agents-chain 0.0.1

package/dist/crypto/ed25519.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Ed25519 key operations and JWT construction using only node:crypto.
+ *
+ * - Zero external JWT library dependency
+ * - All signing uses EdDSA (Ed25519) via crypto.subtle
+ * - Never pass Buffer directly to crypto.subtle — always Uint8Array
+ */
+import { type JwtTyp } from "./utils.js";
+export type JwtHeader = {
+    alg: "EdDSA";
+    typ: JwtTyp;
+    kid?: string;
+};
+export type JwtPayload = {
+    iss?: string;
+    sub?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+    jti?: string;
+    [key: string]: unknown;
+};
+export type DecodedJwt<T extends JwtPayload = JwtPayload> = {
+    header: JwtHeader;
+    payload: T;
+    signingInput: string;
+    signature: string;
+};
+export type VerifyJwtOptions = {
+    expectedTyp: JwtTyp;
+};
+export type JwksResponse = {
+    keys: JsonWebKey[];
+};
+export declare function generateKeyPair(): Promise<{
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}>;
+export declare function exportPublicKeyJwk(key: CryptoKey): Promise<JsonWebKey>;
+export declare function exportPrivateKeyJwk(key: CryptoKey): Promise<JsonWebKey>;
+export declare function importPublicKeyJwk(jwk: JsonWebKey): Promise<CryptoKey>;
+export declare function importPrivateKeyJwk(jwk: JsonWebKey): Promise<CryptoKey>;
+/**
+ * Compute the SHA-256 JWK thumbprint of an Ed25519 public key.
+ * Canonical JSON: only crv, kty, x — sorted lexicographically.
+ */
+export declare function computeJwkThumbprint(jwk: JsonWebKey): string;
+/**
+ * Sign a compact JWT using Ed25519.
+ * The private key signs header.payload — signature covers both parts.
+ */
+export declare function signJwt<T extends JwtPayload>(payload: T, privateKey: CryptoKey, typ: JwtTyp): Promise<string>;
+/**
+ * Decode a JWT without verifying its signature.
+ * Used to extract claims before key lookup. Never trust these claims for auth.
+ */
+export declare function decodeJwtUnsafe<T extends JwtPayload = JwtPayload>(token: string): DecodedJwt<T>;
+/**
+ * Verify an Ed25519 JWT signature and confirm typ matches.
+ * Does NOT check exp/iat/jti — TokenVerifier handles those.
+ */
+export declare function verifyJwtSignature<T extends JwtPayload = JwtPayload>(token: string, publicKey: CryptoKey, opts: VerifyJwtOptions): Promise<DecodedJwt<T>>;
+//# sourceMappingURL=ed25519.d.ts.map

package/dist/crypto/ed25519.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["../../src/crypto/ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAyD,KAAK,MAAM,EAAE,MAAM,YAAY,CAAC;AAIhG,MAAM,MAAM,SAAS,GAAG;IACpB,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,UAAU,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI;IACxD,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,CAAC,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,WAAW,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACvB,IAAI,EAAE,UAAU,EAAE,CAAC;CACtB,CAAC;AAIF,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC7C,SAAS,EAAE,SAAS,CAAC;IACrB,UAAU,EAAE,SAAS,CAAC;CACzB,CAAC,CAOD;AAID,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAE5E;AAED,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAE7E;AAED,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAW5E;AAED,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAW7E;AAID;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAO5D;AAQD;;;GAGG;AACH,wBAAsB,OAAO,CAAC,CAAC,SAAS,UAAU,EAC9C,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,SAAS,EACrB,GAAG,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAcjB;AASD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAC7D,KAAK,EAAE,MAAM,GACd,UAAU,CAAC,CAAC,CAAC,CAwBf;AAID;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACtE,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,gBAAgB,GACvB,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAyBxB"}

