acp-runtime 0.1.0

package/dist/amqpTransport.d.ts

@@ -0,0 +1,17 @@
+import { JsonMap } from "./jsonSupport.js";
+export declare const DEFAULT_AMQP_EXCHANGE = "acp.exchange";
+export declare const DEFAULT_AMQP_EXCHANGE_TYPE = "direct";
+export type AmqpMessageHandler = (message: JsonMap) => boolean | Promise<boolean>;
+export declare class AmqpTransportClient {
+    readonly broker_url: string;
+    readonly exchange: string;
+    readonly exchange_type: string;
+    readonly timeout_seconds: number;
+    constructor(brokerUrl: string, exchange?: string, exchangeType?: string, timeoutSeconds?: number);
+    static agentIdentifierToken(agentId: string): string;
+    static queueNameForAgent(agentId: string): string;
+    static routingKeyForAgent(agentId: string): string;
+    static buildServiceHint(agentId: string, brokerUrl: string, exchange?: string): JsonMap;
+    publish(message: JsonMap, recipientAgentId: string, service?: JsonMap): Promise<void>;
+    consume(agentId: string, handler: AmqpMessageHandler, service?: JsonMap, maxMessages?: number): Promise<number>;
+}

package/dist/amqpTransport.js

@@ -0,0 +1,164 @@
+/*
+ * Copyright 2026 ACP Project
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file for details.
+ */
+import { connect } from "amqplib";
+import { invalidArgument, transportError, validationError } from "./errors.js";
+export const DEFAULT_AMQP_EXCHANGE = "acp.exchange";
+export const DEFAULT_AMQP_EXCHANGE_TYPE = "direct";
+function pickString(service, key, fallback) {
+    const value = service?.[key];
+    if (typeof value === "string" && value.trim()) {
+        return value.trim();
+    }
+    return fallback;
+}
+function metadataHeaders(message) {
+    const envelope = message.envelope && typeof message.envelope === "object" && !Array.isArray(message.envelope)
+        ? message.envelope
+        : {};
+    const headers = {};
+    for (const [source, destination] of [
+        ["acp_version", "acp_version"],
+        ["message_class", "acp_message_class"],
+        ["message_id", "acp_message_id"],
+        ["operation_id", "acp_operation_id"],
+        ["sender", "acp_sender"]
+    ]) {
+        const value = envelope[source];
+        if (typeof value === "string" && value.trim()) {
+            headers[destination] = value.trim();
+        }
+    }
+    return headers;
+}
+export class AmqpTransportClient {
+    broker_url;
+    exchange;
+    exchange_type;
+    timeout_seconds;
+    constructor(brokerUrl, exchange, exchangeType, timeoutSeconds = 10) {
+        if (!brokerUrl.trim()) {
+            throw invalidArgument("broker_url must be provided");
+        }
+        this.broker_url = brokerUrl;
+        this.exchange = exchange?.trim() || DEFAULT_AMQP_EXCHANGE;
+        this.exchange_type = exchangeType?.trim() || DEFAULT_AMQP_EXCHANGE_TYPE;
+        this.timeout_seconds = Math.max(1, timeoutSeconds);
+    }
+    static agentIdentifierToken(agentId) {
+        const match = /^agent:(?<name>[^@]+)(?:@(?<domain>.+))?$/.exec(agentId);
+        if (!match?.groups?.name) {
+            throw validationError(`Invalid agent identifier: ${agentId}`);
+        }
+        const base = match.groups.domain ? `${match.groups.name}.${match.groups.domain}` : match.groups.name;
+        const normalized = base
+            .split("")
+            .map((char) => (/^[A-Za-z0-9._-]$/.test(char) ? char : "."))
+            .join("")
+            .split(".")
+            .filter((segment) => segment.length > 0)
+            .join(".");
+        return normalized || "unknown";
+    }
+    static queueNameForAgent(agentId) {
+        return `acp.agent.${AmqpTransportClient.agentIdentifierToken(agentId)}`;
+    }
+    static routingKeyForAgent(agentId) {
+        return `agent.${AmqpTransportClient.agentIdentifierToken(agentId)}`;
+    }
+    static buildServiceHint(agentId, brokerUrl, exchange) {
+        return {
+            broker_url: brokerUrl,
+            exchange: exchange?.trim() || DEFAULT_AMQP_EXCHANGE,
+            queue: AmqpTransportClient.queueNameForAgent(agentId),
+            routing_key: AmqpTransportClient.routingKeyForAgent(agentId)
+        };
+    }
+    async publish(message, recipientAgentId, service) {
+        const brokerUrl = pickString(service, "broker_url", this.broker_url);
