@viewportai/daemon 0.1.0 → 0.2.1

package/node_modules/@viewportai/context-engine/src/cli.js

@@ -0,0 +1,177 @@
+#!/usr/bin/env node
+const path = require('node:path');
+const { ContextVault } = require('./index');
+
+function parseArgs(argv) {
+  const args = { _: [] };
+  for (let i = 0; i < argv.length; i += 1) {
+    const value = argv[i];
+    if (!value.startsWith('--')) {
+      args._.push(value);
+      continue;
+    }
+
+    const key = value.slice(2);
+    const next = argv[i + 1];
+    if (!next || next.startsWith('--')) {
+      args[key] = true;
+      continue;
+    }
+
+    args[key] = next;
+    i += 1;
+  }
+  return args;
+}
+
+function print(value) {
+  process.stdout.write(`${JSON.stringify(value, null, 2)}\n`);
+}
+
+function requireArg(args, name) {
+  if (!args[name]) {
+    throw new Error(`Missing --${name}`);
+  }
+  return args[name];
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const [resource, action] = args._;
+  const home = path.resolve(args.home || process.env.VAULT_HOME || '.vault-home');
+  const vault = new ContextVault(home);
+
+  if (resource === 'identity' && action === 'create') {
+    print(vault.createIdentity(requireArg(args, 'name')));
+    return;
+  }
+
+  if (resource === 'identity' && action === 'export-public') {
+    print(vault.exportPublicIdentity(requireArg(args, 'name')));
+    return;
+  }
+
+  if (resource === 'identity' && action === 'import-public') {
+    vault.importPublicIdentity(JSON.parse(requireArg(args, 'json')));
+    print({ ok: true });
+    return;
+  }
+
+  if (resource === 'repo' && action === 'create') {
+    print(vault.createRepo(requireArg(args, 'repo'), requireArg(args, 'owner')));
+    return;
+  }
+
+  if (resource === 'repo' && action === 'grant') {
+    print(vault.grantRepo({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      recipientName: requireArg(args, 'to'),
+    }));
+    return;
+  }
+
+  if (resource === 'repo' && action === 'revoke') {
+    print(vault.revokeRepo({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      recipientName: requireArg(args, 'from'),
+    }));
+    return;
+  }
+
+  if (resource === 'entry' && action === 'add') {
+    print(vault.addEntry({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      scope: args.scope || 'resource',
+      title: requireArg(args, 'title'),
+      body: requireArg(args, 'body'),
+      source: args.source,
+      sourceKind: args['source-kind'],
+      trustState: args.trust || 'approved',
+    }));
+    return;
+  }
+
+  if (resource === 'entry' && action === 'propose') {
+    print(vault.proposeEntry({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      title: requireArg(args, 'title'),
+      body: requireArg(args, 'body'),
+      source: args.source,
+      sourceKind: args['source-kind'],
+    }));
+    return;
+  }
+
+  if (resource === 'entry' && action === 'approve-candidate') {
+    print(vault.approveCandidate({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      candidateId: requireArg(args, 'candidate'),
+      title: requireArg(args, 'title'),
+      body: requireArg(args, 'body'),
+      source: args.source,
+    }));
+    return;
+  }
+
+  if (resource === 'entry' && action === 'supersede') {
+    print(vault.supersedeEntry({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      entryId: requireArg(args, 'entry'),
+      title: requireArg(args, 'title'),
+      body: requireArg(args, 'body'),
+    }));
+    return;
+  }
+
+  if (resource === 'sync' && action === 'export') {
+    print(vault.exportSync({
+      repoId: requireArg(args, 'repo'),
+      outDir: path.resolve(requireArg(args, 'out')),
+    }));
+    return;
+  }
+
+  if (resource === 'sync' && action === 'import') {
+    print(vault.importSync({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      inDir: path.resolve(requireArg(args, 'in')),
+    }));
+    return;
+  }
+
+  if (resource === 'search') {
+    print(vault.search({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      query: requireArg(args, 'query'),
+    }));
+    return;
+  }
+
+  if (resource === 'bundle' && action === 'resolve') {
+    print(vault.resolveBundle({
+      repoId: requireArg(args, 'repo'),
+      actorName: requireArg(args, 'actor'),
+      packs: String(args.packs || '').split(',').filter(Boolean),
+      target: args.target ? { ref: args.target } : {},
+      includePrivate: Boolean(args['include-private']),
+    }));
+    return;
+  }
+
+  throw new Error(`Unknown command: ${args._.join(' ')}`);
+}
+
+try {
+  main();
+} catch (error) {
+  process.stderr.write(`${error.message}\n`);
+  process.exit(1);
+}

