@visa/cli 2.6.1-rc.1 → 2.7.0-rc.3

package/native/build-win.bat

@@ -0,0 +1,42 @@
+@echo off
+REM build-win.bat — compile visa-keychain-win.exe
+REM Requires Visual Studio Build Tools 2019+ (cl.exe in PATH)
+REM Invoke from Developer Command Prompt or after running vcvarsall.bat
+REM
+REM Usage:
+REM   build-win.bat              (builds to .\bin\win32-x64\)
+REM   build-win.bat --ci         (also computes SHA-256 hash file)
+
+setlocal enabledelayedexpansion
+
+set "SRC=%~dp0visa-keychain-win.cpp"
+set "OUT_DIR=%~dp0bin\win32-x64"
+set "OUT=%OUT_DIR%\visa-keychain-win.exe"
+
+if not exist "%OUT_DIR%" mkdir "%OUT_DIR%"
+
+echo [visa-cli] Compiling visa-keychain-win.exe...
+
+cl /nologo /EHsc /std:c++17 /O2 /DNDEBUG /W3 ^
+   "%SRC%" ^
+   /Fe:"%OUT%" ^
+   /link /SUBSYSTEM:CONSOLE bcrypt.lib ncrypt.lib ole32.lib
+
+if %ERRORLEVEL% neq 0 (
+    echo ERROR: Compilation failed. Ensure Visual Studio Build Tools are installed.
+    echo        Install from: https://visualstudio.microsoft.com/visual-cpp-build-tools/
+    exit /b 1
+)
+
+REM Clean up intermediate files
+if exist "%~dp0visa-keychain-win.obj" del "%~dp0visa-keychain-win.obj"
+
+echo [visa-cli] Built: %OUT%
+
+REM Generate SHA-256 hash for integrity verification
+if "%1"=="--ci" (
+    certutil -hashfile "%OUT%" SHA256 | findstr /v ":" > "%OUT%.sha256"
+    echo [visa-cli] Hash:  %OUT%.sha256
+)
+
+echo [visa-cli] Done.

package/native/visa-keychain-win.cpp

@@ -0,0 +1,481 @@
+/**
+ * visa-keychain-win.cpp — Windows Hello attestation for Visa CLI.
+ *
+ * Mirrors the macOS visa-keychain.m CLI contract:
+ *   generate-key  → creates P-256 key in CNG store, returns SPKI DER public key
+ *   public-key    → returns SPKI DER public key for stored key
+ *   sign <chal>   → Windows Hello prompt, ECDSA-SHA256 signature
+ *   delete-key    → removes stored key
+ *   check         → verifies Windows Hello availability
+ *
+ * Build:
+ *   cl /EHsc /std:c++17 /O2 visa-keychain-win.cpp
+ *      /Fe:visa-keychain-win.exe /link bcrypt.lib ncrypt.lib ole32.lib
+ *
+ * Key storage: CNG persisted key (TPM-backed if available, software fallback).
+ * The private key never leaves the CNG store — signing happens in-place.
+ * Windows Hello provides user-presence verification (fingerprint/face/PIN).
