agents-chain 0.0.2 → 0.0.3

package/dist/chain.js

@@ -23,6 +23,9 @@ import { TokenVerifier } from "./auth/token-verifier.js";
 import { AuditLog } from "./audit/audit-log.js";
 import { wrapOpenAI } from "./wrappers/openai-wrapper.js";
 import { wrapAnthropic } from "./wrappers/anthropic-wrapper.js";
+import { HostIdentity } from "./host/host-identity.js";
+import { CapabilityRegistry } from "./app/capability-registry.js";
+import { wrapApp, attachRegistry } from "./app/app-wrapper.js";
 export class AgentsChain {
     constructor(store, identity, builder, verifier, log) {
         this.store = store;
@@ -87,4 +90,116 @@ export class AgentsChain {
         };
     }
 }
+// ─── AppChain ─────────────────────────────────────────────────────────────────
+/**
+ * AppChain — wraps any app object with capability-gated security.
+ *
+ * Unlike AgentsChain (which wraps AI SDKs), AppChain wraps your own service
+ * objects or any external app, enforcing agent identity, permission grants,
+ * constraint validation, and an audit trail on every capability call.
+ *
+ * Usage:
+ *   const chain = await AppChain.create({
+ *     providerName: "billing-service",
+ *     issuer: "https://billing.mycompany.com",
+ *     capabilities: [invoiceCapability, refundCapability],
+ *   });
+ *
+ *   // Wrap your service — every call is identity-bound and audited
+ *   const secured = chain.wrap(billingService, agentGrants);
+ *   const invoice = await secured.createInvoice({ customerId: "c1", amount: 500 });
+ *
+ *   // Serve well-known for agent discovery
+ *   app.get("/.well-known/agent-configuration", (req, res) => res.json(chain.getWellKnownConfig()));
+ *
+ *   // Flush audit on shutdown
+ *   process.on("SIGTERM", () => chain.drain());
+ */
+export class AppChain {
+    constructor(host, registry, identity, builder, verifier, log, exporter) {
+        this.host = host;
+        this.registry = registry;
+        this.identity = identity;
+        this.builder = builder;
+        this.verifier = verifier;
+        this.log = log;
+        this.exporter = exporter;
+    }
+    static async create(config) {
+        const store = EncryptedStore.create(config.encryptionKey);
+        const jtiCache = new JtiCache(config.jtiAdapter);
+        // Create a synthetic agent identity for this app chain instance
+        const identity = await AgentIdentity.create({
+            agentName: config.providerName,
+            hostname: config.providerName,
+            capabilities: config.capabilities.map((c) => c.name),
+            encryptionKey: config.encryptionKey,
+        }, store);
+        const builder = new TokenBuilder(identity);
+        const verifier = new TokenVerifier(identity, jtiCache, {
+            grantResolver: config.grantResolver,
+        });
+        const log = new AuditLog(store);
+        // Build capability registry
+        const registry = new CapabilityRegistry();
+        for (const cap of config.capabilities) {
+            registry.register(cap);
+        }
+        // Create Host identity for signing agent registration JWTs
+        const host = await HostIdentity.create({
+            name: config.host?.name ?? config.providerName,
+            issuerUrl: config.host?.issuerUrl ?? config.issuer,
+            encryptionKey: config.encryptionKey,
+        });
+        return new AppChain(host, registry, identity, builder, verifier, log, config.auditExporter);
+    }
+    /**
+     * Wrap any object with capability-gated security.
+     *
+     * @param target  The service object to wrap
+     * @param grants  The resolved grants for the agent making calls
+     * @returns       A Proxy with the same type as target
+     */
+    wrap(target, grants) {
+        const ctx = {
+            identity: this.identity,
+            builder: this.builder,
+            verifier: this.verifier,
+            log: this.log,
+            grants,
+        };
+        attachRegistry(ctx, this.registry);
+        return wrapApp(target, this.registry, ctx);
+    }
+    /**
+     * Get the well-known configuration object.
+     * Serve this at GET /.well-known/agent-configuration.
+     */
+    getWellKnownConfig(endpointPrefix) {
+        return this.registry.buildWellKnownConfig(this.host.getRegistration().issuerUrl, this.host.getRegistration().name, endpointPrefix);
+    }
+    getAuditLog() {
+        return this.log.getAll();
+    }
+    getStats() {
+        const entries = this.log.getAll();
+        return {
+            agentId: this.identity.agentId,
+            agentName: this.identity.registration.agentName,
+            hostname: this.identity.registration.hostname,
+            totalCalls: entries.length,
+            successfulCalls: entries.filter((e) => e.result === "success").length,
+            deniedCalls: entries.filter((e) => e.result === "denied").length,
+            errorCalls: entries.filter((e) => e.result === "error").length,
+            registeredAt: this.identity.registration.registeredAt,
+        };
+    }
+    /**
+     * Export all audit entries via the configured exporter, then clear the log.
+     * If no exporter configured, the log is just cleared.
+     */
+    async drain(exporter) {
+        return this.log.drain(exporter ?? this.exporter);
+    }
+}
 //# sourceMappingURL=chain.js.map

