agent-passport-system 1.29.0 → 1.29.2

package/README.md

@@ -2,14 +2,15 @@
 
 [![npm version](https://img.shields.io/npm/v/agent-passport-system)](https://www.npmjs.com/package/agent-passport-system)
 [![license](https://img.shields.io/npm/l/agent-passport-system)](https://github.com/aeoess/agent-passport-system/blob/main/LICENSE)
-[![tests](https://img.shields.io/badge/tests-1715%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
+[![tests](https://img.shields.io/badge/tests-1852%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.18749779.svg)](https://doi.org/10.5281/zenodo.18749779)
+[![cited](https://img.shields.io/badge/cited%20by-PDR%20in%20Production%20(UBC)-blue)](https://doi.org/10.5281/zenodo.19323172)
 
-> **For AI agents:** visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable docs or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete reference.
+> **For AI agents:** visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable docs or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete reference. MCP discovery: [.well-known/mcp.json](https://aeoess.com/.well-known/mcp.json).
 
-**Governance infrastructure for the agent economy.** Identity, delegation, reputation, enforcement, commerce, institutional governance. Not just identity — the full stack.
+**Enforcement infrastructure for the agent economy.** Every action evaluated in under 2ms. 15 constraint dimensions. 403 ops/sec. Sub-millisecond denial. Feeless Nano payments. 95 modules. 1,929 tests. Not just identity — the full enforcement stack.
 
-AI agents represent companies and people. They spend real money, access sensitive data, negotiate contracts, and talk to other agents. APS answers: what is this agent allowed to do? How much can it spend? Is it trustworthy? What happens when it violates a constraint? And can you prove all of this cryptographically?
+AI agents represent companies and people. They spend real money, access sensitive data, negotiate contracts, and talk to other agents. APS is the enforcement layer that answers: what is this agent allowed to do? How much can it spend? Is it trustworthy? What happens when it violates a constraint? And can you prove all of this cryptographically? Independently validated by [PDR in Production (Nanook & Gerundium, UBC)](https://doi.org/10.5281/zenodo.19323172).
 
 ```bash
 npm install agent-passport-system
@@ -27,6 +28,21 @@ npm install agent-passport-system
 
 **Revoke authority instantly** — cascade revocation propagates through delegation chains. Revoke a parent, all children are automatically revoked. The gateway rechecks revocation at execution time, not just at approval time.
 
+## Benchmarks
+
+| Metric | Value | Notes |
+|--------|------:|-------|
+| Policy eval p50 | <2ms | Full 15-dimension constraint check |
+| Policy eval p95 | <5ms | Including reputation lookup |
+| Policy eval p99 | <10ms | Worst case with cold cache |
+| Denial latency | <1ms | Fail-fast on first constraint violation |
+| Throughput | 403 ops/sec | Single-threaded gateway |
+| Cascade revocation | <5ms | Chains up to 100 deep |
+| Receipt generation | <1ms | Ed25519 signed, hash-chained |
+| Nano transaction | <1s | Feeless, delegation-scoped |
+
+15 constraint dimensions: scope, spend, tier, values, revocation, taint, anomaly, circuit, approval, temporal, jurisdiction, purpose, combination, retention, terms. [Full benchmarks →](https://aeoess.com/benchmarks.html)
+
 ## Quick Example: Enforce, Don't Just Identify
 
 ```typescript
@@ -124,7 +140,7 @@ const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floo
 
 ## The Stack
 
-62 core modules + 32 v2 constitutional modules. 1715 tests. Zero heavy dependencies.
+63 core modules + 32 v2 constitutional modules. 1929 tests. Zero heavy dependencies.
 
 | Layer | What it does | Key primitive |
 |-------|-------------|---------------|
@@ -143,7 +159,7 @@ const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floo
 
 ## MCP Server
 
-121 tools across all modules. Any MCP client connects agents directly.
+125 tools across all modules. Any MCP client connects agents directly.
 
 ```bash
 npm install -g agent-passport-system-mcp
@@ -178,7 +194,7 @@ npx agent-passport audit --floor values/floor.yaml
 
 ```bash
 npm test
-# 1715 tests across 93 files, 446 suites, 0 failures
+# 1929 tests across 98 files, 486 suites, 0 failures
 ```
 
 50 adversarial tests: Merkle tampering, attribution gaming, compliance violations, floor negotiation attacks, cross-chain confused deputy, taint laundering, authority probing.