package/dist/crypto/ed25519.js

@@ -0,0 +1,118 @@
+/**
+ * Ed25519 key operations and JWT construction using only node:crypto.
+ *
+ * - Zero external JWT library dependency
+ * - All signing uses EdDSA (Ed25519) via crypto.subtle
+ * - Never pass Buffer directly to crypto.subtle — always Uint8Array
+ */
+import { createHash } from "node:crypto";
+import { base64UrlDecode, base64UrlEncode, isObject, parseJson } from "./utils.js";
+// ─── Key Generation ───────────────────────────────────────────────────────────
+export async function generateKeyPair() {
+    const keypair = await crypto.subtle.generateKey("Ed25519", true, ["sign", "verify"]);
+    return { publicKey: keypair.publicKey, privateKey: keypair.privateKey };
+}
+// ─── JWK Export / Import ──────────────────────────────────────────────────────
+export async function exportPublicKeyJwk(key) {
+    return crypto.subtle.exportKey("jwk", key);
+}
+export async function exportPrivateKeyJwk(key) {
+    return crypto.subtle.exportKey("jwk", key);
+}
+export async function importPublicKeyJwk(jwk) {
+    if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || !jwk.x) {
+        throw new Error("Invalid Ed25519 public JWK: must be OKP/Ed25519 with x field");
+    }
+    return crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, true, ["verify"]);
+}
+export async function importPrivateKeyJwk(jwk) {
+    if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || !jwk.x || !jwk.d) {
+        throw new Error("Invalid Ed25519 private JWK: must be OKP/Ed25519 with x and d fields");
+    }
+    return crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, true, ["sign"]);
+}
+// ─── JWK Thumbprint (RFC 7638) ────────────────────────────────────────────────
+/**
+ * Compute the SHA-256 JWK thumbprint of an Ed25519 public key.
+ * Canonical JSON: only crv, kty, x — sorted lexicographically.
+ */
+export function computeJwkThumbprint(jwk) {
+    if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || !jwk.x) {
+        throw new Error("Invalid Ed25519 JWK for thumbprint computation");
+    }
+    const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x });
+    const hash = createHash("sha256").update(canonical).digest();
+    return base64UrlEncode(hash);
+}
+// ─── JWT Construction ─────────────────────────────────────────────────────────
+function encodeJwtPart(obj) {
+    return base64UrlEncode(Buffer.from(JSON.stringify(obj)));
+}
+/**
+ * Sign a compact JWT using Ed25519.
+ * The private key signs header.payload — signature covers both parts.
+ */
+export async function signJwt(payload, privateKey, typ) {
+    const header = { alg: "EdDSA", typ };
+    const encodedHeader = encodeJwtPart(header);
+    const encodedPayload = encodeJwtPart(payload);
+    const signingInput = `${encodedHeader}.${encodedPayload}`;
+    const sigBytes = await crypto.subtle.sign("Ed25519", privateKey, new TextEncoder().encode(signingInput) // Uint8Array — NOT Buffer
+    );
+    const sig = base64UrlEncode(new Uint8Array(sigBytes));
+    return `${signingInput}.${sig}`;
+}
+// ─── JWT Decoding (without verification) ─────────────────────────────────────
+function isJwtHeader(value) {
+    if (!isObject(value))
+        return false;
+    return value["alg"] === "EdDSA" && value["typ"] === "agent+jwt";
+}
+/**
+ * Decode a JWT without verifying its signature.
+ * Used to extract claims before key lookup. Never trust these claims for auth.
+ */
+export function decodeJwtUnsafe(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Invalid JWT format: expected 3 dot-separated parts");
+    }
+    const [headerB64, payloadB64, signature] = parts;
+    const rawHeader = parseJson(base64UrlDecode(headerB64).toString("utf8"));
+    if (!isJwtHeader(rawHeader)) {
+        throw new Error("Invalid JWT header: expected alg=EdDSA, typ=agent+jwt");
+    }
+    const rawPayload = parseJson(base64UrlDecode(payloadB64).toString("utf8"));
+    if (!isObject(rawPayload)) {
+        throw new Error("Invalid JWT payload: not a JSON object");
+    }
+    return {
+        header: rawHeader,
+        payload: rawPayload,
+        signingInput: `${headerB64}.${payloadB64}`,
+        signature,
+    };
+}
+// ─── JWT Verification ─────────────────────────────────────────────────────────
+/**
+ * Verify an Ed25519 JWT signature and confirm typ matches.
+ * Does NOT check exp/iat/jti — TokenVerifier handles those.
+ */
+export async function verifyJwtSignature(token, publicKey, opts) {
+    const decoded = decodeJwtUnsafe(token);
+    if (decoded.header.typ !== opts.expectedTyp) {
+        throw new Error(`JWT typ mismatch: expected "${opts.expectedTyp}", got "${decoded.header.typ}"`);
+    }
+    if (decoded.header.alg !== "EdDSA") {
+        throw new Error(`JWT alg mismatch: expected "EdDSA", got "${decoded.header.alg}"`);
+    }
+    const sigBytes = new Uint8Array(base64UrlDecode(decoded.signature));
+    const inputBytes = new TextEncoder().encode(decoded.signingInput);
+    const valid = await crypto.subtle.verify("Ed25519", publicKey, sigBytes, inputBytes // Uint8Array — NOT Buffer
+    );
+    if (!valid) {
+        throw new Error("JWT signature verification failed: signature does not match");
+    }
+    return decoded;
+}
+//# sourceMappingURL=ed25519.js.map