+ */
+
+#ifndef UNICODE
+#define UNICODE
+#endif
+#ifndef _UNICODE
+#define _UNICODE
+#endif
+
+#include <windows.h>
+#include <bcrypt.h>
+#include <ncrypt.h>
+#include <wincred.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <string>
+#include <vector>
+
+#pragma comment(lib, "bcrypt.lib")
+#pragma comment(lib, "ncrypt.lib")
+#pragma comment(lib, "ole32.lib")
+
+static const wchar_t* KEY_NAME = L"visa-cli-attestation";
+
+// P-256 SPKI DER header (26 bytes) — wraps a 65-byte uncompressed EC point
+static const unsigned char SPKI_HEADER[] = {
+    0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86,
+    0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A,
+    0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03,
+    0x42, 0x00
+};
+
+// ── Base64 encode/decode ────────────────────────────────────────────────────
+
+static const char B64_TABLE[] =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+std::string base64_encode(const unsigned char* data, size_t len) {
+    std::string out;
+    out.reserve(((len + 2) / 3) * 4);
+    for (size_t i = 0; i < len; i += 3) {
+        unsigned int n = ((unsigned int)data[i]) << 16;
+        if (i + 1 < len) n |= ((unsigned int)data[i + 1]) << 8;
+        if (i + 2 < len) n |= (unsigned int)data[i + 2];
+        out.push_back(B64_TABLE[(n >> 18) & 0x3F]);
+        out.push_back(B64_TABLE[(n >> 12) & 0x3F]);
+        out.push_back((i + 1 < len) ? B64_TABLE[(n >> 6) & 0x3F] : '=');
+        out.push_back((i + 2 < len) ? B64_TABLE[n & 0x3F] : '=');
+    }
+    return out;
+}
+
+static int b64_decode_char(char c) {
+    if (c >= 'A' && c <= 'Z') return c - 'A';
+    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
+    if (c >= '0' && c <= '9') return c - '0' + 52;
+    if (c == '+') return 62;
+    if (c == '/') return 63;
+    return -1;
+}
+
+std::vector<unsigned char> base64_decode(const char* input) {
+    std::vector<unsigned char> out;
+    size_t len = strlen(input);
+    if (len == 0) return out;
+    out.reserve((len / 4) * 3);
+    for (size_t i = 0; i < len; i += 4) {
+        int a = b64_decode_char(input[i]);
+        int b = (i + 1 < len) ? b64_decode_char(input[i + 1]) : 0;
+        int c = (i + 2 < len) ? b64_decode_char(input[i + 2]) : 0;
+        int d = (i + 3 < len) ? b64_decode_char(input[i + 3]) : 0;
+        if (a < 0) a = 0;
+        if (b < 0) b = 0;
+        unsigned int triple = (a << 18) | (b << 12) | (c << 6) | d;
+        out.push_back((triple >> 16) & 0xFF);
+        if (i + 2 < len && input[i + 2] != '=')
+            out.push_back((triple >> 8) & 0xFF);
+        if (i + 3 < len && input[i + 3] != '=')
+            out.push_back(triple & 0xFF);
+    }
+    return out;
+}
+
+// ── CNG helpers ─────────────────────────────────────────────────────────────
+
+/**
+ * Open the best available key storage provider.
+ * Tries TPM (MS_PLATFORM_CRYPTO_PROVIDER) first, falls back to software.
+ */
+static SECURITY_STATUS open_provider(NCRYPT_PROV_HANDLE* phProv) {
+    SECURITY_STATUS s = NCryptOpenStorageProvider(phProv,
+        MS_PLATFORM_CRYPTO_PROVIDER, 0);
+    if (s == ERROR_SUCCESS) return s;
+    return NCryptOpenStorageProvider(phProv, MS_KEY_STORAGE_PROVIDER, 0);
+}
+
+/**
+ * Export the public key portion of a CNG key handle as SPKI DER bytes.
+ * Returns empty vector on failure.
+ */
+static std::vector<unsigned char> export_spki(NCRYPT_KEY_HANDLE hKey) {
+    std::vector<unsigned char> result;
+
+    // Export as ECC public blob
+    DWORD cbBlob = 0;
+    SECURITY_STATUS s = NCryptExportKey(hKey, 0, BCRYPT_ECCPUBLIC_BLOB,
+        NULL, NULL, 0, &cbBlob, 0);
+    if (s != ERROR_SUCCESS || cbBlob == 0) return result;
+
+    std::vector<unsigned char> blob(cbBlob);
+    s = NCryptExportKey(hKey, 0, BCRYPT_ECCPUBLIC_BLOB,
+        NULL, blob.data(), cbBlob, &cbBlob, 0);
+    if (s != ERROR_SUCCESS) return result;
+
+    // BCRYPT_ECCPUBLIC_BLOB layout:
+    //   BCRYPT_ECCKEY_BLOB header (8 bytes): magic(4) + cbKey(4)
+    //   X coordinate (cbKey bytes)
+    //   Y coordinate (cbKey bytes)
+    BCRYPT_ECCKEY_BLOB* pHeader = (BCRYPT_ECCKEY_BLOB*)blob.data();
+    DWORD cbKey = pHeader->cbKey;  // 32 for P-256
+
+    if (cbKey != 32) return result;  // Only P-256 supported
+
+    // Build uncompressed EC point: 0x04 || X || Y (65 bytes)
+    unsigned char* pX = blob.data() + sizeof(BCRYPT_ECCKEY_BLOB);
+    unsigned char* pY = pX + cbKey;
+
+    // SPKI DER = header (26 bytes) + uncompressed point (65 bytes) = 91 bytes
+    result.resize(sizeof(SPKI_HEADER) + 1 + 2 * cbKey);
+    memcpy(result.data(), SPKI_HEADER, sizeof(SPKI_HEADER));
+    result[sizeof(SPKI_HEADER)] = 0x04;  // uncompressed point marker
+    memcpy(result.data() + sizeof(SPKI_HEADER) + 1, pX, cbKey);
+    memcpy(result.data() + sizeof(SPKI_HEADER) + 1 + cbKey, pY, cbKey);
+
+    return result;
+}
+
+/**
+ * Convert raw r||s signature (64 bytes for P-256) to DER-encoded ECDSA-Sig-Value.