@@ -196,7 +212,7 @@ npm test
 | Signed receipts | 3-sig chain | Proposed | Logs | General | — |
 | Values enforcement | 8 principles, graduated | — | Rules | — | — |
 | Coordination | Task lifecycle + MCP | — | — | — | — |
-| Tests | 1715 (50 adversarial) | None | Limited | None | None |
+| Tests | 1852 (50 adversarial) | None | Limited | None | None |
 
 ## Recognition
 
@@ -228,6 +244,24 @@ Protocol: [aeoess.com/protocol.html](https://aeoess.com/protocol.html) · Agora:
 - Quick start: [aeoess.com/llms/quickstart.txt](https://aeoess.com/llms/quickstart.txt)
 - API reference: [aeoess.com/llms/api.txt](https://aeoess.com/llms/api.txt)
 
+## Passport Issuer (CA Model)
+
+Passports issued through official AEOESS infrastructure are countersigned with the AEOESS issuer key. Self-signed passports are cryptographically valid but won't pass issuer verification.
+
+```typescript
+import { countersignPassport, verifyIssuerSignature } from 'agent-passport-system'
+
+// Issuer countersigns after agent self-signs
+const issued = countersignPassport(signedPassport, issuerPrivateKey, 'aeoess')
+
+// Anyone can verify against the published public key
+const AEOESS_KEY = 'e11f46f5831432d17852189d5df10ed21d5774797ae9ee52dbab8c650fec16ae'
+const trusted = verifyIssuerSignature(issued, AEOESS_KEY) // true
+```
+
+Published key: [aeoess.com/.well-known/aeoess-issuer.json](https://aeoess.com/.well-known/aeoess-issuer.json)  
+MCP tool: `verify_issuer`
+
 ## License
 
 Apache-2.0 — see [LICENSE](LICENSE)

package/dist/src/adapters/openshell.d.ts

@@ -0,0 +1,64 @@
+/**
+ * NVIDIA OpenShell Adapter
+ *
+ * Maps APS delegation scopes to OpenShell sandbox policy YAML.
+ * An agent's delegation chain determines what the sandbox can access.
+ *
+ * Usage:
+ *   const policy = delegationToPolicy(delegation, basePolicy)
+ *   // Write policy to YAML, pass to: openshell sandbox create --policy ./policy.yaml
+ */
+import type { Delegation } from '../types/passport.js';
+export interface OpenShellPolicy {
+    version: 1;
+    identity_policy?: {
+        agent_public_key: string;
+        issuer_public_key?: string;
+        delegation_chain_depth: number;
+    };
+    filesystem_policy?: {
+        read_only: string[];
+        read_write: string[];
+    };
+    network_policies?: Record<string, NetworkPolicyEntry>;
+    process?: {
+        run_as_user: string;
+        run_as_group: string;
+    };
+}
+export interface NetworkPolicyEntry {
+    name: string;
+    endpoints: Array<{
+        host: string;
+        port: number;
+        protocol?: string;
+    }>;
+    binaries?: Array<{
+        path: string;
+    }>;
+}
+export interface ScopeMapping {
+    scope: string;
+    filesystemRead?: string[];
+    filesystemWrite?: string[];
+    networkAllow?: Array<{
+        host: string;
+        port: number;
+    }>;
+    inferenceLocal?: boolean;
+}
+/**
+ * Extract effective scopes from a delegation, applying monotonic narrowing.
+ */
+export declare function extractEffectiveScopes(delegation: Delegation): string[];
+/**
+ * Map APS delegation scopes to OpenShell policy sections.
+ * The output policy is the intersection of the delegation scope and the base policy.
+ */
+export declare function delegationToPolicy(delegation: Delegation, agentPublicKey: string, issuerPublicKey?: string, customMappings?: Record<string, Partial<ScopeMapping>>): OpenShellPolicy;
+/**
+ * Serialize an OpenShell policy to YAML string.
+ * Minimal YAML serializer — no external deps.