package/node_modules/@viewportai/context-engine/src/crypto/canonical.js

@@ -0,0 +1,21 @@
+function canonicalize(value) {
+  if (value === undefined) {
+    return undefined;
+  }
+
+  if (value === null || typeof value !== 'object') {
+    return JSON.stringify(value);
+  }
+
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => canonicalize(item) ?? 'null').join(',')}]`;
+  }
+
+  return `{${Object.keys(value)
+    .filter((key) => value[key] !== undefined)
+    .sort()
+    .map((key) => `${JSON.stringify(key)}:${canonicalize(value[key])}`)
+    .join(',')}}`;
+}
+
+module.exports = { canonicalize };

package/node_modules/@viewportai/context-engine/src/crypto/envelope.js

@@ -0,0 +1,37 @@
+const crypto = require('node:crypto');
+
+function encryptJson(payload, key) {
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const plaintext = Buffer.from(JSON.stringify(payload), 'utf8');
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+
+  return {
+    alg: 'aes-256-gcm',
+    iv: iv.toString('base64'),
+    ciphertext: ciphertext.toString('base64'),
+    tag: cipher.getAuthTag().toString('base64'),
+  };
+}
+
+function decryptJson(encrypted, key) {
+  const decipher = crypto.createDecipheriv(
+    'aes-256-gcm',
+    key,
+    Buffer.from(encrypted.iv, 'base64'),
+  );
+
+  decipher.setAuthTag(Buffer.from(encrypted.tag, 'base64'));
+  const plaintext = Buffer.concat([
+    decipher.update(Buffer.from(encrypted.ciphertext, 'base64')),
+    decipher.final(),
+  ]);
+
+  return JSON.parse(plaintext.toString('utf8'));
+}
+
+function digest(value) {
+  return `sha256:${crypto.createHash('sha256').update(value).digest('hex')}`;
+}
+
+module.exports = { decryptJson, digest, encryptJson };