package/dist/crypto/ed25519.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ed25519.js","sourceRoot":"","sources":["../../src/crypto/ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAe,MAAM,YAAY,CAAC;AAmChG,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,eAAe;IAIjC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC3C,SAAgC,EAChC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACJ,CAAC;IACnB,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC;AAC5E,CAAC;AAED,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAc;IACnD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAc;IACpD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAe;IACpD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAyB,EAC1C,IAAI,EACJ,CAAC,QAAQ,CAAC,CACb,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAe;IACrD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAyB,EAC1C,IAAI,EACJ,CAAC,MAAM,CAAC,CACX,CAAC;AACN,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;IAC7D,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED,iFAAiF;AAEjF,SAAS,aAAa,CAAC,GAAW;IAC9B,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CACzB,OAAU,EACV,UAAqB,EACrB,GAAW;IAEX,MAAM,MAAM,GAAc,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACrC,SAAgC,EAChC,UAAU,EACV,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,0BAA0B;KACpE,CAAC;IAEF,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;AACpC,CAAC;AAED,gFAAgF;AAEhF,SAAS,WAAW,CAAC,KAAc;IAC/B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC,KAAK,WAAW,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC3B,KAAa;IAEb,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAiC,CAAC;IAE7E,MAAM,SAAS,GAAG,SAAS,CAAU,eAAe,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAU,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpF,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO;QACH,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,UAAe;QACxB,YAAY,EAAE,GAAG,SAAS,IAAI,UAAU,EAAE;QAC1C,SAAS;KACZ,CAAC;AACN,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACpC,KAAa,EACb,SAAoB,EACpB,IAAsB;IAEtB,MAAM,OAAO,GAAG,eAAe,CAAI,KAAK,CAAC,CAAC;IAE1C,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,+BAA+B,IAAI,CAAC,WAAW,WAAW,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,4CAA4C,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAElE,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACpC,SAAgC,EAChC,SAAS,EACT,QAAQ,EACR,UAAU,CAAC,0BAA0B;KACxC,CAAC;IAEF,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC"}

package/dist/crypto/utils.d.ts

@@ -0,0 +1,18 @@
+export type JwtTyp = "agent+jwt";
+export declare function base64UrlEncode(buffer: Buffer | Uint8Array): string;
+export declare function base64UrlDecode(str: string): Buffer;
+/**
+ * Generate a cryptographically random ID.
+ * Format: <prefix>_<22 base64url chars> (128-bit entropy).
+ * When a hostname is provided the format is: <hostname>-<suffix>-<22chars>
+ */
+export declare function generateId(prefix: string): string;
+/**
+ * Build a host-scoped agent ID.
+ * Format: <hostname>-agent-<32 hex chars>
+ * The 32 hex chars = 128-bit random, making collision negligible.
+ */
+export declare function generateAgentId(hostname: string): string;
+export declare function isObject(value: unknown): value is Record<string, unknown>;
+export declare function parseJson<T>(value: string): T;
+//# sourceMappingURL=utils.d.ts.map