package/dist/chain.js.map

@@ -1 +1 @@
-{"version":3,"file":"chain.js","sourceRoot":"","sources":["../src/chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAIhE,MAAM,OAAO,WAAW;IAOpB,YACI,KAAqB,EACrB,QAAuB,EACvB,OAAqB,EACrB,QAAuB,EACvB,GAAa;QAEb,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAmB;QACnC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEhC,OAAO,IAAI,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,6EAA6E;IAE7E,MAAM,CAAmB,MAAS;QAC9B,OAAO,UAAU,CAAC,MAAM,EAAE;YACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;SAChB,CAAC,CAAC;IACP,CAAC;IAED,SAAS,CAAmB,MAAS;QACjC,OAAO,aAAa,CAAC,MAAM,EAAE;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;SAChB,CAAC,CAAC;IACP,CAAC;IAED,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;IACjC,CAAC;IACD,IAAI,YAAY;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC;IACzC,CAAC;IACD,WAAW;QACP,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;IAC7B,CAAC;IACD,WAAW;QACP,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE;YAC1B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACzB,CAAC;IACN,CAAC;IACD,QAAQ;QACJ,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC/C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ;YAC7C,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YACrE,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;YAChE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;YAC9D,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,YAAY;SACxD,CAAC;IACN,CAAC;CACJ"}
+{"version":3,"file":"chain.js","sourceRoot":"","sources":["../src/chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAO/D,MAAM,OAAO,WAAW;IAOpB,YACI,KAAqB,EACrB,QAAuB,EACvB,OAAqB,EACrB,QAAuB,EACvB,GAAa;QAEb,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAmB;QACnC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEhC,OAAO,IAAI,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,6EAA6E;IAE7E,MAAM,CAAmB,MAAS;QAC9B,OAAO,UAAU,CAAC,MAAM,EAAE;YACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;SAChB,CAAC,CAAC;IACP,CAAC;IAED,SAAS,CAAmB,MAAS;QACjC,OAAO,aAAa,CAAC,MAAM,EAAE;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;SAChB,CAAC,CAAC;IACP,CAAC;IAED,IAAI,OAAO;QACP,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;IACjC,CAAC;IACD,IAAI,YAAY;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC;IACzC,CAAC;IACD,WAAW;QACP,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;IAC7B,CAAC;IACD,WAAW;QACP,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE;YAC1B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACzB,CAAC;IACN,CAAC;IACD,QAAQ;QACJ,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC/C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ;YAC7C,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YACrE,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;YAChE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;YAC9D,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,YAAY;SACxD,CAAC;IACN,CAAC;CACJ;AAED,iFAAiF;AAEjF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,OAAO,QAAQ;IAUjB,YACI,IAAkB,EAClB,QAA4B,EAC5B,QAAuB,EACvB,OAAqB,EACrB,QAAuB,EACvB,GAAa,EACb,QAAwB;QAExB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC7B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAsB;QACtC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEjD,gEAAgE;QAChE,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,CACvC;YACI,SAAS,EAAE,MAAM,CAAC,YAAY;YAC9B,QAAQ,EAAE,MAAM,CAAC,YAAY;YAC7B,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YACpD,aAAa,EAAE,MAAM,CAAC,aAAa;SACtC,EACD,KAAK,CACR,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE;YACnD,aAAa,EAAE,MAAM,CAAC,aAAa;SACtC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEhC,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;QAC1C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACpC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAED,2DAA2D;QAC3D,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC;YACnC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC,YAAY;YAC9C,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,IAAI,MAAM,CAAC,MAAM;YAClD,aAAa,EAAE,MAAM,CAAC,aAAa;SACtC,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IAChG,CAAC;IAED;;;;;;OAMG;IACH,IAAI,CAAmB,MAAS,EAAE,MAAuB;QACrD,MAAM,GAAG,GAAwB;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,MAAM;SACT,CAAC;QACF,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,OAAO,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC/C,CAAC;IAED;;;OAGG;IACH,kBAAkB,CAAC,cAAuB;QACtC,OAAO,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CACrC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,SAAS,EACrC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,IAAI,EAChC,cAAc,CACjB,CAAC;IACN,CAAC;IAED,WAAW;QACP,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;IAC7B,CAAC;IAED,QAAQ;QACJ,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO;YAC9B,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC/C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ;YAC7C,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;YACrE,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM;YAChE,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;YAC9D,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,YAAY;SACxD,CAAC;IACN,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAK,CAAC,QAAwB;QAChC,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrD,CAAC;CACJ"}