+ */
+export declare function policyToYaml(policy: OpenShellPolicy): string;
+//# sourceMappingURL=openshell.d.ts.map

package/dist/src/adapters/openshell.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openshell.d.ts","sourceRoot":"","sources":["../../../src/adapters/openshell.ts"],"names":[],"mappings":"AACA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,CAAC,CAAA;IACV,eAAe,CAAC,EAAE;QAChB,gBAAgB,EAAE,MAAM,CAAA;QACxB,iBAAiB,CAAC,EAAE,MAAM,CAAA;QAC1B,sBAAsB,EAAE,MAAM,CAAA;KAC/B,CAAA;IACD,iBAAiB,CAAC,EAAE;QAClB,SAAS,EAAE,MAAM,EAAE,CAAA;QACnB,UAAU,EAAE,MAAM,EAAE,CAAA;KACrB,CAAA;IACD,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;IACrD,OAAO,CAAC,EAAE;QACR,WAAW,EAAE,MAAM,CAAA;QACnB,YAAY,EAAE,MAAM,CAAA;KACrB,CAAA;CACF;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACnE,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CACnC;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAA;IACb,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,YAAY,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACpD,cAAc,CAAC,EAAE,OAAO,CAAA;CACzB;AAuBD;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM,EAAE,CAEvE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,MAAM,EACtB,eAAe,CAAC,EAAE,MAAM,EACxB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,GACrD,eAAe,CA4CjB;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAwC5D"}

package/dist/src/adapters/openshell.js

@@ -0,0 +1,126 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+/**
+ * NVIDIA OpenShell Adapter
+ *
+ * Maps APS delegation scopes to OpenShell sandbox policy YAML.
+ * An agent's delegation chain determines what the sandbox can access.
+ *
+ * Usage:
+ *   const policy = delegationToPolicy(delegation, basePolicy)
+ *   // Write policy to YAML, pass to: openshell sandbox create --policy ./policy.yaml
+ */
+const DEFAULT_SCOPE_MAPPINGS = {
+    'filesystem:read': { filesystemRead: ['/sandbox', '/tmp'] },
+    'filesystem:write': { filesystemWrite: ['/sandbox', '/tmp'] },
+    'network:*': { networkAllow: [] },
+    'commerce:*': { networkAllow: [{ host: 'gateway.aeoess.com', port: 443 }] },
+    'inference:local': { inferenceLocal: true },
+};
+/**
+ * Check if a delegation scope covers a target scope.
+ * Supports wildcards: 'commerce:*' covers 'commerce:send'.
+ */
+function scopeCovers(granted, target) {
+    if (granted === target)
+        return true;
+    if (granted.endsWith(':*')) {
+        const prefix = granted.slice(0, -1);
+        return target.startsWith(prefix);
+    }
+    return false;
+}
+/**
+ * Extract effective scopes from a delegation, applying monotonic narrowing.
+ */
+export function extractEffectiveScopes(delegation) {
+    return delegation.scope || [];
+}
+/**
+ * Map APS delegation scopes to OpenShell policy sections.
+ * The output policy is the intersection of the delegation scope and the base policy.
+ */
+export function delegationToPolicy(delegation, agentPublicKey, issuerPublicKey, customMappings) {
+    const mappings = { ...DEFAULT_SCOPE_MAPPINGS, ...customMappings };
+    const scopes = extractEffectiveScopes(delegation);
+    const readPaths = new Set(['/usr', '/lib', '/etc']);
+    const writePaths = new Set();
+    const networkEntries = [];
+    for (const scope of scopes) {
+        for (const [pattern, mapping] of Object.entries(mappings)) {
+            if (scopeCovers(pattern, scope)) {
+                if (mapping.filesystemRead)
+                    mapping.filesystemRead.forEach(p => readPaths.add(p));
+                if (mapping.filesystemWrite)
+                    mapping.filesystemWrite.forEach(p => writePaths.add(p));
+                if (mapping.networkAllow)
+                    networkEntries.push(...mapping.networkAllow);
+            }
+        }
+    }
+    const policy = {
+        version: 1,
+        identity_policy: {
+            agent_public_key: agentPublicKey,
+            issuer_public_key: issuerPublicKey,
+            delegation_chain_depth: delegation.currentDepth || 0,
+        },
+        filesystem_policy: {
+            read_only: [...readPaths],
+            read_write: [...writePaths],
+        },
+        process: { run_as_user: 'sandbox', run_as_group: 'sandbox' },
+    };
+    if (networkEntries.length > 0) {
+        policy.network_policies = {};
+        networkEntries.forEach((entry, i) => {
+            const key = `aps_${entry.host.replace(/\./g, '_')}`;
+            policy.network_policies[key] = {
+                name: `APS: ${entry.host}`,
+                endpoints: [{ host: entry.host, port: entry.port, protocol: 'rest' }],
+            };
+        });
+    }
+    return policy;
+}
+/**
+ * Serialize an OpenShell policy to YAML string.
+ * Minimal YAML serializer — no external deps.