+        const exchange = pickString(service, "exchange", this.exchange);
+        const queue = pickString(service, "queue", AmqpTransportClient.queueNameForAgent(recipientAgentId));
+        const routingKey = pickString(service, "routing_key", AmqpTransportClient.routingKeyForAgent(recipientAgentId));
+        const body = JSON.stringify(message);
+        const headers = metadataHeaders(message);
+        let connection;
+        let channel;
+        try {
+            connection = await connect(brokerUrl);
+            channel = await connection.createChannel();
+            await channel.assertExchange(exchange, this.exchange_type, { durable: true });
+            await channel.assertQueue(queue, { durable: true });
+            await channel.bindQueue(queue, exchange, routingKey);
+            channel.publish(exchange, routingKey, Buffer.from(body, "utf-8"), {
+                contentType: "application/json",
+                deliveryMode: 2,
+                headers
+            });
+            await channel.close();
+            await connection.close();
+        }
+        catch (error) {
+            if (channel) {
+                await channel.close().catch(() => undefined);
+            }
+            if (connection) {
+                await connection.close().catch(() => undefined);
+            }
+            throw transportError(`amqp publish failed: ${String(error)}`);
+        }
+    }
+    async consume(agentId, handler, service, maxMessages = 0) {
+        const brokerUrl = pickString(service, "broker_url", this.broker_url);
+        const exchange = pickString(service, "exchange", this.exchange);
+        const queue = pickString(service, "queue", AmqpTransportClient.queueNameForAgent(agentId));
+        const routingKey = pickString(service, "routing_key", AmqpTransportClient.routingKeyForAgent(agentId));
+        const limit = maxMessages === 0 ? Number.MAX_SAFE_INTEGER : maxMessages;
+        let processed = 0;
+        let connection;
+        let channel;
+        try {
+            connection = await connect(brokerUrl);
+            channel = await connection.createChannel();
+            await channel.assertExchange(exchange, this.exchange_type, { durable: true });
+            await channel.assertQueue(queue, { durable: true });
+            await channel.bindQueue(queue, exchange, routingKey);
+            while (processed < limit) {
+                const result = await channel.get(queue, { noAck: false });
+                if (!result) {
+                    break;
+                }
+                let shouldAck = false;
+                try {
+                    const parsed = JSON.parse(result.content.toString("utf-8"));
+                    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+                        shouldAck = await handler(parsed);
+                    }
+                }
+                catch {
+                    shouldAck = false;
+                }
+                if (shouldAck) {
+                    channel.ack(result);
+                }
+                else {
+                    channel.nack(result, false, true);
+                }
+                processed += 1;
+            }
+            await channel.close();
+            await connection.close();
+            return processed;
+        }
+        catch (error) {
+            if (channel) {
+                await channel.close().catch(() => undefined);
+            }
+            if (connection) {
+                await connection.close().catch(() => undefined);
+            }
+            throw transportError(`amqp consume failed: ${String(error)}`);
+        }
+    }
+}

package/dist/capabilities.d.ts

@@ -0,0 +1,16 @@
+import { JsonMap } from "./jsonSupport.js";
+export interface CapabilityMatch {
+    compatible: boolean;
+    reason?: string;
+}
+export declare class AgentCapabilities {
+    agent_id: string;
+    protocol_versions: string[];
+    crypto_suites: string[];
+    transports: string[];
+    supports: Record<string, boolean>;
+    constructor(agentId: string);
+    toMap(): JsonMap;
+    static fromMap(map: JsonMap | undefined, fallbackAgentId: string): AgentCapabilities;
+    chooseCompatible(remote: AgentCapabilities): CapabilityMatch;
+}

