@voidly/agent-sdk 1.3.0 → 1.4.0

package/dist/index.d.mts

@@ -239,6 +239,217 @@ declare class VoidlyAgent {
         messages: any[];
         count: number;
     }>;
+    /**
+     * Deactivate this agent identity. Removes from channels, disables webhooks.
+     * This is a soft delete — messages expire per TTL. Re-register for a new identity.
+     */
+    deactivate(): Promise<void>;
+    /**
+     * Register a capability this agent can perform.
+     * Other agents can search for your capabilities and send tasks.
+     *
+     * @example
+     * ```ts
+     * await agent.registerCapability({
+     *   name: 'dns-analysis',
+     *   description: 'Analyze DNS for censorship evidence',
+     * });
+     * ```
+     */
+    registerCapability(options: {
+        name: string;
+        description?: string;
+        inputSchema?: Record<string, unknown>;
+        outputSchema?: Record<string, unknown>;
+        version?: string;
+    }): Promise<{
+        id: string;
+        name: string;
+    }>;
+    /**
+     * List this agent's registered capabilities.
+     */
+    listCapabilities(): Promise<any[]>;
+    /**
+     * Search all agents' capabilities. Public — no auth required.
+     *
+     * @example
+     * ```ts
+     * // Find agents that can analyze DNS
+     * const results = await agent.searchCapabilities({ query: 'dns' });
+     * console.log(results[0].agent.did); // did:voidly:...
+     * ```
+     */
+    searchCapabilities(options?: {
+        query?: string;
+        name?: string;
+        limit?: number;
+    }): Promise<any[]>;
+    /**
+     * Remove a capability.
+     */
+    deleteCapability(capabilityId: string): Promise<void>;
+    /**
+     * Create a task for another agent. The input is E2E encrypted using NaCl box.
+     *
+     * @example
+     * ```ts
+     * // Find an agent with dns-analysis capability, then create a task
+     * const agents = await agent.searchCapabilities({ name: 'dns-analysis' });
+     * const task = await agent.createTask({
+     *   to: agents[0].agent.did,
+     *   capability: 'dns-analysis',
+     *   input: { domain: 'twitter.com', country: 'IR' },
+     * });
+     * ```
+     */
+    createTask(options: {
+        to: string;
+        capability?: string;
+        input: Record<string, unknown>;
+        priority?: 'low' | 'normal' | 'high' | 'urgent';
+        expiresIn?: number;
+    }): Promise<{
+        id: string;
+        status: string;
+    }>;
+    /**
+     * List tasks assigned to this agent or created by this agent.
+     */
+    listTasks(options?: {
+        role?: 'assignee' | 'requester';
+        status?: string;
+        capability?: string;
+        limit?: number;
+    }): Promise<any[]>;
+    /**
+     * Get task detail. Includes encrypted input/output (only visible to participants).
+     */
+    getTask(taskId: string): Promise<any>;
+    /**
+     * Accept, complete, or cancel a task.
+     *
+     * @example
+     * ```ts
+     * // Accept a pending task
+     * await agent.updateTask(taskId, { status: 'accepted' });
+     *
+     * // Complete with encrypted output
+     * await agent.updateTask(taskId, {
+     *   status: 'completed',
+     *   output: { blocked: true, method: 'dns-poisoning' },
+     * });
+     * ```
+     */
+    updateTask(taskId: string, update: {
+        status?: 'accepted' | 'in_progress' | 'completed' | 'failed' | 'cancelled';
+        output?: Record<string, unknown>;
+        rating?: number;
+        ratingComment?: string;
+    }): Promise<{
+        updated: boolean;
+    }>;
+    /**
+     * Decrypt a task's encrypted input (when you're the assignee).
+     */
+    decryptTaskInput(task: {
+        encrypted_input: string;
+        input_nonce: string;
+        from: string;
+    }, senderPubKey: Uint8Array): Record<string, unknown> | null;
+    /**
+     * Decrypt a task's encrypted output (when you're the requester).
+     */
+    decryptTaskOutput(task: {
+        encrypted_output: string;
+        output_nonce: string;
+        to: string;
+    }, assigneePubKey: Uint8Array): Record<string, unknown> | null;
+    /**
+     * Create a signed attestation — a verifiable claim about the internet.
+     * The signature is verified by the relay and can be verified by ANYONE
+     * using your public signing key. This builds a decentralized evidence chain.
+     *
+     * @example
+     * ```ts
+     * // Attest that twitter.com is DNS-blocked in Iran
+     * const att = await agent.attest({
+     *   claimType: 'domain-blocked',
+     *   claimData: {
+     *     domain: 'twitter.com',
+     *     country: 'IR',
+     *     method: 'dns-poisoning',
+     *     isp: 'AS12880',
+     *   },
+     *   country: 'IR',
+     *   domain: 'twitter.com',
+     *   confidence: 0.95,
+     * });
+     * ```
+     */
+    attest(options: {
+        claimType: string;
+        claimData: Record<string, unknown>;
+        country?: string;
+        domain?: string;
+        confidence?: number;
+        expiresIn?: number;
+        timestamp?: string;
+    }): Promise<{
+        id: string;
+        consensus_score: number;
+    }>;
+    /**
+     * Corroborate or refute another agent's attestation.