package/dist/crypto/ed25519.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["../../src/crypto/ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAyD,KAAK,MAAM,EAAE,MAAM,YAAY,CAAC;AAIhG,MAAM,MAAM,SAAS,GAAG;IACpB,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,UAAU,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI;IACxD,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,CAAC,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,WAAW,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACvB,IAAI,EAAE,UAAU,EAAE,CAAC;CACtB,CAAC;AAIF,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC7C,SAAS,EAAE,SAAS,CAAC;IACrB,UAAU,EAAE,SAAS,CAAC;CACzB,CAAC,CAOD;AAID,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAE5E;AAED,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAE7E;AAED,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAW5E;AAED,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAW7E;AAID;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAO5D;AAQD;;;GAGG;AACH,wBAAsB,OAAO,CAAC,CAAC,SAAS,UAAU,EAC9C,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,SAAS,EACrB,GAAG,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAcjB;AASD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAC7D,KAAK,EAAE,MAAM,GACd,UAAU,CAAC,CAAC,CAAC,CAwBf;AAID;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACtE,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,gBAAgB,GACvB,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAyBxB"}
+{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["../../src/crypto/ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAyD,KAAK,MAAM,EAAE,MAAM,YAAY,CAAC;AAIhG,MAAM,MAAM,SAAS,GAAG;IACpB,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,UAAU,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,IAAI;IACxD,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,CAAC,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,WAAW,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACvB,IAAI,EAAE,UAAU,EAAE,CAAC;CACtB,CAAC;AAIF,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC7C,SAAS,EAAE,SAAS,CAAC;IACrB,UAAU,EAAE,SAAS,CAAC;CACzB,CAAC,CAOD;AAID,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAE5E;AAED,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAE7E;AAED,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAW5E;AAED,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAW7E;AAID;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAO5D;AAQD;;;GAGG;AACH,wBAAsB,OAAO,CAAC,CAAC,SAAS,UAAU,EAC9C,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,SAAS,EACrB,GAAG,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAcjB;AAUD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EAC7D,KAAK,EAAE,MAAM,GACd,UAAU,CAAC,CAAC,CAAC,CAwBf;AAID;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,EACtE,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,gBAAgB,GACvB,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAyBxB"}

package/dist/crypto/ed25519.js

@@ -66,7 +66,8 @@ export async function signJwt(payload, privateKey, typ) {
 function isJwtHeader(value) {
     if (!isObject(value))
         return false;
-    return value["alg"] === "EdDSA" && value["typ"] === "agent+jwt";
+    const typ = value["typ"];
+    return value["alg"] === "EdDSA" && (typ === "agent+jwt" || typ === "host+jwt");
 }
 /**
  * Decode a JWT without verifying its signature.

