this.filePath;
+  }
+  async load() {
+    if (this.data !== null) {
+      return this.data;
+    }
+    try {
+      const raw = await fs2.readFile(this.filePath, "utf-8");
+      this.data = JSON.parse(raw);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        this.data = {};
+      } else if (err instanceof SyntaxError) {
+        this.data = {};
+      } else {
+        throw err;
+      }
+    }
+    return this.data;
+  }
+  async save(data) {
+    this.data = data;
+    const dir = path2.dirname(this.filePath);
+    await fs2.mkdir(dir, { recursive: true, mode: 448 });
+    const tmpPath = this.filePath + ".tmp";
+    await fs2.writeFile(tmpPath, JSON.stringify(data, null, 2), { encoding: "utf-8", mode: 384 });
+    await fs2.rename(tmpPath, this.filePath);
+  }
+};
+function getNestedValue(obj, key) {
+  const parts = key.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (current === null || current === void 0 || typeof current !== "object") {
+      return void 0;
+    }
+    current = current[part];
+  }
+  return current;
+}
+function setNestedValue(obj, key, value) {
+  const parts = key.split(".");
+  let current = obj;
+  for (let i = 0; i < parts.length - 1; i++) {
+    const part = parts[i];
+    if (current[part] === void 0 || current[part] === null || typeof current[part] !== "object") {
+      current[part] = {};
+    }
+    current = current[part];
+  }
+  current[parts[parts.length - 1]] = value;
+}
+function deleteNestedValue(obj, key) {
+  const parts = key.split(".");
+  let current = obj;
+  for (let i = 0; i < parts.length - 1; i++) {
+    const part = parts[i];
+    if (current[part] === void 0 || typeof current[part] !== "object") {
+      return;
+    }
+    current = current[part];
+  }
+  delete current[parts[parts.length - 1]];
+}
+
+// src/gateway/gateway-client.ts
+var GatewayClient = class {
+  baseUrl;
+  stateStore;
+  apiKey;
+  sessionToken;
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/+$/, "").replace(/\/v1$/, "");
+    this.stateStore = options.stateStore;
+    this.apiKey = options.apiKey;
+    this.sessionToken = options.sessionToken;
+  }
+  /**
+   * Set session token for authenticated requests
+   */
+  setSessionToken(token) {
+    this.sessionToken = token;
+  }
+  /**
+   * Fetch events from the Gateway.
+   * If cursor is not provided, attempts to load it from StateStore.
+   *
+   * NOTE: The /events long-poll endpoint may not be implemented on the API server yet.
+   * This client is designed to work once the endpoint is available.
+   */
+  async getEvents(options = {}) {
+    let cursor = options.cursor;
+    if (!cursor && this.stateStore) {
+      cursor = await this.stateStore.get("events.cursor");
+    }
+    const params = new URLSearchParams();
+    if (cursor) params.set("cursor", cursor);
+    if (options.limit) params.set("limit", String(options.limit));
+    if (options.waitSeconds !== void 0) params.set("wait", String(options.waitSeconds));
+    const url = `${this.baseUrl}/api/v1/events?${params.toString()}`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: this.buildHeaders()
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      throw new GatewayError(
+        `getEvents failed: ${response.status} ${response.statusText}`,
+        response.status,
+        body
+      );
+    }
+    const result = await response.json();
+    if (result.cursor && this.stateStore) {
+      await this.stateStore.set("events.cursor", result.cursor);
+    }
+    return result;
+  }
+  /**
+   * Acknowledge an event (mark as processed).
+   *
+   * NOTE: The /events/:id/ack endpoint may not be implemented on the API server yet.
+   */
+  async ackEvent(eventId) {
+    const url = `${this.baseUrl}/api/v1/events/${encodeURIComponent(eventId)}/ack`;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: this.buildHeaders()
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      throw new GatewayError(
+        `ackEvent failed: ${response.status} ${response.statusText}`,
+        response.status,
+        body
+      );
+    }
+    return await response.json();
+  }
+  /**
+   * Validate an API key against the Gateway.