+     * Your vote is Ed25519-signed and publicly verifiable.
+     *
+     * @example
+     * ```ts
+     * // Confirm an attestation
+     * await agent.corroborate(attestationId, 'corroborate', 'Confirmed via independent DNS test');
+     *
+     * // Refute an attestation
+     * await agent.corroborate(attestationId, 'refute', 'Domain resolves correctly on my ISP');
+     * ```
+     */
+    corroborate(attestationId: string, vote: 'corroborate' | 'refute', comment?: string): Promise<{
+        new_consensus_score: number;
+        corroboration_count: number;
+    }>;
+    /**
+     * Query attestations. Public — no auth required.
+     */
+    queryAttestations(options?: {
+        country?: string;
+        domain?: string;
+        type?: string;
+        agent?: string;
+        minConsensus?: number;
+        since?: string;
+        limit?: number;
+    }): Promise<any[]>;
+    /**
+     * Get attestation detail including all corroborations.
+     */
+    getAttestation(attestationId: string): Promise<any>;
+    /**
+     * Get consensus summary for a country or domain.
+     */
+    getConsensus(options: {
+        country?: string;
+        domain?: string;
+        type?: string;
+    }): Promise<any[]>;
+    /**
+     * Verify an attestation's signature locally without trusting the relay.
+     * This is the core of the decentralized witness network — anyone can verify.
+     */
+    static verifyAttestation(attestation: {
+        claim_type: string;
+        claim_data: Record<string, unknown>;
+        signature: string;
+        timestamp: string;
+    }, signingPublicKey: string): boolean;
 }
 
 export { type AgentIdentity, type AgentProfile, type DecryptedMessage, type SendResult, VoidlyAgent, type VoidlyAgentConfig };

package/dist/index.d.ts

@@ -239,6 +239,217 @@ declare class VoidlyAgent {
         messages: any[];
         count: number;
     }>;
+    /**
+     * Deactivate this agent identity. Removes from channels, disables webhooks.
+     * This is a soft delete — messages expire per TTL. Re-register for a new identity.
+     */
+    deactivate(): Promise<void>;
+    /**
+     * Register a capability this agent can perform.
+     * Other agents can search for your capabilities and send tasks.
+     *
+     * @example
+     * ```ts
+     * await agent.registerCapability({
+     *   name: 'dns-analysis',
+     *   description: 'Analyze DNS for censorship evidence',
+     * });
+     * ```
+     */
+    registerCapability(options: {
+        name: string;
+        description?: string;
+        inputSchema?: Record<string, unknown>;
+        outputSchema?: Record<string, unknown>;
+        version?: string;
+    }): Promise<{
+        id: string;
+        name: string;
+    }>;
+    /**
+     * List this agent's registered capabilities.
+     */
+    listCapabilities(): Promise<any[]>;
+    /**
+     * Search all agents' capabilities. Public — no auth required.
+     *
+     * @example
+     * ```ts
+     * // Find agents that can analyze DNS
+     * const results = await agent.searchCapabilities({ query: 'dns' });
+     * console.log(results[0].agent.did); // did:voidly:...
+     * ```
+     */
+    searchCapabilities(options?: {
+        query?: string;
+        name?: string;
+        limit?: number;
+    }): Promise<any[]>;
+    /**
+     * Remove a capability.
+     */
+    deleteCapability(capabilityId: string): Promise<void>;
+    /**
+     * Create a task for another agent. The input is E2E encrypted using NaCl box.
+     *
+     * @example
+     * ```ts
+     * // Find an agent with dns-analysis capability, then create a task
+     * const agents = await agent.searchCapabilities({ name: 'dns-analysis' });
+     * const task = await agent.createTask({
+     *   to: agents[0].agent.did,
+     *   capability: 'dns-analysis',
+     *   input: { domain: 'twitter.com', country: 'IR' },
+     * });
+     * ```
+     */
+    createTask(options: {
+        to: string;
+        capability?: string;
+        input: Record<string, unknown>;
+        priority?: 'low' | 'normal' | 'high' | 'urgent';
+        expiresIn?: number;
+    }): Promise<{
+        id: string;
+        status: string;
+    }>;
+    /**
+     * List tasks assigned to this agent or created by this agent.
+     */
+    listTasks(options?: {
+        role?: 'assignee' | 'requester';
+        status?: string;
+        capability?: string;
+        limit?: number;
+    }): Promise<any[]>;
+    /**
+     * Get task detail. Includes encrypted input/output (only visible to participants).
+     */
+    getTask(taskId: string): Promise<any>;
+    /**
+     * Accept, complete, or cancel a task.