package/dist/crypto/ed25519.js.map

@@ -1 +1 @@
-{"version":3,"file":"ed25519.js","sourceRoot":"","sources":["../../src/crypto/ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAe,MAAM,YAAY,CAAC;AAmChG,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,eAAe;IAIjC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC3C,SAAgC,EAChC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACJ,CAAC;IACnB,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC;AAC5E,CAAC;AAED,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAc;IACnD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAc;IACpD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAe;IACpD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAyB,EAC1C,IAAI,EACJ,CAAC,QAAQ,CAAC,CACb,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAe;IACrD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAyB,EAC1C,IAAI,EACJ,CAAC,MAAM,CAAC,CACX,CAAC;AACN,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;IAC7D,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED,iFAAiF;AAEjF,SAAS,aAAa,CAAC,GAAW;IAC9B,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CACzB,OAAU,EACV,UAAqB,EACrB,GAAW;IAEX,MAAM,MAAM,GAAc,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACrC,SAAgC,EAChC,UAAU,EACV,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,0BAA0B;KACpE,CAAC;IAEF,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;AACpC,CAAC;AAED,gFAAgF;AAEhF,SAAS,WAAW,CAAC,KAAc;IAC/B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC,KAAK,WAAW,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC3B,KAAa;IAEb,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAiC,CAAC;IAE7E,MAAM,SAAS,GAAG,SAAS,CAAU,eAAe,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAU,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpF,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO;QACH,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,UAAe;QACxB,YAAY,EAAE,GAAG,SAAS,IAAI,UAAU,EAAE;QAC1C,SAAS;KACZ,CAAC;AACN,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACpC,KAAa,EACb,SAAoB,EACpB,IAAsB;IAEtB,MAAM,OAAO,GAAG,eAAe,CAAI,KAAK,CAAC,CAAC;IAE1C,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,+BAA+B,IAAI,CAAC,WAAW,WAAW,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,4CAA4C,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAElE,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACpC,SAAgC,EAChC,SAAS,EACT,QAAQ,EACR,UAAU,CAAC,0BAA0B;KACxC,CAAC;IAEF,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC"}
+{"version":3,"file":"ed25519.js","sourceRoot":"","sources":["../../src/crypto/ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAe,MAAM,YAAY,CAAC;AAmChG,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,eAAe;IAIjC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC3C,SAAgC,EAChC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACJ,CAAC;IACnB,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC;AAC5E,CAAC;AAED,iFAAiF;AAEjF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAc;IACnD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAc;IACpD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAe;IACpD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAyB,EAC1C,IAAI,EACJ,CAAC,QAAQ,CAAC,CACb,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAe;IACrD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC1B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAyB,EAC1C,IAAI,EACJ,CAAC,MAAM,CAAC,CACX,CAAC;AACN,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACtE,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;IAC7D,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED,iFAAiF;AAEjF,SAAS,aAAa,CAAC,GAAW;IAC9B,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CACzB,OAAU,EACV,UAAqB,EACrB,GAAW;IAEX,MAAM,MAAM,GAAc,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACrC,SAAgC,EAChC,UAAU,EACV,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,0BAA0B;KACpE,CAAC;IAEF,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;AACpC,CAAC;AAED,gFAAgF;AAEhF,SAAS,WAAW,CAAC,KAAc;IAC/B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IACzB,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,OAAO,IAAI,CAAC,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,UAAU,CAAC,CAAC;AACnF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC3B,KAAa;IAEb,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAiC,CAAC;IAE7E,MAAM,SAAS,GAAG,SAAS,CAAU,eAAe,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAU,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpF,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO;QACH,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,UAAe;QACxB,YAAY,EAAE,GAAG,SAAS,IAAI,UAAU,EAAE;QAC1C,SAAS;KACZ,CAAC;AACN,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACpC,KAAa,EACb,SAAoB,EACpB,IAAsB;IAEtB,MAAM,OAAO,GAAG,eAAe,CAAI,KAAK,CAAC,CAAC;IAE1C,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,+BAA+B,IAAI,CAAC,WAAW,WAAW,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,4CAA4C,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAElE,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACpC,SAAgC,EAChC,SAAS,EACT,QAAQ,EACR,UAAU,CAAC,0BAA0B;KACxC,CAAC;IAEF,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC"}