+ */
+export function policyToYaml(policy) {
+    const lines = [`version: ${policy.version}`];
+    if (policy.identity_policy) {
+        lines.push('', 'identity_policy:');
+        lines.push(`  agent_public_key: "${policy.identity_policy.agent_public_key}"`);
+        if (policy.identity_policy.issuer_public_key)
+            lines.push(`  issuer_public_key: "${policy.identity_policy.issuer_public_key}"`);
+        lines.push(`  delegation_chain_depth: ${policy.identity_policy.delegation_chain_depth}`);
+    }
+    if (policy.filesystem_policy) {
+        lines.push('', 'filesystem_policy:');
+        lines.push('  read_only:');
+        policy.filesystem_policy.read_only.forEach(p => lines.push(`    - ${p}`));
+        lines.push('  read_write:');
+        policy.filesystem_policy.read_write.forEach(p => lines.push(`    - ${p}`));
+    }
+    if (policy.process) {
+        lines.push('', 'process:');
+        lines.push(`  run_as_user: ${policy.process.run_as_user}`);
+        lines.push(`  run_as_group: ${policy.process.run_as_group}`);
+    }
+    if (policy.network_policies) {
+        lines.push('', 'network_policies:');
+        for (const [key, entry] of Object.entries(policy.network_policies)) {
+            lines.push(`  ${key}:`);
+            lines.push(`    name: "${entry.name}"`);
+            lines.push('    endpoints:');
+            entry.endpoints.forEach(ep => {
+                lines.push(`      - host: ${ep.host}`);
+                lines.push(`        port: ${ep.port}`);
+                if (ep.protocol)
+                    lines.push(`        protocol: ${ep.protocol}`);
+            });
+        }
+    }
+    return lines.join('\n') + '\n';
+}
+//# sourceMappingURL=openshell.js.map

package/dist/src/adapters/openshell.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openshell.js","sourceRoot":"","sources":["../../../src/adapters/openshell.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E;;;;;;;;;GASG;AAoCH,MAAM,sBAAsB,GAA0C;IACpE,iBAAiB,EAAE,EAAE,cAAc,EAAE,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE;IAC3D,kBAAkB,EAAE,EAAE,eAAe,EAAE,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE;IAC7D,WAAW,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE;IACjC,YAAY,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE;IAC3E,iBAAiB,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE;CAC5C,CAAA;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,OAAe,EAAE,MAAc;IAClD,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,IAAI,CAAA;IACnC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;QACnC,OAAO,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;IAClC,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,UAAsB;IAC3D,OAAO,UAAU,CAAC,KAAK,IAAI,EAAE,CAAA;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAAsB,EACtB,cAAsB,EACtB,eAAwB,EACxB,cAAsD;IAEtD,MAAM,QAAQ,GAAG,EAAE,GAAG,sBAAsB,EAAE,GAAG,cAAc,EAAE,CAAA;IACjE,MAAM,MAAM,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAA;IAEjD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAA;IACpC,MAAM,cAAc,GAA0C,EAAE,CAAA;IAEhE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,KAAK,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1D,IAAI,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;gBAChC,IAAI,OAAO,CAAC,cAAc;oBAAE,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;gBACjF,IAAI,OAAO,CAAC,eAAe;oBAAE,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;gBACpF,IAAI,OAAO,CAAC,YAAY;oBAAE,cAAc,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;YACxE,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,CAAC;QACV,eAAe,EAAE;YACf,gBAAgB,EAAE,cAAc;YAChC,iBAAiB,EAAE,eAAe;YAClC,sBAAsB,EAAE,UAAU,CAAC,YAAY,IAAI,CAAC;SACrD;QACD,iBAAiB,EAAE;YACjB,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC;YACzB,UAAU,EAAE,CAAC,GAAG,UAAU,CAAC;SAC5B;QACD,OAAO,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE;KAC7D,CAAA;IAED,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,gBAAgB,GAAG,EAAE,CAAA;QAC5B,cAAc,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;YAClC,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAA;YACnD,MAAM,CAAC,gBAAiB,CAAC,GAAG,CAAC,GAAG;gBAC9B,IAAI,EAAE,QAAQ,KAAK,CAAC,IAAI,EAAE;gBAC1B,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;aACtE,CAAA;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,MAAuB;IAClD,MAAM,KAAK,GAAa,CAAC,YAAY,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;IAEtD,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,kBAAkB,CAAC,CAAA;QAClC,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,eAAe,CAAC,gBAAgB,GAAG,CAAC,CAAA;QAC9E,IAAI,MAAM,CAAC,eAAe,CAAC,iBAAiB;YAC1C,KAAK,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,eAAe,CAAC,iBAAiB,GAAG,CAAC,CAAA;QAClF,KAAK,CAAC,IAAI,CAAC,6BAA6B,MAAM,CAAC,eAAe,CAAC,sBAAsB,EAAE,CAAC,CAAA;IAC1F,CAAC;IAED,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,oBAAoB,CAAC,CAAA;QACpC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAC1B,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAA;QACzE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC3B,