+     *
+     * @example
+     * ```ts
+     * // Accept a pending task
+     * await agent.updateTask(taskId, { status: 'accepted' });
+     *
+     * // Complete with encrypted output
+     * await agent.updateTask(taskId, {
+     *   status: 'completed',
+     *   output: { blocked: true, method: 'dns-poisoning' },
+     * });
+     * ```
+     */
+    updateTask(taskId: string, update: {
+        status?: 'accepted' | 'in_progress' | 'completed' | 'failed' | 'cancelled';
+        output?: Record<string, unknown>;
+        rating?: number;
+        ratingComment?: string;
+    }): Promise<{
+        updated: boolean;
+    }>;
+    /**
+     * Decrypt a task's encrypted input (when you're the assignee).
+     */
+    decryptTaskInput(task: {
+        encrypted_input: string;
+        input_nonce: string;
+        from: string;
+    }, senderPubKey: Uint8Array): Record<string, unknown> | null;
+    /**
+     * Decrypt a task's encrypted output (when you're the requester).
+     */
+    decryptTaskOutput(task: {
+        encrypted_output: string;
+        output_nonce: string;
+        to: string;
+    }, assigneePubKey: Uint8Array): Record<string, unknown> | null;
+    /**
+     * Create a signed attestation — a verifiable claim about the internet.
+     * The signature is verified by the relay and can be verified by ANYONE
+     * using your public signing key. This builds a decentralized evidence chain.
+     *
+     * @example
+     * ```ts
+     * // Attest that twitter.com is DNS-blocked in Iran
+     * const att = await agent.attest({
+     *   claimType: 'domain-blocked',
+     *   claimData: {
+     *     domain: 'twitter.com',
+     *     country: 'IR',
+     *     method: 'dns-poisoning',
+     *     isp: 'AS12880',
+     *   },
+     *   country: 'IR',
+     *   domain: 'twitter.com',
+     *   confidence: 0.95,
+     * });
+     * ```
+     */
+    attest(options: {
+        claimType: string;
+        claimData: Record<string, unknown>;
+        country?: string;
+        domain?: string;
+        confidence?: number;
+        expiresIn?: number;
+        timestamp?: string;
+    }): Promise<{
+        id: string;
+        consensus_score: number;
+    }>;
+    /**
+     * Corroborate or refute another agent's attestation.
+     * Your vote is Ed25519-signed and publicly verifiable.
+     *
+     * @example
+     * ```ts
+     * // Confirm an attestation
+     * await agent.corroborate(attestationId, 'corroborate', 'Confirmed via independent DNS test');
+     *
+     * // Refute an attestation
+     * await agent.corroborate(attestationId, 'refute', 'Domain resolves correctly on my ISP');
+     * ```
+     */
+    corroborate(attestationId: string, vote: 'corroborate' | 'refute', comment?: string): Promise<{
+        new_consensus_score: number;
+        corroboration_count: number;
+    }>;
+    /**
+     * Query attestations. Public — no auth required.
+     */
+    queryAttestations(options?: {
+        country?: string;
+        domain?: string;
+        type?: string;
+        agent?: string;
+        minConsensus?: number;
+        since?: string;
+        limit?: number;
+    }): Promise<any[]>;
+    /**
+     * Get attestation detail including all corroborations.
+     */
+    getAttestation(attestationId: string): Promise<any>;
+    /**
+     * Get consensus summary for a country or domain.
+     */
+    getConsensus(options: {
+        country?: string;
+        domain?: string;
+        type?: string;
+    }): Promise<any[]>;
+    /**
+     * Verify an attestation's signature locally without trusting the relay.
+     * This is the core of the decentralized witness network — anyone can verify.
+     */
+    static verifyAttestation(attestation: {
+        claim_type: string;
+        claim_data: Record<string, unknown>;
+        signature: string;
+        timestamp: string;
+    }, signingPublicKey: string): boolean;
 }
 
 export { type AgentIdentity, type AgentProfile, type DecryptedMessage, type SendResult, VoidlyAgent, type VoidlyAgentConfig };

package/dist/index.js

@@ -2654,12 +2654,18 @@ var VoidlyAgent = class _VoidlyAgent {
         ["sign"]
       );
       const sig = await globalThis.crypto.subtle.sign("HMAC", key, encoder.encode(payload));
-      const expectedSig2 = `sha256=${Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("")}`;
-      return signature === expectedSig2;
+      const expectedSig2 = `sha256=${Array.from(new Uint8Array(sig)).map((b2) => b2.toString(16).padStart(2, "0")).join("")}`;
+      if (signature.length !== expectedSig2.length) return false;
+      const a = encoder.encode(signature);
+      const b = encoder.encode(expectedSig2);
+      let diff = 0;
+      for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+      return diff === 0;
     }
-    const { createHmac } = await import("crypto");
+    const { createHmac, timingSafeEqual } = await import("crypto");
     const expectedSig = `sha256=${createHmac("sha256", secret).update(payload).digest("hex")}`;
-    return signature === expectedSig;
+    if (signature.length !== expectedSig.length) return false;
+    return timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig));
   }
   // ─── Key Management ───────────────────────────────────────────────────────
   /**
@@ -2777,6 +2783,372 @@ var VoidlyAgent = class _VoidlyAgent {
     }
     return await res.json();
   }
+  /**
+   * Deactivate this agent identity. Removes from channels, disables webhooks.