+ * Node.js crypto.createVerify expects DER format.
+ */
+static std::vector<unsigned char> raw_sig_to_der(const unsigned char* sig, DWORD sigLen) {
+    std::vector<unsigned char> der;
+    if (sigLen != 64) return der;
+
+    const unsigned char* r = sig;
+    const unsigned char* s = sig + 32;
+
+    // Each integer: skip leading zeros, add 0x00 padding if high bit set
+    auto encode_int = [](const unsigned char* val, int len) -> std::vector<unsigned char> {
+        std::vector<unsigned char> out;
+        int start = 0;
+        while (start < len - 1 && val[start] == 0) start++;
+        bool pad = (val[start] & 0x80) != 0;
+        out.push_back(0x02);  // INTEGER tag
+        out.push_back((unsigned char)(len - start + (pad ? 1 : 0)));
+        if (pad) out.push_back(0x00);
+        for (int i = start; i < len; i++) out.push_back(val[i]);
+        return out;
+    };
+
+    auto r_der = encode_int(r, 32);
+    auto s_der = encode_int(s, 32);
+
+    // SEQUENCE tag + length + r + s
+    der.push_back(0x30);
+    der.push_back((unsigned char)(r_der.size() + s_der.size()));
+    der.insert(der.end(), r_der.begin(), r_der.end());
+    der.insert(der.end(), s_der.begin(), s_der.end());
+
+    return der;
+}
+
+// ── Commands ────────────────────────────────────────────────────────────────
+
+/**
+ * check — verify Windows Hello / CNG availability.
+ * Outputs "OK" if key storage is available, "ERROR:<msg>" otherwise.
+ */
+static int cmd_check() {
+    NCRYPT_PROV_HANDLE hProv = 0;
+    SECURITY_STATUS s = open_provider(&hProv);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Key storage provider unavailable (0x%08lx)\n", s);
+        return 1;
+    }
+    NCryptFreeObject(hProv);
+    printf("OK\n");
+    return 0;
+}
+
+/**
+ * generate-key — create P-256 key in CNG store.
+ * Output: "OK:<public-spki-b64>"
+ * The key is persisted under KEY_NAME with UI protection (Windows Hello consent).
+ */
+static int cmd_generate_key() {
+    NCRYPT_PROV_HANDLE hProv = 0;
+    NCRYPT_KEY_HANDLE hKey = 0;
+    SECURITY_STATUS s;
+
+    s = open_provider(&hProv);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Cannot open key storage provider (0x%08lx)\n", s);
+        return 1;
+    }
+
+    // Delete existing key if present (fresh start, like macOS delete-then-add)
+    NCRYPT_KEY_HANDLE hOld = 0;
+    if (NCryptOpenKey(hProv, &hOld, KEY_NAME, 0, 0) == ERROR_SUCCESS) {
+        NCryptDeleteKey(hOld, 0);
+    }
+
+    // Create P-256 key with user-consent requirement
+    s = NCryptCreatePersistedKey(hProv, &hKey,
+        BCRYPT_ECDSA_P256_ALGORITHM, KEY_NAME, 0,
+        NCRYPT_OVERWRITE_KEY_FLAG);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Key creation failed (0x%08lx)\n", s);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    // Require Windows Hello consent for sign operations
+    NCRYPT_UI_POLICY uiPolicy = {};
+    uiPolicy.dwVersion = 1;
+    uiPolicy.dwFlags = NCRYPT_UI_PROTECT_KEY_FLAG;
+    uiPolicy.pszCreationTitle = L"Visa CLI";
+    uiPolicy.pszDescription = L"Biometric key for payment attestation";
+    s = NCryptSetProperty(hKey, NCRYPT_UI_POLICY_PROPERTY,
+        (PBYTE)&uiPolicy, sizeof(uiPolicy), 0);
+    if (s != ERROR_SUCCESS) {
+        // Non-fatal: key works without UI protection (CI/headless scenarios)
+    }
+
+    // Finalize (persist to store)
+    s = NCryptFinalizeKey(hKey, 0);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Key finalization failed (0x%08lx)\n", s);
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    // Export public key as SPKI DER
+    auto spki = export_spki(hKey);
+    if (spki.empty()) {
+        printf("ERROR:Failed to export public key\n");
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    std::string pub_b64 = base64_encode(spki.data(), spki.size());
+    printf("OK:%s\n", pub_b64.c_str());
+
+    NCryptFreeObject(hKey);
+    NCryptFreeObject(hProv);
+    return 0;
+}
+
+/**
+ * public-key — export SPKI DER public key for the stored attestation key.