package/node_modules/@viewportai/context-engine/src/crypto/hpke-grants.js

@@ -0,0 +1,298 @@
+const crypto = require('node:crypto');
+
+const HPKE_KEY_GRANT_VERSION = 'viewport.context_key_grant/hpke-draft-01';
+const HPKE_SUITE = Object.freeze({
+  kem: 'DHKEM_X25519_HKDF_SHA256',
+  kdf: 'HKDF_SHA256',
+  aead: 'AES_256_GCM',
+});
+
+let cachedSuite;
+
+function toBase64(value) {
+  return Buffer.from(value).toString('base64');
+}
+
+function fromBase64(value) {
+  return Buffer.from(value, 'base64');
+}
+
+function stableJson(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => stableJson(item)).join(',')}]`;
+  }
+
+  if (value && typeof value === 'object') {
+    return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${stableJson(value[key])}`).join(',')}}`;
+  }
+
+  return JSON.stringify(value);
+}
+
+async function loadSuite() {
+  if (cachedSuite) {
+    return cachedSuite;
+  }
+
+  const { Aes256Gcm, CipherSuite, HkdfSha256 } = await import('@hpke/core');
+  const { DhkemX25519HkdfSha256 } = await import('@hpke/dhkem-x25519');
+
+  cachedSuite = new CipherSuite({
+    kem: new DhkemX25519HkdfSha256(),
+    kdf: new HkdfSha256(),
+    aead: new Aes256Gcm(),
+  });
+
+  return cachedSuite;
+}
+
+function grantInfo({ recipientName, repoId = 'unknown-repo', keyEpoch = 1 }) {
+  return Buffer.from(stableJson({
+    purpose: 'viewport-context-repo-key-grant',
+    version: HPKE_KEY_GRANT_VERSION,
+    recipientName,
+    repoId,
+    keyEpoch,
+    suite: HPKE_SUITE,
+  }), 'utf8');
+}
+
+function grantAad({ recipientName, repoId = 'unknown-repo', keyEpoch = 1 }) {
+  return Buffer.from(stableJson({
+    version: HPKE_KEY_GRANT_VERSION,
+    recipientName,
+    repoId,
+    keyEpoch,
+  }), 'utf8');
+}
+
+function genericAad({ purpose, recipientName, context = {} }) {
+  return Buffer.from(stableJson({
+    purpose,
+    recipientName,
+    context,
+  }), 'utf8');
+}
+
+function assertSupportedSuite(grant) {
+  if (stableJson(grant.suite) !== stableJson(HPKE_SUITE)) {
+    throw new Error(`Unsupported HPKE suite: ${stableJson(grant.suite)}`);
+  }
+}
+
+async function createHpkeIdentity(name) {
+  const suite = await loadSuite();
+  const keyPair = await suite.kem.generateKeyPair();
+
+  return {
+    name,
+    hpkePublicKey: toBase64(await suite.kem.serializePublicKey(keyPair.publicKey)),
+    hpkePrivateKey: toBase64(await suite.kem.serializePrivateKey(keyPair.privateKey)),
+  };
+}
+
+async function wrapRepoKeyWithHpke(repoKey, recipient, options = {}) {
+  if (!Buffer.isBuffer(repoKey) || repoKey.byteLength !== 32) {
+    throw new Error('HPKE repo key grants require a 32-byte repo key');
+  }
+
+  if (!recipient.hpkePublicKey) {
+    throw new Error(`Missing HPKE public key for ${recipient.name}`);
+  }
+
+  const suite = await loadSuite();
+  const recipientPublicKey = await suite.kem.deserializePublicKey(fromBase64(recipient.hpkePublicKey));
+  const recipientName = recipient.name;
+  const repoId = options.repoId ?? 'unknown-repo';
+  const keyEpoch = options.keyEpoch ?? 1;
+  const info = grantInfo({ recipientName, repoId, keyEpoch });
+  const aad = grantAad({ recipientName, repoId, keyEpoch });
+  const sender = await suite.createSenderContext({ recipientPublicKey, info });