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC,CAAA;QAC1B,KAAK,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAA;QAC1D,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,mBAAmB,CAAC,CAAA;QACnC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACnE,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,CAAA;YACvB,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,IAAI,GAAG,CAAC,CAAA;YACvC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;YAC5B,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE;gBAC3B,KAAK,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,CAAC,CAAA;gBACtC,KAAK,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,IAAI,EAAE,CAAC,CAAA;gBACtC,IAAI,EAAE,CAAC,QAAQ;oBAAE,KAAK,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAA;YACjE,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;AAChC,CAAC"}

package/dist/src/core/attestation.d.ts

@@ -0,0 +1,49 @@
+import type { PassportGrade, AttestationFlag, IssuanceChallenge, IssuanceEvidenceRecord, IssuanceContext, PassportAttestationSummary, RuntimeAttestation, ProviderAttestation, ObservedContext, SignalVerificationResult, DerivedSignal, AttestationClass, WorkspaceManifest } from '../types/attestation.js';
+import type { SignedPassport } from '../types/passport.js';
+export declare function createIssuanceChallenge(publicKeyHash: string, options?: {
+    requestedClasses?: AttestationClass[];
+    expiresInSeconds?: number;
+}): IssuanceChallenge;
+export declare function verifyRuntimeAttestation(attestation: RuntimeAttestation, challenge: IssuanceChallenge, trustedAttesterKeys: Map<string, string>): SignalVerificationResult;
+export declare function computePassportGrade(evidence: IssuanceEvidenceRecord, options?: {
+    hasIssuerSignature?: boolean;
+    hasVerifiedRuntime?: boolean;
+    hasVerifiedProvider?: boolean;
+    hasPrincipalEndorsement?: boolean;
+}): PassportGrade;
+export declare function computeAttestationFlags(grade: PassportGrade, evidence: IssuanceEvidenceRecord): AttestationFlag[];
+export declare function computeAttestationBundleHash(evidence: IssuanceEvidenceRecord): string;
+export declare function createIssuanceContext(evidence: IssuanceEvidenceRecord, options?: {
+    hasIssuerSignature?: boolean;
+    hasVerifiedRuntime?: boolean;
+    hasVerifiedProvider?: boolean;
+    hasPrincipalEndorsement?: boolean;
+    verificationResults?: SignalVerificationResult[];
+    derivedSignals?: DerivedSignal[];
+}): IssuanceContext;
+export declare function bindAttestation(signedPassport: SignedPassport, context: IssuanceContext): SignedPassport & {
+    attestation: PassportAttestationSummary;
+};
+export declare function createWorkspaceManifest(entries: Array<{
+    path: string;
+    sizeBytes: number;
+    lastModified: Date;
+}>): WorkspaceManifest;
+export declare function createEmptyEvidenceRecord(observed?: Partial<ObservedContext>): IssuanceEvidenceRecord;
+export declare function isChallengeFresh(challenge: IssuanceChallenge): boolean;
+export declare function isGradeAtLeast(grade: PassportGrade, minimum: PassportGrade): boolean;
+export declare function importProviderAttestation(input: {
+    /** JWS compact serialization (header.payload.signature) OR raw JSON string OR object */
+    attestation: string | Record<string, unknown>;
+    /** Provider identifier (e.g. 'red-team-harness', 'cloud-provider', 'oauth-issuer') */
+    provider: string;
+    /** What kind of subject was attested */
+    subjectClass?: string;
+    /** Verification method used by the provider */
+    verificationMethod?: string;
+}): ProviderAttestation;
+export declare function addIdentityBoundary<T extends Record<string, unknown>>(obj: T, fields?: string[]): T & {
+    _identityBoundary: string[];
+    _contentHash: string;
+};
+//# sourceMappingURL=attestation.d.ts.map

package/dist/src/core/attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../../src/core/attestation.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,aAAa,EAAE,eAAe,EAC9B,iBAAiB,EACjB,sBAAsB,EACtB,eAAe,EAAE,0BAA0B,EAC3C,kBAAkB,EAAE,mBAAmB,EACvB,eAAe,EAC/B,wBAAwB,EAAE,aAAa,EACvC,gBAAgB,EAChB,iBAAiB,EAElB,MAAM,yBAAyB,CAAA;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAU1D,wBAAgB,uBAAuB,CACrC,aAAa,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE;IACR,gBAAgB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACtC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GACA,iBAAiB,CAYnB;AAKD,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,kBAAkB,EAC/B,SAAS,EAAE,iBAAiB,EAC5B,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACvC,wBAAwB,CA0E1B;AAQD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,CAAC,EAAE;IACR,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC,GACA,aAAa,CAmBf;AAID,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,aAAa,EACpB,QAAQ,EAAE,sBAAsB,GAC/B,eAAe,EAAE,CAWnB;AAKD,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,sBAAsB,GAAG,MAAM,CAErF;AAID,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,CAAC,EAAE;IACR,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