package/dist/crypto/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/crypto/utils.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC;AAEjC,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,CAMnE;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzE;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAE7C"}

package/dist/crypto/utils.js

@@ -0,0 +1,38 @@
+import { randomBytes } from "node:crypto";
+export function base64UrlEncode(buffer) {
+    return Buffer.from(buffer)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+export function base64UrlDecode(str) {
+    const padded = str + "=".repeat((4 - (str.length % 4)) % 4);
+    return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+/**
+ * Generate a cryptographically random ID.
+ * Format: <prefix>_<22 base64url chars> (128-bit entropy).
+ * When a hostname is provided the format is: <hostname>-<suffix>-<22chars>
+ */
+export function generateId(prefix) {
+    const suffix = base64UrlEncode(randomBytes(16));
+    return `${prefix}_${suffix}`;
+}
+/**
+ * Build a host-scoped agent ID.
+ * Format: <hostname>-agent-<32 hex chars>
+ * The 32 hex chars = 128-bit random, making collision negligible.
+ */
+export function generateAgentId(hostname) {
+    const random = randomBytes(16).toString("hex"); // 32 hex chars
+    const safe = hostname.toLowerCase().replace(/[^a-z0-9]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+    return `${safe}-agent-${random}`;
+}
+export function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+export function parseJson(value) {
+    return JSON.parse(value);
+}
+//# sourceMappingURL=utils.js.map

package/dist/crypto/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/crypto/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI1C,MAAM,UAAU,eAAe,CAAC,MAA2B;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;SACrB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAW;IACvC,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC/E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc;IACrC,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAChD,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC5C,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe;IAC/D,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACzG,OAAO,GAAG,IAAI,UAAU,MAAM,EAAE,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,KAAc;IACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,SAAS,CAAI,KAAa;IACtC,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAM,CAAC;AAClC,CAAC"}

package/dist/errors/chain-error.d.ts

@@ -0,0 +1,18 @@
+/**
+ * ChainAuthError — thrown when an agent call is blocked by agents-chain.
+ *
+ * error codes:
+ *   "capability_denied"   — agent does not hold a grant for this capability
+ *   "constraint_violated" — capability args violate a constraint
+ *   "token_replayed"      — JWT ID has already been used (replay attack)
+ *   "token_expired"       — JWT exp has passed
+ *   "token_invalid"       — JWT is structurally or cryptographically invalid
+ *   "agent_not_found"     — agentId in the JWT does not match registered agent
+ */
+export type ChainErrorCode = "capability_denied" | "constraint_violated" | "token_replayed" | "token_expired" | "token_invalid" | "agent_not_found";
+export declare class ChainAuthError extends Error {
+    readonly code: ChainErrorCode;
+    readonly violations?: string[];
+    constructor(code: ChainErrorCode, message: string, violations?: string[]);
+}
+//# sourceMappingURL=chain-error.d.ts.map

package/dist/errors/chain-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-error.d.ts","sourceRoot":"","sources":["../../src/errors/chain-error.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,cAAc,GACpB,mBAAmB,GACnB,qBAAqB,GACrB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,iBAAiB,CAAC;AAExB,qBAAa,cAAe,SAAQ,KAAK;IACrC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;gBAEnB,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE;CAQ3E"}

package/dist/errors/chain-error.js

@@ -0,0 +1,22 @@
+/**
+ * ChainAuthError — thrown when an agent call is blocked by agents-chain.
+ *
+ * error codes:
+ *   "capability_denied"   — agent does not hold a grant for this capability
+ *   "constraint_violated" — capability args violate a constraint
+ *   "token_replayed"      — JWT ID has already been used (replay attack)
+ *   "token_expired"       — JWT exp has passed
+ *   "token_invalid"       — JWT is structurally or cryptographically invalid
+ *   "agent_not_found"     — agentId in the JWT does not match registered agent
+ */
+export class ChainAuthError extends Error {
+    constructor(code, message, violations) {
+        super(message);
+        this.name = "ChainAuthError";
+        this.code = code;
+        this.violations = violations;
+        // Maintain proper prototype chain for instanceof checks
+        Object.setPrototypeOf(this, ChainAuthError.prototype);
+    }
+}
+//# sourceMappingURL=chain-error.js.map