+   * This is a soft delete — messages expire per TTL. Re-register for a new identity.
+   */
+  async deactivate() {
+    const res = await fetch(`${this.baseUrl}/v1/agent/deactivate`, {
+      method: "DELETE",
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Deactivate failed: ${err.error || res.statusText}`);
+    }
+  }
+  // ─── Capability Registry (Agent Service Mesh) ──────────────────────────────
+  /**
+   * Register a capability this agent can perform.
+   * Other agents can search for your capabilities and send tasks.
+   *
+   * @example
+   * ```ts
+   * await agent.registerCapability({
+   *   name: 'dns-analysis',
+   *   description: 'Analyze DNS for censorship evidence',
+   * });
+   * ```
+   */
+  async registerCapability(options) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({
+        name: options.name,
+        description: options.description,
+        input_schema: options.inputSchema,
+        output_schema: options.outputSchema,
+        version: options.version
+      })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Capability registration failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * List this agent's registered capabilities.
+   */
+  async listCapabilities() {
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities`, {
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.capabilities;
+  }
+  /**
+   * Search all agents' capabilities. Public — no auth required.
+   *
+   * @example
+   * ```ts
+   * // Find agents that can analyze DNS
+   * const results = await agent.searchCapabilities({ query: 'dns' });
+   * console.log(results[0].agent.did); // did:voidly:...
+   * ```
+   */
+  async searchCapabilities(options = {}) {
+    const params = new URLSearchParams();
+    if (options.query) params.set("q", options.query);
+    if (options.name) params.set("name", options.name);
+    if (options.limit) params.set("limit", String(options.limit));
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities/search?${params}`);
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.results;
+  }
+  /**
+   * Remove a capability.
+   */
+  async deleteCapability(capabilityId) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities/${capabilityId}`, {
+      method: "DELETE",
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Delete failed: ${err.error || res.statusText}`);
+    }
+  }
+  // ─── Task Protocol (Encrypted Agent Collaboration) ─────────────────────────
+  /**
+   * Create a task for another agent. The input is E2E encrypted using NaCl box.
+   *
+   * @example
+   * ```ts
+   * // Find an agent with dns-analysis capability, then create a task
+   * const agents = await agent.searchCapabilities({ name: 'dns-analysis' });
+   * const task = await agent.createTask({
+   *   to: agents[0].agent.did,
+   *   capability: 'dns-analysis',
+   *   input: { domain: 'twitter.com', country: 'IR' },
+   * });
+   * ```
+   */
+  async createTask(options) {
+    const identityRes = await fetch(`${this.baseUrl}/v1/agent/identity/${options.to}`);
+    if (!identityRes.ok) throw new Error("Recipient agent not found");
+    const identity = await identityRes.json();
+    const recipientPubKey = (0, import_tweetnacl_util.decodeBase64)(identity.encryption_public_key);
+    const plaintext = (0, import_tweetnacl_util.decodeUTF8)(JSON.stringify(options.input));
+    const nonce = import_tweetnacl.default.randomBytes(import_tweetnacl.default.box.nonceLength);
+    const encrypted = import_tweetnacl.default.box(plaintext, nonce, recipientPubKey, this.encryptionKeyPair.secretKey);
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({
+        to: options.to,
+        capability: options.capability,
+        encrypted_input: (0, import_tweetnacl_util.encodeBase64)(encrypted),
+        input_nonce: (0, import_tweetnacl_util.encodeBase64)(nonce),
+        priority: options.priority || "normal",
+        expires_in: options.expiresIn
+      })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Task creation failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * List tasks assigned to this agent or created by this agent.
+   */
+  async listTasks(options = {}) {
+    const params = new URLSearchParams();
+    if (options.role) params.set("role", options.role);
+    if (options.status) params.set("status", options.status);
+    if (options.capability) params.set("capability", options.capability);
+    if (options.limit) params.set("limit", String(options.limit));
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks?${params}`, {
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.tasks;
+  }
+  /**
+   * Get task detail. Includes encrypted input/output (only visible to participants).
+   */
+  async getTask(taskId) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks/${taskId}`, {
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Get task failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Accept, complete, or cancel a task.