,mBAAmB,CAAC,EAAE,wBAAwB,EAAE,CAAC;IACjD,cAAc,CAAC,EAAE,aAAa,EAAE,CAAC;CAClC,GACA,eAAe,CAgBjB;AAKD,wBAAgB,eAAe,CAC7B,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,eAAe,GACvB,cAAc,GAAG;IAAE,WAAW,EAAE,0BAA0B,CAAA;CAAE,CAU9D;AAMD,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,IAAI,CAAA;CAAE,CAAC,GACtE,iBAAiB,CA0BnB;AAID,wBAAgB,yBAAyB,CACvC,QAAQ,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAClC,sBAAsB,CAaxB;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAEtE;AAID,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAEpF;AAOD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE;IACL,wFAAwF;IACxF,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC7C,sFAAsF;IACtF,QAAQ,EAAE,MAAM,CAAA;IAChB,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAC5B,GACA,mBAAmB,CAwCrB;AAMD,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnE,GAAG,EAAE,CAAC,EACN,MAAM,CAAC,EAAE,MAAM,EAAE,GAChB,CAAC,GAAG;IAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAW3D"}

package/dist/src/core/attestation.js

@@ -0,0 +1,294 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// Agent Attestation Architecture — Core Functions
+// Phase 1: Foundation types + issuance challenge + grade computation + attestation binding
+import { createHash } from 'crypto';
+import { verify } from '../crypto/keys.js';
+import { canonicalize } from './canonical.js';
+// ── SHA-256 helper ──
+function sha256Hex(input) {
+    return createHash('sha256').update(input).digest('hex');
+}
+// ── createIssuanceChallenge ──
+// Phase 1 of the 5-phase issuance flow.
+// Server generates a nonce bound to the agent's public key.
+export function createIssuanceChallenge(publicKeyHash, options) {
+    const now = new Date();
+    const expiry = new Date(now.getTime() + (options?.expiresInSeconds ?? 300) * 1000);
+    return {
+        challengeId: `ic_${sha256Hex(Date.now().toString() + Math.random().toString()).slice(0, 24)}`,
+        nonce: sha256Hex(Math.random().toString() + Date.now().toString()).slice(0, 32),
+        requiredPublicKeyHash: publicKeyHash,
+        requestedAttestationClasses: options?.requestedClasses ?? ['runtime'],
+        expiresAt: expiry.toISOString(),
+        issuedAt: now.toISOString(),
+    };
+}
+// ── verifyRuntimeAttestation ──
+// Phase 3: verify an infrastructure attestation.
+// Checks: attester signature, nonce binding to challenge, key binding, freshness.
+export function verifyRuntimeAttestation(attestation, challenge, trustedAttesterKeys // attester URI -> public key
+) {
+    const now = new Date();
+    // Check freshness
+    if (new Date(attestation.expiresAt) < now) {
+        return {
+            signalKey: 'runtime_attestation',
+            status: 'failed',
+            detail: 'Runtime attestation has expired',
+            verifiedAt: now.toISOString(),
+        };
+    }
+    // Check nonce binding
+    if (attestation.nonce !== challenge.nonce) {
+        return {
+            signalKey: 'runtime_attestation',
+            status: 'failed',
+            detail: 'Nonce does not match issuance challenge',
+            verifiedAt: now.toISOString(),
+        };
+    }
+    // Check key binding
+    if (attestation.publicKeyHash !== challenge.requiredPublicKeyHash) {
+        return {
+            signalKey: 'runtime_attestation',
+            status: 'failed',
+            detail: 'Public key hash does not match challenge requirement',
+            verifiedAt: now.toISOString(),
+        };
+    }
+    // Check attester is trusted
+    const attesterKey = trustedAttesterKeys.get(attestation.attester);
+    if (!attesterKey) {
+        return {
+            signalKey: 'runtime_attestation',
+            status: 'observed',
+            detail: `Attester ${attestation.attester} is not in trusted registry`,
+            verifiedAt: now.toISOString(),
+        };
+    }
+    // Verify attester signature
+    const payload = canonicalize({
+        attester: attestation.attester,
+        nonce: attestation.nonce,
+        publicKeyHash: attestation.publicKeyHash,
+        runtimeClass: attestation.runtimeClass,
+        bootEpoch: attestation.bootEpoch,
+        runtimeInstanceIdHash: attestation.runtimeInstanceIdHash,
+        storageIdentityHash: attestation.storageIdentityHash,
+        processIdentityHash: attestation.processIdentityHash,
+        issuedAt: attestation.issuedAt,
+        expiresAt: attestation.expiresAt,
+    });
+    const sigValid = verify(payload, attestation.signature, attesterKey);
+    if (!sigValid) {
+        return {
+            signalKey: 'runtime_attestation',
+            status: 'failed',
+            detail: 'Attester signature verification failed',
+            verifiedAt: now.toISOString(),
+        };
+    }
+    return {
+        signalKey: 'runtime_attestation',
+        status: 'verified',
+        detail: `Verified by trusted attester ${attestation.attester}`,
+        verifiedAt: now.toISOString(),
+    };
+}
+// ── computePassportGrade ──
+// Determines grade from available verified attestations.