package/dist/errors/chain-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-error.js","sourceRoot":"","sources":["../../src/errors/chain-error.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAUH,MAAM,OAAO,cAAe,SAAQ,KAAK;IAIrC,YAAY,IAAoB,EAAE,OAAe,EAAE,UAAqB;QACpE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,wDAAwD;QACxD,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,cAAc,CAAC,SAAS,CAAC,CAAC;IAC1D,CAAC;CACJ"}

package/dist/identity/agent-identity.d.ts

@@ -0,0 +1,33 @@
+/**
+ * AgentIdentity — holds the Ed25519 keypair and registration record for one agent.
+ *
+ * The private key is held exclusively in memory as a non-exportable CryptoKey
+ * after the initial setup. The public key is stored (encrypted) in the
+ * EncryptedStore as a JWK for verification during token checks.
+ *
+ * Agent ID format: <hostname>-agent-<32 hex chars>
+ * Example: myapp-agent-a3f9bc1d2e4f6789abcdef0123456789
+ */
+import type { AgentConfig, CapabilityGrant, RegisteredAgent } from "../types/identity.js";
+import type { EncryptedStore } from "../memory/encrypted-store.js";
+export declare class AgentIdentity {
+    readonly privateKey: CryptoKey;
+    readonly registration: RegisteredAgent;
+    private constructor();
+    /**
+     * Create a new agent identity:
+     * 1. Generate an Ed25519 keypair
+     * 2. Derive the agentId from hostname
+     * 3. Compute the public key thumbprint (used as the JWT `iss`)
+     * 4. Store the registration (encrypted) in the provided store
+     */
+    static create(config: AgentConfig, store: EncryptedStore): Promise<AgentIdentity>;
+    static restore(privateKey: CryptoKey, store: EncryptedStore): Promise<AgentIdentity>;
+    get agentId(): string;
+    get thumbprint(): string;
+    get capabilityNames(): string[];
+    hasCapability(name: string): boolean;
+    getGrant(name: string): CapabilityGrant | undefined;
+    getPublicKey(): Promise<CryptoKey>;
+}
+//# sourceMappingURL=agent-identity.d.ts.map

package/dist/identity/agent-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity.d.ts","sourceRoot":"","sources":["../../src/identity/agent-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AASH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC1F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAInE,qBAAa,aAAa;IACtB,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,eAAe,CAAC;IAEvC,OAAO;IAKP;;;;;;OAMG;WACU,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;WA0B1E,OAAO,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAS1F,IAAI,OAAO,IAAI,MAAM,CAEpB;IAED,IAAI,UAAU,IAAI,MAAM,CAEvB;IAGD,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIpC,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAI7C,YAAY,IAAI,OAAO,CAAC,SAAS,CAAC;CAG3C"}