package/dist/capabilities.js

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2026 ACP Project
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file for details.
+ */
+import { ACP_VERSION, DEFAULT_CRYPTO_SUITE } from "./constants.js";
+export class AgentCapabilities {
+    agent_id;
+    protocol_versions;
+    crypto_suites;
+    transports;
+    supports;
+    constructor(agentId) {
+        this.agent_id = agentId;
+        this.protocol_versions = [ACP_VERSION];
+        this.crypto_suites = [DEFAULT_CRYPTO_SUITE];
+        this.transports = ["https", "http", "relay", "amqp", "mqtt"];
+        this.supports = {
+            capabilities: true,
+            compensate: true,
+            amqp: true,
+            mqtt: true,
+            overlay: true
+        };
+    }
+    toMap() {
+        return {
+            agent_id: this.agent_id,
+            protocol_versions: [...this.protocol_versions],
+            crypto_suites: [...this.crypto_suites],
+            transports: [...this.transports],
+            supports: { ...this.supports }
+        };
+    }
+    static fromMap(map, fallbackAgentId) {
+        const capabilities = new AgentCapabilities(fallbackAgentId);
+        if (!map) {
+            return capabilities;
+        }
+        const agentId = typeof map.agent_id === "string" ? map.agent_id : fallbackAgentId;
+        capabilities.agent_id = agentId;
+        if (Array.isArray(map.protocol_versions)) {
+            capabilities.protocol_versions = map.protocol_versions
+                .filter((item) => typeof item === "string")
+                .map((item) => item.trim())
+                .filter((item) => item.length > 0);
+        }
+        if (Array.isArray(map.crypto_suites)) {
+            capabilities.crypto_suites = map.crypto_suites
+                .filter((item) => typeof item === "string")
+                .map((item) => item.trim())
+                .filter((item) => item.length > 0);
+        }
+        if (Array.isArray(map.transports)) {
+            capabilities.transports = map.transports
+                .filter((item) => typeof item === "string")
+                .map((item) => item.trim().toLowerCase())
+                .filter((item) => item.length > 0);
+        }
+        if (map.supports && typeof map.supports === "object" && !Array.isArray(map.supports)) {
+            const supports = {};
+            for (const [key, value] of Object.entries(map.supports)) {
+                supports[key] = Boolean(value);
+            }
+            capabilities.supports = supports;
+        }
+        return capabilities;
+    }
+    chooseCompatible(remote) {
+        if (!this.protocol_versions.some((version) => remote.protocol_versions.includes(version))) {
+            return { compatible: false, reason: "No compatible protocol version" };
+        }
+        if (!this.crypto_suites.some((suite) => remote.crypto_suites.includes(suite))) {
+            return { compatible: false, reason: "No compatible crypto suite" };
+        }
+        if (!this.transports.some((transport) => remote.transports.includes(transport))) {
+            return { compatible: false, reason: "No compatible transport" };
+        }
+        return { compatible: true };
+    }
+}

package/dist/constants.d.ts

@@ -0,0 +1,7 @@
+export declare const ACP_VERSION = "1.0";
+export declare const ACP_IDENTITY_VERSION = "1.0";
+export declare const DEFAULT_CRYPTO_SUITE = "ACP-AES256-GCM+X25519+ED25519";
+export declare const DEFAULT_IDENTITY_DOCUMENT_PATH = "/api/v1/acp/identity";
+export declare const TRUST_PROFILES: readonly ["self_asserted", "domain_verified"];
+export type TrustProfile = (typeof TRUST_PROFILES)[number];
+export declare function isSupportedTrustProfile(value: string): value is TrustProfile;