+// Grade 0: self-signed (bare keypair)
+// Grade 1: issuer countersigned
+// Grade 2: runtime-bound (issuer + challenge-response + trusted attestation)
+// Grade 3: runtime + principal bound
+export function computePassportGrade(evidence, options) {
+    const has = options ?? {};
+    // Check from highest to lowest
+    if (has.hasVerifiedRuntime && has.hasPrincipalEndorsement && has.hasIssuerSignature) {
+        return 3;
+    }
+    if (has.hasVerifiedRuntime && has.hasIssuerSignature) {
+        return 2;
+    }
+    // Provider attestation without runtime can still be Grade 2
+    // if the provider is strong enough (e.g., verified cloud tenant)
+    if (has.hasVerifiedProvider && has.hasIssuerSignature) {
+        return 2;
+    }
+    if (has.hasIssuerSignature) {
+        return 1;
+    }
+    return 0;
+}
+// ── computeAttestationFlags ──
+// Derive public flags from evidence and grade.
+export function computeAttestationFlags(grade, evidence) {
+    const flags = [];
+    if (grade >= 1)
+        flags.push('issuer_bound');
+    if (grade >= 2 && evidence.runtimeAttestations.length > 0)
+        flags.push('runtime_bound');
+    if (grade >= 2 && evidence.providerAttestations.length > 0)
+        flags.push('provider_bound');
+    if (grade >= 3)
+        flags.push('principal_bound');
+    if (evidence.priorPassportRef)
+        flags.push('recovery_linked');
+    if (evidence.priorContinuityProof)
+        flags.push('continuity_proven');
+    return flags;
+}
+// ── computeAttestationBundleHash ──
+// SHA-256 of the canonical evidence record. Allows verifiers to confirm
+// the passport's attestation summary matches real evidence without seeing the evidence.
+export function computeAttestationBundleHash(evidence) {
+    return sha256Hex(canonicalize(evidence));
+}
+// ── createIssuanceContext ──
+// Combine evidence + assessment into a complete issuance record.
+export function createIssuanceContext(evidence, options) {
+    const grade = computePassportGrade(evidence, options);
+    const flags = computeAttestationFlags(grade, evidence);
+    const bundleHash = computeAttestationBundleHash(evidence);
+    return {
+        evidence,
+        assessment: {
+            passportGrade: grade,
+            attestationBundleHash: bundleHash,
+            flags,
+            verificationResults: options?.verificationResults ?? [],
+            derivedSignals: options?.derivedSignals,
+            assessedAt: new Date().toISOString(),
+        },
+    };
+}
+// ── bindAttestation ──
+// Attach PassportAttestationSummary to a SignedPassport.
+// This is backward compatible: the attestation field is optional.
+export function bindAttestation(signedPassport, context) {
+    const summary = {
+        passportGrade: context.assessment.passportGrade,
+        attestationBundleHash: context.assessment.attestationBundleHash,
+        flags: context.assessment.flags,
+    };
+    return {
+        ...signedPassport,
+        attestation: summary,
+    };
+}
+// ── createWorkspaceManifest ──
+// Compute a workspace manifest from file entries.
+// Hash structure, not content. Privacy-preserving: paths are hashed,
+// timestamps floored to hour.