+  const ciphertext = await sender.seal(Buffer.from(repoKey), aad);
+
+  return {
+    version: HPKE_KEY_GRANT_VERSION,
+    recipientName,
+    repoId,
+    keyEpoch,
+    suite: HPKE_SUITE,
+    enc: toBase64(sender.enc),
+    ciphertext: toBase64(ciphertext),
+    aadDigest: `sha256:${crypto.createHash('sha256').update(aad).digest('hex')}`,
+  };
+}
+
+async function sealBytesWithHpke(plaintext, recipient, options = {}) {
+  if (!Buffer.isBuffer(plaintext)) {
+    throw new Error('HPKE byte sealing requires a Buffer plaintext');
+  }
+
+  if (!recipient.hpkePublicKey) {
+    throw new Error(`Missing HPKE public key for ${recipient.name}`);
+  }
+
+  const suite = await loadSuite();
+  const recipientPublicKey = await suite.kem.deserializePublicKey(fromBase64(recipient.hpkePublicKey));
+  const recipientName = recipient.name;
+  const purpose = options.purpose ?? 'viewport-context-sealed-bytes';
+  const context = options.context ?? {};
+  const info = Buffer.from(stableJson({
+    purpose,
+    version: 'viewport.hpke_sealed_bytes/draft-01',
+    recipientName,
+    suite: HPKE_SUITE,
+  }), 'utf8');
+  const aad = genericAad({ purpose, recipientName, context });
+  const sender = await suite.createSenderContext({ recipientPublicKey, info });
+  const ciphertext = await sender.seal(plaintext, aad);
+
+  return {
+    version: 'viewport.hpke_sealed_bytes/draft-01',
+    recipientName,
+    purpose,
+    context,
+    suite: HPKE_SUITE,
+    enc: toBase64(sender.enc),
+    ciphertext: toBase64(ciphertext),
+    aadDigest: `sha256:${crypto.createHash('sha256').update(aad).digest('hex')}`,
+  };
+}
+
+async function unwrapRepoKeyWithHpke(grant, recipient, options = {}) {
+  if (!recipient.hpkePrivateKey) {
+    throw new Error(`Missing HPKE private key for ${recipient.name}`);
+  }
+
+  if (grant.version !== HPKE_KEY_GRANT_VERSION) {
+    throw new Error(`Unsupported HPKE key grant version: ${grant.version}`);
+  }
+
+  if (grant.recipientName !== recipient.name) {
+    throw new Error(`HPKE key grant belongs to ${grant.recipientName}, not ${recipient.name}`);
+  }
+
+  if (options.expectedRepoId && grant.repoId !== options.expectedRepoId) {
+    throw new Error(`HPKE key grant belongs to repo ${grant.repoId}, not ${options.expectedRepoId}`);
+  }
+
+  if (options.expectedKeyEpoch && grant.keyEpoch !== options.expectedKeyEpoch) {
+    throw new Error(`HPKE key grant belongs to epoch ${grant.keyEpoch}, not ${options.expectedKeyEpoch}`);
+  }
+
+  assertSupportedSuite(grant);
+
+  const suite = await loadSuite();
+  const recipientPrivateKey = await suite.kem.deserializePrivateKey(fromBase64(recipient.hpkePrivateKey));
+  const info = grantInfo({
+    recipientName: grant.recipientName,
+    repoId: grant.repoId,
+    keyEpoch: grant.keyEpoch,
+  });
+  const aad = grantAad({
+    recipientName: grant.recipientName,
+    repoId: grant.repoId,
+    keyEpoch: grant.keyEpoch,
+  });
+  const expectedAadDigest = `sha256:${crypto.createHash('sha256').update(aad).digest('hex')}`;
+  if (grant.aadDigest !== expectedAadDigest) {
+    throw new Error('HPKE key grant AAD digest mismatch');
+  }
+  const recipientContext = await suite.createRecipientContext({