+ * Does NOT require Windows Hello consent (read-only metadata export).
+ * Output: "OK:<public-spki-b64>"
+ */
+static int cmd_public_key() {
+    NCRYPT_PROV_HANDLE hProv = 0;
+    NCRYPT_KEY_HANDLE hKey = 0;
+    SECURITY_STATUS s;
+
+    s = open_provider(&hProv);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Cannot open key storage provider (0x%08lx)\n", s);
+        return 1;
+    }
+
+    s = NCryptOpenKey(hProv, &hKey, KEY_NAME, 0, 0);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Attestation key not found. Run setup to generate a new key.\n");
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    auto spki = export_spki(hKey);
+    if (spki.empty()) {
+        printf("ERROR:Failed to export public key\n");
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    std::string pub_b64 = base64_encode(spki.data(), spki.size());
+    printf("OK:%s\n", pub_b64.c_str());
+
+    NCryptFreeObject(hKey);
+    NCryptFreeObject(hProv);
+    return 0;
+}
+
+/**
+ * sign <challenge> [reason] — hash + sign with Windows Hello consent.
+ * The challenge string is SHA-256 hashed, then signed with ECDSA P-256.
+ * Windows Hello UI blocks until user confirms (fingerprint/face/PIN).
+ * Output: "OK:<der-signature-b64>"
+ */
+static int cmd_sign(const char* challenge, const char* reason) {
+    NCRYPT_PROV_HANDLE hProv = 0;
+    NCRYPT_KEY_HANDLE hKey = 0;
+    SECURITY_STATUS s;
+
+    s = open_provider(&hProv);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Cannot open key storage provider (0x%08lx)\n", s);
+        return 1;
+    }
+
+    s = NCryptOpenKey(hProv, &hKey, KEY_NAME, 0, 0);
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Attestation key not found. Run setup to generate a new key.\n");
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    // Hash the challenge with SHA-256
+    BCRYPT_ALG_HANDLE hAlg = 0;
+    NTSTATUS ns = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_SHA256_ALGORITHM,
+        NULL, 0);
+    if (ns != 0) {
+        printf("ERROR:Cannot open SHA-256 provider\n");
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    unsigned char hash[32];
+    ns = BCryptHash(hAlg, NULL, 0,
+        (PUCHAR)challenge, (ULONG)strlen(challenge),
+        hash, sizeof(hash));
+    BCryptCloseAlgorithmProvider(hAlg, 0);
+
+    if (ns != 0) {
+        printf("ERROR:SHA-256 hash failed\n");
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    // Sign the hash — this triggers the Windows Hello consent UI.
+    // NCryptSignHash with a UI-protected key will show the biometric prompt.
+    DWORD cbSig = 0;
+    s = NCryptSignHash(hKey, NULL, hash, sizeof(hash),
+        NULL, 0, &cbSig, 0);
+    if (s != ERROR_SUCCESS || cbSig == 0) {
+        printf("ERROR:Cannot determine signature size (0x%08lx)\n", s);
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    std::vector<unsigned char> sig(cbSig);
+    s = NCryptSignHash(hKey, NULL, hash, sizeof(hash),
+        sig.data(), cbSig, &cbSig, 0);
+
+    if (s == (SECURITY_STATUS)NTE_USER_CANCELLED) {
+        printf("ERROR:Authentication cancelled by user\n");
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Signing failed (0x%08lx)\n", s);
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    // CNG outputs raw r||s (64 bytes for P-256). Convert to DER for Node.js.