package/dist/constants.js

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2026 ACP Project
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file for details.
+ */
+export const ACP_VERSION = "1.0";
+export const ACP_IDENTITY_VERSION = "1.0";
+export const DEFAULT_CRYPTO_SUITE = "ACP-AES256-GCM+X25519+ED25519";
+export const DEFAULT_IDENTITY_DOCUMENT_PATH = "/api/v1/acp/identity";
+export const TRUST_PROFILES = ["self_asserted", "domain_verified"];
+export function isSupportedTrustProfile(value) {
+    return TRUST_PROFILES.includes(value);
+}

package/dist/crypto.d.ts

@@ -0,0 +1,20 @@
+import { JsonMap } from "./jsonSupport.js";
+import { Envelope, ProtectedPayload } from "./messages.js";
+export declare function sha256Hex(input: Uint8Array): string;
+export declare function generateEd25519Keypair(): {
+    private_key: string;
+    public_key: string;
+};
+export declare function ed25519PublicFromPrivate(signingPrivateKeyB64: string): string;
+export declare function generateX25519Keypair(): {
+    private_key: string;
+    public_key: string;
+};
+export declare function x25519PublicFromPrivate(encryptionPrivateKeyB64: string): string;
+export declare function signBytes(data: Uint8Array, signingPrivateKeyB64: string): string;
+export declare function verifySignature(data: Uint8Array, signatureB64: string, signingPublicKeyB64: string): boolean;
+export declare function envelopeAad(envelope: Envelope): Uint8Array;
+export declare function encryptForRecipients(payload: JsonMap, envelope: Envelope, recipientEncryptionPublicKeys: Record<string, string>): ProtectedPayload;
+export declare function signProtectedPayload(envelope: Envelope, protectedPayload: ProtectedPayload, signingPrivateKeyB64: string, signatureKid: string): ProtectedPayload;
+export declare function verifyProtectedPayloadSignature(envelope: Envelope, protectedPayload: ProtectedPayload, senderSigningPublicKeyB64: string): boolean;
+export declare function decryptForRecipient(envelope: Envelope, protectedPayload: ProtectedPayload, recipientId: string, recipientEncryptionPrivateKeyB64: string): JsonMap;