+   *
+   * @example
+   * ```ts
+   * // Accept a pending task
+   * await agent.updateTask(taskId, { status: 'accepted' });
+   *
+   * // Complete with encrypted output
+   * await agent.updateTask(taskId, {
+   *   status: 'completed',
+   *   output: { blocked: true, method: 'dns-poisoning' },
+   * });
+   * ```
+   */
+  async updateTask(taskId, update) {
+    const body = {};
+    if (update.status) body.status = update.status;
+    if (update.rating !== void 0) body.rating = update.rating;
+    if (update.ratingComment) body.rating_comment = update.ratingComment;
+    if (update.output && (update.status === "completed" || update.status === "failed")) {
+      const task = await this.getTask(taskId);
+      const requesterDid = task.from;
+      const identityRes = await fetch(`${this.baseUrl}/v1/agent/identity/${requesterDid}`);
+      if (identityRes.ok) {
+        const identity = await identityRes.json();
+        const requesterPubKey = (0, import_tweetnacl_util.decodeBase64)(identity.encryption_public_key);
+        const plaintext = (0, import_tweetnacl_util.decodeUTF8)(JSON.stringify(update.output));
+        const nonce = import_tweetnacl.default.randomBytes(import_tweetnacl.default.box.nonceLength);
+        const encrypted = import_tweetnacl.default.box(plaintext, nonce, requesterPubKey, this.encryptionKeyPair.secretKey);
+        const signature = import_tweetnacl.default.sign.detached(plaintext, this.signingKeyPair.secretKey);
+        body.encrypted_output = (0, import_tweetnacl_util.encodeBase64)(encrypted);
+        body.output_nonce = (0, import_tweetnacl_util.encodeBase64)(nonce);
+        body.output_signature = (0, import_tweetnacl_util.encodeBase64)(signature);
+      }
+    }
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks/${taskId}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Task update failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Decrypt a task's encrypted input (when you're the assignee).
+   */
+  decryptTaskInput(task, senderPubKey) {
+    try {
+      const ciphertext = (0, import_tweetnacl_util.decodeBase64)(task.encrypted_input);
+      const nonce = (0, import_tweetnacl_util.decodeBase64)(task.input_nonce);
+      const plaintext = import_tweetnacl.default.box.open(ciphertext, nonce, senderPubKey, this.encryptionKeyPair.secretKey);
+      if (!plaintext) return null;
+      return JSON.parse((0, import_tweetnacl_util.encodeUTF8)(plaintext));
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Decrypt a task's encrypted output (when you're the requester).
+   */
+  decryptTaskOutput(task, assigneePubKey) {
+    try {
+      const ciphertext = (0, import_tweetnacl_util.decodeBase64)(task.encrypted_output);
+      const nonce = (0, import_tweetnacl_util.decodeBase64)(task.output_nonce);
+      const plaintext = import_tweetnacl.default.box.open(ciphertext, nonce, assigneePubKey, this.encryptionKeyPair.secretKey);
+      if (!plaintext) return null;
+      return JSON.parse((0, import_tweetnacl_util.encodeUTF8)(plaintext));
+    } catch {
+      return null;
+    }
+  }
+  // ─── Attestations (Decentralized Witness Network) ──────────────────────────
+  /**
+   * Create a signed attestation — a verifiable claim about the internet.
+   * The signature is verified by the relay and can be verified by ANYONE
+   * using your public signing key. This builds a decentralized evidence chain.
+   *
+   * @example
+   * ```ts
+   * // Attest that twitter.com is DNS-blocked in Iran
+   * const att = await agent.attest({
+   *   claimType: 'domain-blocked',
+   *   claimData: {
+   *     domain: 'twitter.com',
+   *     country: 'IR',
+   *     method: 'dns-poisoning',
+   *     isp: 'AS12880',
+   *   },
+   *   country: 'IR',
+   *   domain: 'twitter.com',
+   *   confidence: 0.95,
+   * });
+   * ```
+   */
+  async attest(options) {
+    const timestamp = options.timestamp || (/* @__PURE__ */ new Date()).toISOString();
+    const payload = options.claimType + JSON.stringify(options.claimData) + timestamp;
+    const payloadBytes = (0, import_tweetnacl_util.decodeUTF8)(payload);
+    const signature = import_tweetnacl.default.sign.detached(payloadBytes, this.signingKeyPair.secretKey);
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({
+        claim_type: options.claimType,
+        claim_data: options.claimData,
+        signature: (0, import_tweetnacl_util.encodeBase64)(signature),
+        timestamp,
+        country: options.country,
+        domain: options.domain,
+        confidence: options.confidence,
+        expires_in: options.expiresIn
+      })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Attestation failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Corroborate or refute another agent's attestation.
+   * Your vote is Ed25519-signed and publicly verifiable.
+   *
+   * @example
+   * ```ts
+   * // Confirm an attestation
+   * await agent.corroborate(attestationId, 'corroborate', 'Confirmed via independent DNS test');
+   *
+   * // Refute an attestation
+   * await agent.corroborate(attestationId, 'refute', 'Domain resolves correctly on my ISP');
+   * ```
+   */
+  async corroborate(attestationId, vote, comment) {
+    const payload = attestationId + vote;
+    const payloadBytes = (0, import_tweetnacl_util.decodeUTF8)(payload);
+    const signature = import_tweetnacl.default.sign.detached(payloadBytes, this.signingKeyPair.secretKey);
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations/${attestationId}/corroborate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({ vote, signature: (0, import_tweetnacl_util.encodeBase64)(signature), comment })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Corroboration failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Query attestations. Public — no auth required.