+   *
+   * @param apiKey       API key to validate
+   * @param projectId    Optional project scope
+   * @param requiredScopes Scopes the caller needs — callers should pass the
+   *                       scopes relevant to their context (e.g. MCP passes
+   *                       ['mcp:tools:*', 'mcp:memory:*']).
+   */
+  async validateApiKey(apiKey, projectId, requiredScopes) {
+    const url = `${this.baseUrl}/api/mcp/api-keys/validate`;
+    const body = { projectId };
+    if (requiredScopes && requiredScopes.length > 0) {
+      body.requiredScopes = requiredScopes;
+    }
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-API-Key": apiKey
+      },
+      body: JSON.stringify(body)
+    });
+    if (!response.ok) {
+      return { valid: false };
+    }
+    return await response.json();
+  }
+  buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.apiKey) {
+      headers["X-API-Key"] = this.apiKey;
+    }
+    if (this.sessionToken) {
+      headers["Authorization"] = `Bearer ${this.sessionToken}`;
+    }
+    return headers;
+  }
+};
+var GatewayError = class extends Error {
+  constructor(message, statusCode, responseBody) {
+    super(message);
+    this.statusCode = statusCode;
+    this.responseBody = responseBody;
+    this.name = "GatewayError";
+  }
+};
+
+// src/auth/auth-provider.ts
+var AuthProvider = class {
+  stateStore;
+  gatewayClient;
+  constructor(stateStore, gatewayClient) {
+    this.stateStore = stateStore;
+    this.gatewayClient = gatewayClient;
+  }
+  /**
+   * Authenticate with an API key. Validates against the Gateway and
+   * persists the result in the StateStore.
+   *
+   * @returns The validation result
+   */
+  async login(apiKey, apiUrl, projectId) {
+    const result = await this.gatewayClient.validateApiKey(apiKey, projectId);
+    if (result.valid) {
+      const authState = {
+        apiKey,
+        apiUrl,
+        userId: result.userId,
+        projectId: result.projectId || projectId,
+        scopes: result.scopes,
+        authenticatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      await this.stateStore.set("auth", authState);
+    }
+    return result;
+  }
+  /**
+   * Get the current auth state from the StateStore.
+   * Returns undefined if not authenticated.
+   */
+  async getAuthState() {
+    return this.stateStore.get("auth");
+  }
+  /**
+   * Check if we have stored auth credentials
+   */
+  async isAuthenticated() {
+    const auth = await this.getAuthState();
+    return auth !== void 0 && auth.apiKey !== void 0;
+  }
+  /**
+   * Clear auth state (logout)
+   */
+  async logout() {
+    await this.stateStore.delete("auth");
+  }
+  /**
+   * Get the stored API key, or undefined if not authenticated
+   */
+  async getApiKey() {
+    const auth = await this.getAuthState();
+    return auth?.apiKey;
+  }
+  /**
+   * Get the stored API URL, or undefined if not authenticated
+   */
+  async getApiUrl() {
+    const auth = await this.getAuthState();
+    return auth?.apiUrl;
+  }
+};
+
 // src/registry/action-registry.ts
 var import_ajv = __toESM(require("ajv"));
 var import_ajv_formats = __toESM(require("ajv-formats"));
@@ -4765,11 +5198,16 @@ var version = "0.0.1";
   AgentDIDManager,
   AgentManager,
   AllowAllAbac,
+  AuthProvider,
   ConstraintEvaluator,
+  DeviceEnrollManager,
   DisclosureConfigManager,
   DummyCreds,
   DummyVpVerifier,
   FilesystemKeyStorage,
+  GatewayClient,
+  GatewayError,
+  JsonStateStore,
   KeyManager,
   KeyRotationManager,
   MemoryKeyStorage,