package/dist/crypto.js

@@ -0,0 +1,173 @@
+/*
+ * Copyright 2026 ACP Project
+ * Licensed under the Apache License, Version 2.0
+ * See LICENSE file for details.
+ */
+import { createCipheriv, createDecipheriv, createHash, hkdfSync, randomBytes } from "node:crypto";
+import nacl from "tweetnacl";
+import { cryptoError } from "./errors.js";
+import { canonicalJsonBytes, parseJsonMap } from "./jsonSupport.js";
+function toBase64Url(bytes) {
+    return Buffer.from(bytes).toString("base64url");
+}
+function fromBase64Url(value) {
+    try {
+        return Buffer.from(value, "base64url");
+    }
+    catch (error) {
+        throw cryptoError(`invalid base64 value: ${String(error)}`);
+    }
+}
+function asFixedBytes(value, length, label) {
+    if (value.length !== length) {
+        throw cryptoError(`invalid ${label} length`);
+    }
+    return value;
+}
+export function sha256Hex(input) {
+    return createHash("sha256").update(input).digest("hex");
+}
+export function generateEd25519Keypair() {
+    const seed = randomBytes(32);
+    const keypair = nacl.sign.keyPair.fromSeed(seed);
+    return {
+        private_key: toBase64Url(seed),
+        public_key: toBase64Url(keypair.publicKey)
+    };
+}
+export function ed25519PublicFromPrivate(signingPrivateKeyB64) {
+    const seed = asFixedBytes(fromBase64Url(signingPrivateKeyB64), 32, "Ed25519 private key");
+    return toBase64Url(nacl.sign.keyPair.fromSeed(seed).publicKey);
+}
+export function generateX25519Keypair() {
+    const keypair = nacl.box.keyPair();
+    return {
+        private_key: toBase64Url(keypair.secretKey),
+        public_key: toBase64Url(keypair.publicKey)
+    };
+}
+export function x25519PublicFromPrivate(encryptionPrivateKeyB64) {
+    const privateKey = asFixedBytes(fromBase64Url(encryptionPrivateKeyB64), 32, "X25519 private key");
+    const keypair = nacl.box.keyPair.fromSecretKey(privateKey);
+    return toBase64Url(keypair.publicKey);
+}
+export function signBytes(data, signingPrivateKeyB64) {
+    const seed = asFixedBytes(fromBase64Url(signingPrivateKeyB64), 32, "Ed25519 private key");
+    const signingKeypair = nacl.sign.keyPair.fromSeed(seed);
+    const signature = nacl.sign.detached(data, signingKeypair.secretKey);
+    return toBase64Url(signature);
+}
+export function verifySignature(data, signatureB64, signingPublicKeyB64) {
+    const signature = fromBase64Url(signatureB64);
+    const publicKey = fromBase64Url(signingPublicKeyB64);
+    if (signature.length !== nacl.sign.signatureLength || publicKey.length !== nacl.sign.publicKeyLength) {
+        return false;
+    }
+    return nacl.sign.detached.verify(data, signature, publicKey);
+}
+export function envelopeAad(envelope) {
+    return canonicalJsonBytes({
+        acp_version: envelope.acp_version,
+        message_id: envelope.message_id,
+        operation_id: envelope.operation_id,
+        sender: envelope.sender,
+        recipients: envelope.recipients
+    });
+}
+function deriveWrapKey(sharedSecret, recipient) {
+    const derived = hkdfSync("sha256", sharedSecret, Buffer.alloc(0), `acp-v1-wrap:${recipient}`, 32);
+    return new Uint8Array(derived);
+}
+function encryptAesGcm(key, nonce, plaintext, aad) {
+    const cipher = createCipheriv("aes-256-gcm", key, nonce);
+    cipher.setAAD(aad);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([ciphertext, authTag]);
+}
+function decryptAesGcm(key, nonce, ciphertextWithTag, aad) {
+    if (ciphertextWithTag.length < 16) {
+        throw cryptoError("ciphertext is too short");
+    }
+    const ciphertext = ciphertextWithTag.subarray(0, ciphertextWithTag.length - 16);
+    const tag = ciphertextWithTag.subarray(ciphertextWithTag.length - 16);
+    const decipher = createDecipheriv("aes-256-gcm", key, nonce);
+    decipher.setAAD(aad);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+export function encryptForRecipients(payload, envelope, recipientEncryptionPublicKeys) {
+    const plaintext = canonicalJsonBytes(payload);
+    const contentKey = randomBytes(32);
+    const payloadNonce = randomBytes(12);
+    const payloadCiphertext = encryptAesGcm(contentKey, payloadNonce, plaintext, envelopeAad(envelope));
+    const ephemeral = nacl.box.keyPair();
+    const wrappedContentKeys = [];
+    for (const [recipient, recipientPublicKeyB64] of Object.entries(recipientEncryptionPublicKeys)) {
+        const recipientPublicKey = asFixedBytes(fromBase64Url(recipientPublicKeyB64), 32, "X25519 public key");
+        const sharedSecret = nacl.scalarMult(ephemeral.secretKey, recipientPublicKey);