+    recipientKey: recipientPrivateKey,
+    enc: fromBase64(grant.enc),
+    info,
+  });
+
+  return Buffer.from(await recipientContext.open(fromBase64(grant.ciphertext), aad));
+}
+
+async function openBytesWithHpke(envelope, recipient, options = {}) {
+  if (!recipient.hpkePrivateKey) {
+    throw new Error(`Missing HPKE private key for ${recipient.name}`);
+  }
+
+  if (envelope.version !== 'viewport.hpke_sealed_bytes/draft-01') {
+    throw new Error(`Unsupported HPKE sealed bytes version: ${envelope.version}`);
+  }
+
+  if (envelope.recipientName !== recipient.name) {
+    throw new Error(`HPKE sealed bytes belong to ${envelope.recipientName}, not ${recipient.name}`);
+  }
+
+  if (options.expectedPurpose && envelope.purpose !== options.expectedPurpose) {
+    throw new Error(`HPKE sealed bytes purpose is ${envelope.purpose}, not ${options.expectedPurpose}`);
+  }
+
+  assertSupportedSuite(envelope);
+
+  const suite = await loadSuite();
+  const recipientPrivateKey = await suite.kem.deserializePrivateKey(fromBase64(recipient.hpkePrivateKey));
+  const purpose = envelope.purpose;
+  const recipientName = envelope.recipientName;
+  const info = Buffer.from(stableJson({
+    purpose,
+    version: envelope.version,
+    recipientName,
+    suite: envelope.suite,
+  }), 'utf8');
+  const aad = genericAad({ purpose, recipientName, context: envelope.context ?? {} });
+  const expectedAadDigest = `sha256:${crypto.createHash('sha256').update(aad).digest('hex')}`;
+  if (envelope.aadDigest !== expectedAadDigest) {
+    throw new Error('HPKE sealed bytes AAD digest mismatch');
+  }
+
+  const recipientContext = await suite.createRecipientContext({
+    recipientKey: recipientPrivateKey,
+    enc: fromBase64(envelope.enc),
+    info,
+  });
+
+  return Buffer.from(await recipientContext.open(fromBase64(envelope.ciphertext), aad));
+}
+
+async function runHpkeGrantProof() {
+  const bob = await createHpkeIdentity('bob');
+  const carol = await createHpkeIdentity('carol');
+  const repoKey = crypto.randomBytes(32);
+  const grant = await wrapRepoKeyWithHpke(repoKey, bob, {
+    repoId: 'project-api',
+    keyEpoch: 7,
+  });
+  const recovered = await unwrapRepoKeyWithHpke(grant, bob);
+  let wrongRecipientRejected = false;
+  try {
+    await unwrapRepoKeyWithHpke(grant, carol);
+  } catch {
+    wrongRecipientRejected = true;
+  }
+
+  const tampered = structuredClone(grant);
+  tampered.ciphertext = `${tampered.ciphertext.slice(0, -1)}${tampered.ciphertext.endsWith('A') ? 'B' : 'A'}`;
+  let tamperRejected = false;
+  try {
+    await unwrapRepoKeyWithHpke(tampered, bob);
+  } catch {
+    tamperRejected = true;
+  }
+
+  return {
+    grant,
+    recipient: bob,
+    expectedRepoKeyDigest: `sha256:${crypto.createHash('sha256').update(repoKey).digest('hex')}`,
+    intendedRecipientRecovered: recovered.equals(repoKey),
+    wrongRecipientRejected,
+    tamperRejected,
+    pass: recovered.equals(repoKey) && wrongRecipientRejected && tamperRejected,
+  };
+}
+
+module.exports = {
+  HPKE_KEY_GRANT_VERSION,
+  HPKE_SUITE,
+  createHpkeIdentity,
+  openBytesWithHpke,
+  runHpkeGrantProof,
+  sealBytesWithHpke,
+  unwrapRepoKeyWithHpke,
+  wrapRepoKeyWithHpke,
+};