+   */
+  async queryAttestations(options = {}) {
+    const params = new URLSearchParams();
+    if (options.country) params.set("country", options.country);
+    if (options.domain) params.set("domain", options.domain);
+    if (options.type) params.set("type", options.type);
+    if (options.agent) params.set("agent", options.agent);
+    if (options.minConsensus !== void 0) params.set("min_consensus", String(options.minConsensus));
+    if (options.since) params.set("since", options.since);
+    if (options.limit) params.set("limit", String(options.limit));
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations?${params}`);
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.attestations;
+  }
+  /**
+   * Get attestation detail including all corroborations.
+   */
+  async getAttestation(attestationId) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations/${attestationId}`);
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Get attestation failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Get consensus summary for a country or domain.
+   */
+  async getConsensus(options) {
+    const params = new URLSearchParams();
+    if (options.country) params.set("country", options.country);
+    if (options.domain) params.set("domain", options.domain);
+    if (options.type) params.set("type", options.type);
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations/consensus?${params}`);
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.consensus;
+  }
+  /**
+   * Verify an attestation's signature locally without trusting the relay.
+   * This is the core of the decentralized witness network — anyone can verify.
+   */
+  static verifyAttestation(attestation, signingPublicKey) {
+    try {
+      const payload = attestation.claim_type + JSON.stringify(attestation.claim_data) + attestation.timestamp;
+      const payloadBytes = (0, import_tweetnacl_util.decodeUTF8)(payload);
+      const signatureBytes = (0, import_tweetnacl_util.decodeBase64)(attestation.signature);
+      const pubKeyBytes = (0, import_tweetnacl_util.decodeBase64)(signingPublicKey);
+      return import_tweetnacl.default.sign.detached.verify(payloadBytes, signatureBytes, pubKeyBytes);
+    } catch {
+      return false;
+    }
+  }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/index.mjs

@@ -2644,12 +2644,18 @@ var VoidlyAgent = class _VoidlyAgent {
         ["sign"]
       );
       const sig = await globalThis.crypto.subtle.sign("HMAC", key, encoder.encode(payload));
-      const expectedSig2 = `sha256=${Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("")}`;
-      return signature === expectedSig2;
+      const expectedSig2 = `sha256=${Array.from(new Uint8Array(sig)).map((b2) => b2.toString(16).padStart(2, "0")).join("")}`;
+      if (signature.length !== expectedSig2.length) return false;
+      const a = encoder.encode(signature);
+      const b = encoder.encode(expectedSig2);
+      let diff = 0;
+      for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+      return diff === 0;
     }
-    const { createHmac } = await import("crypto");
+    const { createHmac, timingSafeEqual } = await import("crypto");
     const expectedSig = `sha256=${createHmac("sha256", secret).update(payload).digest("hex")}`;
-    return signature === expectedSig;
+    if (signature.length !== expectedSig.length) return false;
+    return timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig));
   }
   // ─── Key Management ───────────────────────────────────────────────────────
   /**
@@ -2767,6 +2773,372 @@ var VoidlyAgent = class _VoidlyAgent {
     }
     return await res.json();
   }
+  /**
+   * Deactivate this agent identity. Removes from channels, disables webhooks.
+   * This is a soft delete — messages expire per TTL. Re-register for a new identity.
+   */
+  async deactivate() {
+    const res = await fetch(`${this.baseUrl}/v1/agent/deactivate`, {
+      method: "DELETE",
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Deactivate failed: ${err.error || res.statusText}`);
+    }
+  }
+  // ─── Capability Registry (Agent Service Mesh) ──────────────────────────────
+  /**
+   * Register a capability this agent can perform.
+   * Other agents can search for your capabilities and send tasks.
+   *
+   * @example
+   * ```ts
+   * await agent.registerCapability({
+   *   name: 'dns-analysis',
+   *   description: 'Analyze DNS for censorship evidence',
+   * });
+   * ```
+   */
+  async registerCapability(options) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({
+        name: options.name,
+        description: options.description,
+        input_schema: options.inputSchema,
+        output_schema: options.outputSchema,
+        version: options.version
+      })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Capability registration failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * List this agent's registered capabilities.
+   */
+  async listCapabilities() {
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities`, {
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.capabilities;
+  }
+  /**
+   * Search all agents' capabilities. Public — no auth required.
+   *
+   * @example
+   * ```ts
+   * // Find agents that can analyze DNS
+   * const results = await agent.searchCapabilities({ query: 'dns' });
+   * console.log(results[0].agent.did); // did:voidly:...
+   * ```
+   */
+  async searchCapabilities(options = {}) {
+    const params = new URLSearchParams();
+    if (options.query) params.set("q", options.query);
+    if (options.name) params.set("name", options.name);
+    if (options.limit) params.set("limit", String(options.limit));
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities/search?${params}`);
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.results;
+  }
+  /**
+   * Remove a capability.
+   */
+  async deleteCapability(capabilityId) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/capabilities/${capabilityId}`, {
+      method: "DELETE",
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Delete failed: ${err.error || res.statusText}`);
+    }
+  }
+  // ─── Task Protocol (Encrypted Agent Collaboration) ─────────────────────────
+  /**
+   * Create a task for another agent. The input is E2E encrypted using NaCl box.