package/dist/identity/agent-identity.js

@@ -0,0 +1,73 @@
+/**
+ * AgentIdentity — holds the Ed25519 keypair and registration record for one agent.
+ *
+ * The private key is held exclusively in memory as a non-exportable CryptoKey
+ * after the initial setup. The public key is stored (encrypted) in the
+ * EncryptedStore as a JWK for verification during token checks.
+ *
+ * Agent ID format: <hostname>-agent-<32 hex chars>
+ * Example: myapp-agent-a3f9bc1d2e4f6789abcdef0123456789
+ */
+import { generateKeyPair, exportPublicKeyJwk, computeJwkThumbprint, importPublicKeyJwk, } from "../crypto/ed25519.js";
+import { generateAgentId } from "../crypto/utils.js";
+const STORE_KEY_IDENTITY = "agent:identity";
+export class AgentIdentity {
+    constructor(privateKey, registration) {
+        this.privateKey = privateKey;
+        this.registration = registration;
+    }
+    /**
+     * Create a new agent identity:
+     * 1. Generate an Ed25519 keypair
+     * 2. Derive the agentId from hostname
+     * 3. Compute the public key thumbprint (used as the JWT `iss`)
+     * 4. Store the registration (encrypted) in the provided store
+     */
+    static async create(config, store) {
+        const { publicKey, privateKey } = await generateKeyPair();
+        const publicKeyJwk = await exportPublicKeyJwk(publicKey);
+        const thumbprint = computeJwkThumbprint(publicKeyJwk);
+        const agentId = generateAgentId(config.hostname);
+        const grants = config.capabilities.map((cap) => ({
+            capability: cap,
+            grantedAt: Date.now(),
+        }));
+        const registration = {
+            agentId,
+            agentName: config.agentName,
+            hostname: config.hostname,
+            publicKeyJwk,
+            thumbprint,
+            capabilities: grants,
+            registeredAt: Date.now(),
+        };
+        store.set(STORE_KEY_IDENTITY, registration);
+        return new AgentIdentity(privateKey, registration);
+    }
+    static async restore(privateKey, store) {
+        const registration = store.get(STORE_KEY_IDENTITY);
+        if (!registration) {
+            throw new Error("AgentIdentity.restore: no identity found in store");
+        }
+        return new AgentIdentity(privateKey, registration);
+    }
+    get agentId() {
+        return this.registration.agentId;
+    }
+    get thumbprint() {
+        return this.registration.thumbprint;
+    }
+    get capabilityNames() {
+        return this.registration.capabilities.map((g) => g.capability);
+    }
+    hasCapability(name) {
+        return this.registration.capabilities.some((g) => g.capability === name);
+    }
+    getGrant(name) {
+        return this.registration.capabilities.find((g) => g.capability === name);
+    }
+    async getPublicKey() {
+        return importPublicKeyJwk(this.registration.publicKeyJwk);
+    }
+}
+//# sourceMappingURL=agent-identity.js.map

package/dist/identity/agent-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity.js","sourceRoot":"","sources":["../../src/identity/agent-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAIrD,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;AAE5C,MAAM,OAAO,aAAa;IAItB,YAAoB,UAAqB,EAAE,YAA6B;QACpE,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACrC,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAmB,EAAE,KAAqB;QAC1D,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,eAAe,EAAE,CAAC;QAC1D,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAsB,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAChE,UAAU,EAAE,GAAG;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC,CAAC,CAAC;QAEJ,MAAM,YAAY,GAAoB;YAClC,OAAO;YACP,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY;YACZ,UAAU;YACV,YAAY,EAAE,MAAM;YACpB,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;SAC3B,CAAC;QAEF,KAAK,CAAC,GAAG,CAAC,kBAAkB,EAAE,YAAY,CAAC,CAAC;QAE5C,OAAO,IAAI,aAAa,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,UAAqB,EAAE,KAAqB;QAC7D,MAAM,YAAY,GAAG,KAAK,CAAC,GAAG,CAAkB,kBAAkB,CAAC,CAAC;QACpE,IAAI,CAAC,YAAY,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,IAAI,aAAa,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACvD,CAAC;IAGD,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC;IACrC,CAAC;IAED,IAAI,UAAU;QACV,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC;IACxC,CAAC;IAGD,IAAI,eAAe;QACf,OAAO,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACnE,CAAC;IAED,aAAa,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,IAAI,CAAC,CAAC;IAC7E,CAAC;IAED,QAAQ,CAAC,IAAY;QACjB,OAAO,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,IAAI,CAAC,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,YAAY;QACd,OAAO,kBAAkB,CAAC,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;IAC9D,CAAC;CACJ"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export { AgentsChain } from "./chain.js";
+export { ChainAuthError } from "./errors/chain-error.js";
+export type { ChainErrorCode } from "./errors/chain-error.js";
+export type { AgentConfig, ChainStats, AuditSnapshot } from "./types/chain.js";
+export type { AuditEntry, AuditResult } from "./types/audit.js";
+export type { RegisteredAgent, CapabilityGrant, CapabilityConstraints, ConstraintOperator, ConstraintValue, ConstraintPrimitive, } from "./types/identity.js";
+export { generateKeyPair, exportPublicKeyJwk, exportPrivateKeyJwk, importPublicKeyJwk, computeJwkThumbprint, signJwt, verifyJwtSignature, decodeJwtUnsafe, } from "./crypto/ed25519.js";
+export { generateId, generateAgentId, base64UrlEncode, base64UrlDecode } from "./crypto/utils.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,YAAY,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAC/E,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAChE,YAAY,EACR,eAAe,EACf,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,eAAe,EACf,mBAAmB,GACtB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,OAAO,EACP,kBAAkB,EAClB,eAAe,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -0,0 +1,5 @@
+export { AgentsChain } from "./chain.js";
+export { ChainAuthError } from "./errors/chain-error.js";
+export { generateKeyPair, exportPublicKeyJwk, exportPrivateKeyJwk, importPublicKeyJwk, computeJwkThumbprint, signJwt, verifyJwtSignature, decodeJwtUnsafe, } from "./crypto/ed25519.js";
+export { generateId, generateAgentId, base64UrlEncode, base64UrlDecode } from "./crypto/utils.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAazD,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,OAAO,EACP,kBAAkB,EAClB,eAAe,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/lib/utils.d.ts