package/node_modules/@viewportai/context-engine/src/crypto/keys.js

@@ -0,0 +1,122 @@
+const crypto = require('node:crypto');
+
+const KEY_WRAP_VERSION = 'viewport.context_key_grant/v1';
+const KEY_WRAP_ALG = 'x25519-hkdf-sha256+a256gcm';
+const KEY_WRAP_SALT = Buffer.from('viewport-context-vault-key-wrap-v1', 'utf8');
+
+function base64UrlToBase64(value) {
+  return value.replaceAll('-', '+').replaceAll('_', '/').padEnd(Math.ceil(value.length / 4) * 4, '=');
+}
+
+function createIdentity(name) {
+  const signing = crypto.generateKeyPairSync('ed25519', {
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+  });
+  const encryption = crypto.generateKeyPairSync('x25519');
+  const encryptionPublicJwk = encryption.publicKey.export({ format: 'jwk' });
+  const encryptionPrivateJwk = encryption.privateKey.export({ format: 'jwk' });
+
+  return {
+    name,
+    publicKey: signing.publicKey,
+    privateKey: signing.privateKey,
+    signingPublicKey: signing.publicKey,
+    signingPrivateKey: signing.privateKey,
+    encryptionPublicKey: encryption.publicKey.export({ type: 'spki', format: 'pem' }),
+    encryptionPrivateKey: encryption.privateKey.export({ type: 'pkcs8', format: 'pem' }),
+    hpkePublicKey: base64UrlToBase64(encryptionPublicJwk.x),
+    hpkePrivateKey: base64UrlToBase64(encryptionPrivateJwk.d),
+    personalKey: crypto.randomBytes(32).toString('base64'),
+  };
+}
+
+function createRepoKey() {
+  return crypto.randomBytes(32);
+}
+
+function deriveWrapKey({ privateKeyPem, publicKeyPem, recipientName, ephemeralPublicKeyPem }) {
+  const sharedSecret = crypto.diffieHellman({
+    privateKey: crypto.createPrivateKey(privateKeyPem),
+    publicKey: crypto.createPublicKey(publicKeyPem),
+  });
+  const info = Buffer.from(`${KEY_WRAP_VERSION}:${recipientName}:${ephemeralPublicKeyPem}`, 'utf8');
+  return Buffer.from(crypto.hkdfSync('sha256', sharedSecret, KEY_WRAP_SALT, info, 32));
+}
+
+function encryptRepoKey(repoKey, wrapKey) {
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', wrapKey, iv);
+  const ciphertext = Buffer.concat([cipher.update(repoKey), cipher.final()]);
+  return {
+    alg: KEY_WRAP_ALG,
+    iv: iv.toString('base64'),
+    ciphertext: ciphertext.toString('base64'),
+    tag: cipher.getAuthTag().toString('base64'),
+  };
+}
+
+function decryptRepoKey(encrypted, wrapKey) {
+  const decipher = crypto.createDecipheriv('aes-256-gcm', wrapKey, Buffer.from(encrypted.iv, 'base64'));
+  decipher.setAuthTag(Buffer.from(encrypted.tag, 'base64'));
+  return Buffer.concat([
+    decipher.update(Buffer.from(encrypted.ciphertext, 'base64')),
+    decipher.final(),
+  ]);
+}
+
+function wrapKeyForIdentity(repoKey, identity) {
+  if (!identity.encryptionPublicKey) {
+    throw new Error(`Missing encryption public key for ${identity.name}`);
+  }
+
+  const ephemeral = crypto.generateKeyPairSync('x25519', {
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+  });
+  const wrapKey = deriveWrapKey({
+    privateKeyPem: ephemeral.privateKey,
+    publicKeyPem: identity.encryptionPublicKey,
+    recipientName: identity.name,
+    ephemeralPublicKeyPem: ephemeral.publicKey,
+  });
+
+  return {
+    version: KEY_WRAP_VERSION,
+    recipientName: identity.name,
+    ephemeralPublicKey: ephemeral.publicKey,
+    encryptedRepoKey: encryptRepoKey(repoKey, wrapKey),
+  };
+}
+
+function unwrapKeyForIdentity(wrappedKey, identity) {
+  if (!identity.encryptionPrivateKey) {
+    throw new Error(`Missing encryption private key for ${identity.name}`);
+  }
+
+  if (wrappedKey.version !== KEY_WRAP_VERSION) {
+    throw new Error(`Unsupported key grant version: ${wrappedKey.version}`);
+  }
+
+  if (wrappedKey.recipientName !== identity.name) {
+    throw new Error(`Key grant belongs to ${wrappedKey.recipientName}, not ${identity.name}`);
+  }
+
+  const wrapKey = deriveWrapKey({
+    privateKeyPem: identity.encryptionPrivateKey,
+    publicKeyPem: wrappedKey.ephemeralPublicKey,
+    recipientName: identity.name,
+    ephemeralPublicKeyPem: wrappedKey.ephemeralPublicKey,
+  });
+
+  return decryptRepoKey(wrappedKey.encryptedRepoKey, wrapKey);
+}
+
+module.exports = {
+  KEY_WRAP_ALG,
+  KEY_WRAP_VERSION,
+  createIdentity,
+  createRepoKey,
+  unwrapKeyForIdentity,
+  wrapKeyForIdentity,
+};

package/node_modules/@viewportai/context-engine/src/crypto/signatures.js

@@ -0,0 +1,23 @@
+const crypto = require('node:crypto');
+const { canonicalize } = require('./canonical');
+
+function signEnvelope(unsignedEnvelope, identity) {
+  return crypto.sign(
+    null,
+    Buffer.from(canonicalize(unsignedEnvelope)),
+    identity.signingPrivateKey ?? identity.privateKey,
+  ).toString('base64');
+}
+
+function verifyEnvelope(envelope, publicKey) {
+  const { signature, ...unsignedEnvelope } = envelope;
+
+  return crypto.verify(
+    null,
+    Buffer.from(canonicalize(unsignedEnvelope)),
+    publicKey,
+    Buffer.from(signature, 'base64'),
+  );
+}
+
+module.exports = { signEnvelope, verifyEnvelope };

package/node_modules/@viewportai/context-engine/src/index.js

@@ -0,0 +1,12 @@
+const {
+  MacOsKeychainIdentitySecretStore,
+  MemoryIdentitySecretStore,
+} = require('./repo/key-store');
+const { ContextVault, ResolverPinMismatchError } = require('./repo/vault');
+
+module.exports = {
+  ContextVault,
+  MacOsKeychainIdentitySecretStore,
+  MemoryIdentitySecretStore,
+  ResolverPinMismatchError,
+};