+        const wrapKey = deriveWrapKey(sharedSecret, recipient);
+        const wrapNonce = randomBytes(12);
+        const wrappedContentKey = encryptAesGcm(wrapKey, wrapNonce, contentKey, new TextEncoder().encode(envelope.message_id));
+        wrappedContentKeys.push({
+            recipient,
+            ephemeral_public_key: toBase64Url(ephemeral.publicKey),
+            nonce: toBase64Url(wrapNonce),
+            ciphertext: toBase64Url(wrappedContentKey)
+        });
+    }
+    return {
+        nonce: toBase64Url(payloadNonce),
+        ciphertext: toBase64Url(payloadCiphertext),
+        wrapped_content_keys: wrappedContentKeys,
+        payload_hash: sha256Hex(payloadCiphertext),
+        signature_kid: "",
+        signature: ""
+    };
+}
+function messageSignatureInput(envelope, protectedPayload) {
+    const signableProtected = {
+        nonce: protectedPayload.nonce,
+        ciphertext: protectedPayload.ciphertext,
+        wrapped_content_keys: [...protectedPayload.wrapped_content_keys].sort((a, b) => a.recipient.localeCompare(b.recipient)),
+        payload_hash: protectedPayload.payload_hash,
+        signature_kid: protectedPayload.signature_kid
+    };
+    return canonicalJsonBytes({
+        envelope,
+        protected: signableProtected
+    });
+}
+export function signProtectedPayload(envelope, protectedPayload, signingPrivateKeyB64, signatureKid) {
+    const signedPayload = {
+        ...protectedPayload,
+        signature_kid: signatureKid
+    };
+    const signatureInput = messageSignatureInput(envelope, signedPayload);
+    signedPayload.signature = signBytes(signatureInput, signingPrivateKeyB64);
+    return signedPayload;
+}
+export function verifyProtectedPayloadSignature(envelope, protectedPayload, senderSigningPublicKeyB64) {
+    if (!protectedPayload.signature.trim()) {
+        return false;
+    }
+    const signatureInput = messageSignatureInput(envelope, protectedPayload);
+    return verifySignature(signatureInput, protectedPayload.signature, senderSigningPublicKeyB64);
+}
+export function decryptForRecipient(envelope, protectedPayload, recipientId, recipientEncryptionPrivateKeyB64) {
+    const wrapped = protectedPayload.wrapped_content_keys.find((item) => item.recipient === recipientId);
+    if (!wrapped) {
+        throw cryptoError(`No wrapped content key available for recipient ${recipientId}`);
+    }
+    const recipientPrivateKey = asFixedBytes(fromBase64Url(recipientEncryptionPrivateKeyB64), 32, "X25519 private key");
+    const ephemeralPublicKey = asFixedBytes(fromBase64Url(wrapped.ephemeral_public_key), 32, "X25519 public key");
+    const sharedSecret = nacl.scalarMult(recipientPrivateKey, ephemeralPublicKey);
+    const wrapKey = deriveWrapKey(sharedSecret, recipientId);
+    const wrappedNonce = asFixedBytes(fromBase64Url(wrapped.nonce), 12, "wrapped nonce");
+    const wrappedCiphertext = fromBase64Url(wrapped.ciphertext);
+    const contentKey = decryptAesGcm(wrapKey, wrappedNonce, wrappedCiphertext, new TextEncoder().encode(envelope.message_id));
+    const payloadNonce = asFixedBytes(fromBase64Url(protectedPayload.nonce), 12, "payload nonce");
+    const payloadCiphertext = fromBase64Url(protectedPayload.ciphertext);
+    const plaintext = decryptAesGcm(contentKey, payloadNonce, payloadCiphertext, envelopeAad(envelope));
+    return parseJsonMap(new TextDecoder().decode(plaintext));
+}

package/dist/discovery.d.ts

@@ -0,0 +1,26 @@
+import { HttpSecurityPolicy } from "./httpSecurity.js";
+import { JsonMap } from "./jsonSupport.js";
+export declare class DiscoveryClient {
+    private readonly cache_path;
+    private readonly default_scheme;
+    private readonly relay_hints;
+    private readonly enterprise_directory_hints;
+    private readonly timeout_seconds;
+    private readonly policy;
+    private readonly cache;
+    private readonly registry;
+    private readonly fetchOptions;
+    constructor(cache_path: string | undefined, default_scheme?: string, relay_hints?: string[], enterprise_directory_hints?: string[], timeout_seconds?: number, policy?: HttpSecurityPolicy);
+    seed(identityDocument: JsonMap): void;
+    registerIdentityDocument(identityDocument: JsonMap): void;
+    resolve(agentId: string): Promise<JsonMap>;
+    resolveWellKnown(baseUrl: string, expectedAgentId?: string): Promise<JsonMap>;
+    private tryCache;
+    private tryWellKnown;
+    private tryHintLookups;
+    private resolveWellKnownUrl;
+    private fetchJson;
+    private cacheIdentity;
+    private loadCache;
+    private persistCache;
+}