+export function createWorkspaceManifest(entries) {
+    const now = new Date();
+    // Sort entries deterministically by path hash
+    const manifestEntries = entries
+        .map(e => {
+        const hourFloor = new Date(e.lastModified);
+        hourFloor.setMinutes(0, 0, 0);
+        return {
+            pathHash: sha256Hex(e.path),
+            sizeBytes: e.sizeBytes,
+            lastModifiedBucket: hourFloor.toISOString(),
+        };
+    })
+        .sort((a, b) => a.pathHash.localeCompare(b.pathHash));
+    const totalSize = manifestEntries.reduce((sum, e) => sum + e.sizeBytes, 0);
+    const manifestHash = sha256Hex(canonicalize(manifestEntries));
+    return {
+        entries: manifestEntries,
+        totalFiles: manifestEntries.length,
+        totalSizeBytes: totalSize,
+        computedAt: now.toISOString(),
+        manifestHash,
+    };
+}
+// ── createEmptyEvidenceRecord ──
+// Initialize a minimal evidence record. The server fills Tier 0 observed signals.
+export function createEmptyEvidenceRecord(observed) {
+    const now = new Date();
+    return {
+        requestId: `req_${sha256Hex(Date.now().toString() + Math.random().toString()).slice(0, 24)}`,
+        requestedAt: now.toISOString(),
+        observed: {
+            observedAt: now.toISOString(),
+            ...observed,
+        },
+        runtimeAttestations: [],
+        providerAttestations: [],
+        selfDeclaredSignals: [],
+    };
+}
+// ── isChallengeFresh ──
+// Check if an issuance challenge is still valid.
+export function isChallengeFresh(challenge) {
+    return new Date(challenge.expiresAt) > new Date();
+}
+// ── isGradeAtLeast ──
+// Check if a passport grade meets a minimum requirement.
+export function isGradeAtLeast(grade, minimum) {
+    return grade >= minimum;
+}
+// ── importProviderAttestation ──
+// Accept external attestation reports (JWS or raw JSON) and convert to ProviderAttestation.
+// Enables composable trust: security test results, cloud attestations, or any third-party
+// verification report feeds into the IssuanceEvidenceRecord as Tier 2 evidence.
+// Connected to msaleme's machine-readable attestation schema (A2A #1696).
+export function importProviderAttestation(input) {
+    let payload;
+    let signature;
+    if (typeof input.attestation === 'string') {
+        const parts = input.attestation.split('.');
+        if (parts.length === 3) {
+            // JWS compact: header.payload.signature
+            try {
+                const decoded = Buffer.from(parts[1], 'base64url').toString('utf-8');
+                payload = JSON.parse(decoded);
+                signature = parts[2];
+            }
+            catch {
+                // Not valid JWS, treat as raw JSON
+                payload = JSON.parse(input.attestation);
+            }
+        }
+        else {
+            payload = JSON.parse(input.attestation);
+        }
+    }
+    else {
+        payload = input.attestation;
+    }
+    // Extract subject identifier and hash it
+    const subjectId = String(payload.sub || payload.subject_id || payload.agentId || payload.agent_id || '');
+    const subjectIdHash = sha256Hex(subjectId);
+    return {
+        provider: input.provider,
+        subjectClass: input.subjectClass || String(payload.subject_class || 'agent'),
+        subjectIdHash,
+        nonce: payload.nonce ? String(payload.nonce) : undefined,
+        publicKeyHash: payload.public_key ? sha256Hex(String(payload.public_key)) : undefined,
+        verificationMethod: input.verificationMethod || String(payload.verification_method || 'jwt'),
+        issuedAt: String(payload.iat ? new Date(Number(payload.iat) * 1000).toISOString() : payload.issued_at || new Date().toISOString()),
+        expiresAt: payload.exp ? new Date(Number(payload.exp) * 1000).toISOString() : (payload.expires_at ? String(payload.expires_at) : undefined),
+        signature,
+    };
+}
+// ── addIdentityBoundary ──
+// Add a self-describing identity boundary to any object. The boundary declares which
+// fields are included in the content hash, making cross-system attribution possible
+// without agreeing on a single hashing standard. Inspired by xsa520's decision artifact spec.
+export function addIdentityBoundary(obj, fields) {
+    const boundary = (fields || Object.keys(obj)).filter(k => !k.startsWith('_')).sort();
+    const hashInput = { _identityBoundary: boundary };
+    for (const k of boundary) {
+        if (k in obj)
+            hashInput[k] = obj[k];
+    }
+    return {
+        ...obj,
+        _identityBoundary: boundary,
+        _contentHash: sha256Hex(JSON.stringify(hashInput)),
+    };
+}
+//# sourceMappingURL=attestation.js.map