@@ -0,0 +1,6 @@
+export declare function base64UrlEncode(buffer: Buffer | Uint8Array): string;
+export declare function base64UrlDecode(str: string): Buffer;
+export declare function generateId(prefix: string): string;
+export declare function isObject(value: unknown): value is Record<string, unknown>;
+export declare function parseJson<T>(value: string): T;
+//# sourceMappingURL=utils.d.ts.map

package/dist/lib/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/lib/utils.ts"],"names":[],"mappings":"AAEA,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,CAMnE;AAGD,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAInD;AAID,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAIjD;AAID,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzE;AAGD,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAE7C"}

package/dist/lib/utils.js

@@ -0,0 +1,25 @@
+import { randomBytes } from "node:crypto";
+export function base64UrlEncode(buffer) {
+    return Buffer.from(buffer)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+export function base64UrlDecode(str) {
+    // Pad to multiple of 4
+    const padded = str + "=".repeat((4 - (str.length % 4)) % 4);
+    return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+export function generateId(prefix) {
+    // 128-bit random, base64url encoded (~22 chars). Collision risk is negligible.
+    const suffix = base64UrlEncode(randomBytes(16));
+    return `${prefix}_${suffix}`;
+}
+export function isObject(value) {
+    return typeof value === "object" && value !== null;
+}
+export function parseJson(value) {
+    return JSON.parse(value);
+}
+//# sourceMappingURL=utils.js.map

package/dist/lib/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/lib/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,UAAU,eAAe,CAAC,MAA2B;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;SACrB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AAGD,MAAM,UAAU,eAAe,CAAC,GAAW;IACvC,uBAAuB;IACvB,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC/E,CAAC;AAID,MAAM,UAAU,UAAU,CAAC,MAAc;IACrC,+EAA+E;IAC/E,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAChD,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAID,MAAM,UAAU,QAAQ,CAAC,KAAc;IACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AACvD,CAAC;AAGD,MAAM,UAAU,SAAS,CAAI,KAAa;IACtC,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAM,CAAC;AAClC,CAAC"}

package/dist/memory/encrypted-store.d.ts

@@ -0,0 +1,29 @@
+/**
+ * EncryptedStore — AES-256-GCM in-memory key-value store.
+ *
+ * Security properties:
+ * - Every value is independently encrypted with a fresh random IV.
+ * - The encryption key never leaves this module after init.
+ * - Plaintext is never held in a variable after encryption/before decryption.
+ * - Store is process-local; there is no persistence to disk.
+ *
+ * Format: "iv:authTag:ciphertext" (all base64, colon-separated)
+ */
+export declare class EncryptedStore {
+    private readonly key;
+    private readonly store;
+    private constructor();
+    /**
+     * Create a new EncryptedStore.
+     * @param hexKey Optional 64-char hex string (32 bytes). Generated randomly if omitted.
+     */
+    static create(hexKey?: string): EncryptedStore;
+    set(key: string, value: unknown): void;
+    get<T>(key: string): T | undefined;
+    append<T>(key: string, item: T): void;
+    has(key: string): boolean;
+    delete(key: string): void;
+    get size(): number;
+    clear(): void;
+}
+//# sourceMappingURL=encrypted-store.d.ts.map