+    auto der_sig = raw_sig_to_der(sig.data(), cbSig);
+    if (der_sig.empty()) {
+        printf("ERROR:Signature DER encoding failed\n");
+        NCryptFreeObject(hKey);
+        NCryptFreeObject(hProv);
+        return 1;
+    }
+
+    std::string sig_b64 = base64_encode(der_sig.data(), der_sig.size());
+    printf("OK:%s\n", sig_b64.c_str());
+
+    NCryptFreeObject(hKey);
+    NCryptFreeObject(hProv);
+    return 0;
+}
+
+/**
+ * delete-key — remove the stored attestation key from CNG.
+ * Output: "OK" on success, "ERROR:<msg>" on failure.
+ */
+static int cmd_delete_key() {
+    NCRYPT_PROV_HANDLE hProv = 0;
+    NCRYPT_KEY_HANDLE hKey = 0;
+    SECURITY_STATUS s;
+
+    s = open_provider(&hProv);
+    if (s != ERROR_SUCCESS) {
+        printf("OK\n");  // No provider = no key = success
+        return 0;
+    }
+
+    s = NCryptOpenKey(hProv, &hKey, KEY_NAME, 0, 0);
+    if (s != ERROR_SUCCESS) {
+        NCryptFreeObject(hProv);
+        printf("OK\n");  // Key doesn't exist = success
+        return 0;
+    }
+
+    s = NCryptDeleteKey(hKey, 0);
+    NCryptFreeObject(hProv);
+
+    if (s != ERROR_SUCCESS) {
+        printf("ERROR:Failed to delete key (0x%08lx)\n", s);
+        return 1;
+    }
+
+    printf("OK\n");
+    return 0;
+}
+
+// ── Main ────────────────────────────────────────────────────────────────────
+
+int main(int argc, char* argv[]) {
+    if (argc < 2) {
+        fprintf(stderr, "Usage: visa-keychain-win <command> [args...]\n");
+        fprintf(stderr, "Commands: check, generate-key, public-key, sign, delete-key\n");
+        return 1;
+    }
+
+    const char* cmd = argv[1];
+
+    if (strcmp(cmd, "check") == 0) {
+        return cmd_check();
+    }
+    if (strcmp(cmd, "generate-key") == 0) {
+        return cmd_generate_key();
+    }
+    if (strcmp(cmd, "public-key") == 0) {
+        return cmd_public_key();
+    }
+    if (strcmp(cmd, "sign") == 0) {
+        if (argc < 3) {
+            printf("ERROR:Usage: sign <challenge> [reason]\n");
+            return 1;
+        }
+        const char* reason = (argc >= 4) ? argv[3] : NULL;
+        return cmd_sign(argv[2], reason);
+    }
+    if (strcmp(cmd, "delete-key") == 0) {
+        return cmd_delete_key();
+    }
+
+    fprintf(stderr, "ERROR:Unknown command: %s\n", cmd);
+    return 1;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@visa/cli",
-  "version": "2.6.1-rc.1",
+  "version": "2.7.0-rc.3",
   "description": "AI-powered payments for Claude Code",
   "bin": {
     "visa-cli": "./bin/visa-cli.js"
@@ -75,6 +75,9 @@
     "install.ps1",
     "install.sh",
     "native/visa-keychain.m",
+    "native/visa-keychain-win.cpp",
+    "native/build-win.bat",
+    "native/bin/win32-x64/visa-keychain-win.exe",
     "server.json",
     "README.md",
     "LICENSE"

package/server.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-10-17/server.schema.json",
   "name": "io.github.visa-crypto-labs/visa-cli",
-  "version": "2.6.1-rc.1",
+  "version": "2.7.0-rc.3",
   "title": "Visa CLI",
   "description": "AI-powered payments and creative tools for coding agents. Generate images, music, video, query crypto prices, and make purchases — all from your AI coding assistant.",
   "websiteUrl": "https://github.com/Visa-Crypto-Labs/Visa-mono/tree/main/packages/cli#readme",
@@ -9,7 +9,7 @@
     {
       "registryType": "npm",
       "identifier": "@visa/cli",
-      "version": "2.6.1-rc.1",
+      "version": "2.7.0-rc.3",
       "transport": {
         "type": "stdio"
       },