package/dist/crypto/utils.d.ts

@@ -1,4 +1,4 @@
-export type JwtTyp = "agent+jwt";
+export type JwtTyp = "agent+jwt" | "host+jwt";
 export declare function base64UrlEncode(buffer: Buffer | Uint8Array): string;
 export declare function base64UrlDecode(str: string): Buffer;
 /**

package/dist/crypto/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/crypto/utils.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC;AAEjC,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,CAMnE;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzE;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAE7C"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/crypto/utils.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,MAAM,GAAG,WAAW,GAAG,UAAU,CAAC;AAE9C,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,CAMnE;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAIxD;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzE;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAE7C"}

package/dist/host/host-identity.d.ts

@@ -0,0 +1,66 @@
+/**
+ * HostIdentity — the user's identity anchor for one app.
+ *
+ * A Host holds an Ed25519 keypair. Its JWK thumbprint is the stable Host ID.
+ * It signs host+jwt tokens for management operations (registering agents,
+ * revoking, rotating keys) against an agent-auth compliant server.
+ *
+ * Security properties:
+ * - Private key is non-extractable by default (stays in process memory)
+ * - Thumbprint (Host ID) is derived from the public key — cryptographically stable
+ * - On process restart, a new keypair is generated → new Host ID (key rotation)
+ * - If the user needs a stable identity across restarts, they persist and reload
+ *   the private key via HostIdentity.fromPrivateKeyJwk()
+ */
+import type { HostJwtClaims } from "../types/protocol.js";
+export type HostConfig = {
+    name: string;
+    issuerUrl: string;
+    encryptionKey?: string;
+};
+export type HostRegistration = {
+    hostId: string;
+    name: string;
+    issuerUrl: string;
+    publicKeyJwk: JsonWebKey;
+    thumbprint: string;
+    createdAt: number;
+};
+export declare class HostIdentity {
+    private readonly privateKey;
+    private readonly registration;
+    private readonly store;
+    /** The stable Host ID — the SHA-256 JWK thumbprint of the public key. */
+    readonly hostId: string;
+    private constructor();
+    /**
+     * Create a new HostIdentity with a freshly generated Ed25519 keypair.
+     * Each call produces a different keypair (and therefore a different hostId).
+     */
+    static create(config: HostConfig): Promise<HostIdentity>;
+    /**
+     * Restore a HostIdentity from both private and public key JWKs.
+     * Use this for stable identity across restarts.
+     */
+    static fromKeyPair(privateKeyJwk: JsonWebKey, publicKeyJwk: JsonWebKey, config: HostConfig): Promise<HostIdentity>;
+    /**
+     * Export the private key as JWK so the caller can persist it.
+     * The caller is responsible for securing this value.
+     */
+    exportPrivateKeyJwk(): Promise<JsonWebKey>;
+    /**
+     * Sign a 60-second host+jwt for management operations.
+     *
+     * @param extra  Optional additional claims to include (e.g. agent_public_key for registration)
+     */
+    signJwt(extra?: Partial<HostJwtClaims>): Promise<string>;
+    /**
+     * Sign a host+jwt that embeds the agent's public key.
+     * Used when calling POST /agent/register on an agent-auth server.
+     */
+    signAgentRegistrationJwt(agentPublicKeyJwk: JsonWebKey): Promise<string>;
+    getPublicKeyJwk(): JsonWebKey;
+    getRegistration(): HostRegistration;
+    get thumbprint(): string;
+}
+//# sourceMappingURL=host-identity.d.ts.map