+   *
+   * @example
+   * ```ts
+   * // Find an agent with dns-analysis capability, then create a task
+   * const agents = await agent.searchCapabilities({ name: 'dns-analysis' });
+   * const task = await agent.createTask({
+   *   to: agents[0].agent.did,
+   *   capability: 'dns-analysis',
+   *   input: { domain: 'twitter.com', country: 'IR' },
+   * });
+   * ```
+   */
+  async createTask(options) {
+    const identityRes = await fetch(`${this.baseUrl}/v1/agent/identity/${options.to}`);
+    if (!identityRes.ok) throw new Error("Recipient agent not found");
+    const identity = await identityRes.json();
+    const recipientPubKey = (0, import_tweetnacl_util.decodeBase64)(identity.encryption_public_key);
+    const plaintext = (0, import_tweetnacl_util.decodeUTF8)(JSON.stringify(options.input));
+    const nonce = import_tweetnacl.default.randomBytes(import_tweetnacl.default.box.nonceLength);
+    const encrypted = import_tweetnacl.default.box(plaintext, nonce, recipientPubKey, this.encryptionKeyPair.secretKey);
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({
+        to: options.to,
+        capability: options.capability,
+        encrypted_input: (0, import_tweetnacl_util.encodeBase64)(encrypted),
+        input_nonce: (0, import_tweetnacl_util.encodeBase64)(nonce),
+        priority: options.priority || "normal",
+        expires_in: options.expiresIn
+      })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Task creation failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * List tasks assigned to this agent or created by this agent.
+   */
+  async listTasks(options = {}) {
+    const params = new URLSearchParams();
+    if (options.role) params.set("role", options.role);
+    if (options.status) params.set("status", options.status);
+    if (options.capability) params.set("capability", options.capability);
+    if (options.limit) params.set("limit", String(options.limit));
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks?${params}`, {
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.tasks;
+  }
+  /**
+   * Get task detail. Includes encrypted input/output (only visible to participants).
+   */
+  async getTask(taskId) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks/${taskId}`, {
+      headers: { "X-Agent-Key": this.apiKey }
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Get task failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Accept, complete, or cancel a task.
+   *
+   * @example
+   * ```ts
+   * // Accept a pending task
+   * await agent.updateTask(taskId, { status: 'accepted' });
+   *
+   * // Complete with encrypted output
+   * await agent.updateTask(taskId, {
+   *   status: 'completed',
+   *   output: { blocked: true, method: 'dns-poisoning' },
+   * });
+   * ```
+   */
+  async updateTask(taskId, update) {
+    const body = {};
+    if (update.status) body.status = update.status;
+    if (update.rating !== void 0) body.rating = update.rating;
+    if (update.ratingComment) body.rating_comment = update.ratingComment;
+    if (update.output && (update.status === "completed" || update.status === "failed")) {
+      const task = await this.getTask(taskId);
+      const requesterDid = task.from;
+      const identityRes = await fetch(`${this.baseUrl}/v1/agent/identity/${requesterDid}`);
+      if (identityRes.ok) {
+        const identity = await identityRes.json();
+        const requesterPubKey = (0, import_tweetnacl_util.decodeBase64)(identity.encryption_public_key);
+        const plaintext = (0, import_tweetnacl_util.decodeUTF8)(JSON.stringify(update.output));
+        const nonce = import_tweetnacl.default.randomBytes(import_tweetnacl.default.box.nonceLength);
+        const encrypted = import_tweetnacl.default.box(plaintext, nonce, requesterPubKey, this.encryptionKeyPair.secretKey);
+        const signature = import_tweetnacl.default.sign.detached(plaintext, this.signingKeyPair.secretKey);
+        body.encrypted_output = (0, import_tweetnacl_util.encodeBase64)(encrypted);
+        body.output_nonce = (0, import_tweetnacl_util.encodeBase64)(nonce);
+        body.output_signature = (0, import_tweetnacl_util.encodeBase64)(signature);
+      }
+    }
+    const res = await fetch(`${this.baseUrl}/v1/agent/tasks/${taskId}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Task update failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Decrypt a task's encrypted input (when you're the assignee).
+   */
+  decryptTaskInput(task, senderPubKey) {
+    try {
+      const ciphertext = (0, import_tweetnacl_util.decodeBase64)(task.encrypted_input);
+      const nonce = (0, import_tweetnacl_util.decodeBase64)(task.input_nonce);
+      const plaintext = import_tweetnacl.default.box.open(ciphertext, nonce, senderPubKey, this.encryptionKeyPair.secretKey);
+      if (!plaintext) return null;
+      return JSON.parse((0, import_tweetnacl_util.encodeUTF8)(plaintext));
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Decrypt a task's encrypted output (when you're the requester).
+   */
+  decryptTaskOutput(task, assigneePubKey) {
+    try {
+      const ciphertext = (0, import_tweetnacl_util.decodeBase64)(task.encrypted_output);
+      const nonce = (0, import_tweetnacl_util.decodeBase64)(task.output_nonce);
+      const plaintext = import_tweetnacl.default.box.open(ciphertext, nonce, assigneePubKey, this.encryptionKeyPair.secretKey);
+      if (!plaintext) return null;
+      return JSON.parse((0, import_tweetnacl_util.encodeUTF8)(plaintext));
+    } catch {
+      return null;
+    }
+  }
+  // ─── Attestations (Decentralized Witness Network) ──────────────────────────
+  /**
+   * Create a signed attestation — a verifiable claim about the internet.