package/dist/memory/encrypted-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-store.d.ts","sourceRoot":"","sources":["../../src/memory/encrypted-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAQH,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA6B;IAEnD,OAAO;IAIP;;;OAGG;IACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,cAAc;IAa9C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAoBtC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,GAAG,SAAS;IAmClC,MAAM,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI;IAMrC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAIzB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAIzB,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,KAAK,IAAI,IAAI;CAGhB"}

package/dist/memory/encrypted-store.js

@@ -0,0 +1,102 @@
+/**
+ * EncryptedStore — AES-256-GCM in-memory key-value store.
+ *
+ * Security properties:
+ * - Every value is independently encrypted with a fresh random IV.
+ * - The encryption key never leaves this module after init.
+ * - Plaintext is never held in a variable after encryption/before decryption.
+ * - Store is process-local; there is no persistence to disk.
+ *
+ * Format: "iv:authTag:ciphertext" (all base64, colon-separated)
+ */
+import { randomBytes, createCipheriv, createDecipheriv } from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_BYTES = 12; // 96-bit IV — GCM recommended
+const TAG_BYTES = 16; // 128-bit auth tag — maximum GCM strength
+export class EncryptedStore {
+    constructor(key) {
+        this.store = new Map();
+        this.key = key;
+    }
+    /**
+     * Create a new EncryptedStore.
+     * @param hexKey Optional 64-char hex string (32 bytes). Generated randomly if omitted.
+     */
+    static create(hexKey) {
+        let key;
+        if (hexKey) {
+            if (!/^[0-9a-fA-F]{64}$/.test(hexKey)) {
+                throw new Error("encryptionKey must be a 64-character hex string (32 bytes)");
+            }
+            key = Buffer.from(hexKey, "hex");
+        }
+        else {
+            key = randomBytes(32);
+        }
+        return new EncryptedStore(key);
+    }
+    set(key, value) {
+        const plaintext = JSON.stringify(value);
+        const iv = randomBytes(IV_BYTES);
+        const cipher = createCipheriv(ALGORITHM, this.key, iv);
+        const encrypted = Buffer.concat([
+            cipher.update(plaintext, "utf8"),
+            cipher.final(),
+        ]);
+        const tag = cipher.getAuthTag();
+        // Format: base64(iv):base64(tag):base64(ciphertext)
+        const encoded = [
+            iv.toString("base64"),
+            tag.toString("base64"),
+            encrypted.toString("base64"),
+        ].join(":");
+        this.store.set(key, encoded);
+    }
+    get(key) {
+        const encoded = this.store.get(key);
+        if (!encoded)
+            return undefined;
+        const parts = encoded.split(":");
+        if (parts.length !== 3) {
+            throw new Error(`EncryptedStore: corrupted entry at key "${key}"`);
+        }
+        const iv = Buffer.from(parts[0], "base64");
+        const tag = Buffer.from(parts[1], "base64");
+        const ciphertext = Buffer.from(parts[2], "base64");
+        if (iv.length !== IV_BYTES) {
+            throw new Error(`EncryptedStore: invalid IV length for key "${key}"`);
+        }
+        if (tag.length !== TAG_BYTES) {
+            throw new Error(`EncryptedStore: invalid auth tag length for key "${key}"`);
+        }
+        const decipher = createDecipheriv(ALGORITHM, this.key, iv);
+        decipher.setAuthTag(tag);
+        let plaintext;
+        try {
+            plaintext = decipher.update(ciphertext, undefined, "utf8") + decipher.final("utf8");
+        }
+        catch {
+            // GCM auth tag mismatch — data has been tampered with
+            throw new Error(`EncryptedStore: authentication failed for key "${key}" — possible tampering`);
+        }
+        return JSON.parse(plaintext);
+    }
+    append(key, item) {
+        const existing = this.get(key) ?? [];
+        existing.push(item);
+        this.set(key, existing);
+    }
+    has(key) {
+        return this.store.has(key);
+    }
+    delete(key) {
+        this.store.delete(key);
+    }
+    get size() {
+        return this.store.size;
+    }
+    clear() {
+        this.store.clear();
+    }
+}
+//# sourceMappingURL=encrypted-store.js.map