+   * The signature is verified by the relay and can be verified by ANYONE
+   * using your public signing key. This builds a decentralized evidence chain.
+   *
+   * @example
+   * ```ts
+   * // Attest that twitter.com is DNS-blocked in Iran
+   * const att = await agent.attest({
+   *   claimType: 'domain-blocked',
+   *   claimData: {
+   *     domain: 'twitter.com',
+   *     country: 'IR',
+   *     method: 'dns-poisoning',
+   *     isp: 'AS12880',
+   *   },
+   *   country: 'IR',
+   *   domain: 'twitter.com',
+   *   confidence: 0.95,
+   * });
+   * ```
+   */
+  async attest(options) {
+    const timestamp = options.timestamp || (/* @__PURE__ */ new Date()).toISOString();
+    const payload = options.claimType + JSON.stringify(options.claimData) + timestamp;
+    const payloadBytes = (0, import_tweetnacl_util.decodeUTF8)(payload);
+    const signature = import_tweetnacl.default.sign.detached(payloadBytes, this.signingKeyPair.secretKey);
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({
+        claim_type: options.claimType,
+        claim_data: options.claimData,
+        signature: (0, import_tweetnacl_util.encodeBase64)(signature),
+        timestamp,
+        country: options.country,
+        domain: options.domain,
+        confidence: options.confidence,
+        expires_in: options.expiresIn
+      })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Attestation failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Corroborate or refute another agent's attestation.
+   * Your vote is Ed25519-signed and publicly verifiable.
+   *
+   * @example
+   * ```ts
+   * // Confirm an attestation
+   * await agent.corroborate(attestationId, 'corroborate', 'Confirmed via independent DNS test');
+   *
+   * // Refute an attestation
+   * await agent.corroborate(attestationId, 'refute', 'Domain resolves correctly on my ISP');
+   * ```
+   */
+  async corroborate(attestationId, vote, comment) {
+    const payload = attestationId + vote;
+    const payloadBytes = (0, import_tweetnacl_util.decodeUTF8)(payload);
+    const signature = import_tweetnacl.default.sign.detached(payloadBytes, this.signingKeyPair.secretKey);
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations/${attestationId}/corroborate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-Agent-Key": this.apiKey },
+      body: JSON.stringify({ vote, signature: (0, import_tweetnacl_util.encodeBase64)(signature), comment })
+    });
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Corroboration failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Query attestations. Public — no auth required.
+   */
+  async queryAttestations(options = {}) {
+    const params = new URLSearchParams();
+    if (options.country) params.set("country", options.country);
+    if (options.domain) params.set("domain", options.domain);
+    if (options.type) params.set("type", options.type);
+    if (options.agent) params.set("agent", options.agent);
+    if (options.minConsensus !== void 0) params.set("min_consensus", String(options.minConsensus));
+    if (options.since) params.set("since", options.since);
+    if (options.limit) params.set("limit", String(options.limit));
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations?${params}`);
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.attestations;
+  }
+  /**
+   * Get attestation detail including all corroborations.
+   */
+  async getAttestation(attestationId) {
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations/${attestationId}`);
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`Get attestation failed: ${err.error || res.statusText}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Get consensus summary for a country or domain.
+   */
+  async getConsensus(options) {
+    const params = new URLSearchParams();
+    if (options.country) params.set("country", options.country);
+    if (options.domain) params.set("domain", options.domain);
+    if (options.type) params.set("type", options.type);
+    const res = await fetch(`${this.baseUrl}/v1/agent/attestations/consensus?${params}`);
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.consensus;
+  }
+  /**
+   * Verify an attestation's signature locally without trusting the relay.
+   * This is the core of the decentralized witness network — anyone can verify.
+   */
+  static verifyAttestation(attestation, signingPublicKey) {
+    try {
+      const payload = attestation.claim_type + JSON.stringify(attestation.claim_data) + attestation.timestamp;
+      const payloadBytes = (0, import_tweetnacl_util.decodeUTF8)(payload);
+      const signatureBytes = (0, import_tweetnacl_util.decodeBase64)(attestation.signature);
+      const pubKeyBytes = (0, import_tweetnacl_util.decodeBase64)(signingPublicKey);
+      return import_tweetnacl.default.sign.detached.verify(payloadBytes, signatureBytes, pubKeyBytes);
+    } catch {
+      return false;
+    }
+  }
 };
 var export_decodeBase64 = import_tweetnacl_util.decodeBase64;
 var export_decodeUTF8 = import_tweetnacl_util.decodeUTF8;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@voidly/agent-sdk",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "E2E encrypted agent-to-agent communication SDK — true client-side encryption",
   "main": "dist/index.js",
   "module": "dist/index.mjs",