package/dist/host/host-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-identity.d.ts","sourceRoot":"","sources":["../../src/host/host-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAaH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAK1D,MAAM,MAAM,UAAU,GAAG;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,UAAU,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,qBAAa,YAAY;IAKjB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAC7B,OAAO,CAAC,QAAQ,CAAC,KAAK;IAN1B,yEAAyE;IACzE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,OAAO;IAQP;;;OAGG;WACU,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC;IAmB9D;;;OAGG;WACU,WAAW,CACpB,aAAa,EAAE,UAAU,EACzB,YAAY,EAAE,UAAU,EACxB,MAAM,EAAE,UAAU,GACnB,OAAO,CAAC,YAAY,CAAC;IAkBxB;;;OAGG;IACG,mBAAmB,IAAI,OAAO,CAAC,UAAU,CAAC;IAIhD;;;;OAIG;IACG,OAAO,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAgB9D;;;OAGG;IACG,wBAAwB,CAAC,iBAAiB,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAI9E,eAAe,IAAI,UAAU;IAI7B,eAAe,IAAI,gBAAgB;IAInC,IAAI,UAAU,IAAI,MAAM,CAEvB;CACJ"}

package/dist/host/host-identity.js

@@ -0,0 +1,109 @@
+/**
+ * HostIdentity — the user's identity anchor for one app.
+ *
+ * A Host holds an Ed25519 keypair. Its JWK thumbprint is the stable Host ID.
+ * It signs host+jwt tokens for management operations (registering agents,
+ * revoking, rotating keys) against an agent-auth compliant server.
+ *
+ * Security properties:
+ * - Private key is non-extractable by default (stays in process memory)
+ * - Thumbprint (Host ID) is derived from the public key — cryptographically stable
+ * - On process restart, a new keypair is generated → new Host ID (key rotation)
+ * - If the user needs a stable identity across restarts, they persist and reload
+ *   the private key via HostIdentity.fromPrivateKeyJwk()
+ */
+import { randomBytes } from "node:crypto";
+import { generateKeyPair, exportPublicKeyJwk, exportPrivateKeyJwk, importPrivateKeyJwk, computeJwkThumbprint, signJwt, } from "../crypto/ed25519.js";
+import { base64UrlEncode } from "../crypto/utils.js";
+import { EncryptedStore } from "../memory/encrypted-store.js";
+const TOKEN_TTL_SECONDS = 60;
+const STORE_KEY = "host:identity";
+export class HostIdentity {
+    constructor(privateKey, registration, store) {
+        this.privateKey = privateKey;
+        this.registration = registration;
+        this.store = store;
+        this.hostId = registration.hostId;
+    }
+    /**
+     * Create a new HostIdentity with a freshly generated Ed25519 keypair.
+     * Each call produces a different keypair (and therefore a different hostId).
+     */
+    static async create(config) {
+        const store = EncryptedStore.create(config.encryptionKey);
+        const { publicKey, privateKey } = await generateKeyPair();
+        const publicKeyJwk = await exportPublicKeyJwk(publicKey);
+        const thumbprint = computeJwkThumbprint(publicKeyJwk);
+        const registration = {
+            hostId: thumbprint,
+            name: config.name,
+            issuerUrl: config.issuerUrl,
+            publicKeyJwk,
+            thumbprint,
+            createdAt: Date.now(),
+        };
+        store.set(STORE_KEY, registration);
+        return new HostIdentity(privateKey, registration, store);
+    }
+    /**
+     * Restore a HostIdentity from both private and public key JWKs.
+     * Use this for stable identity across restarts.
+     */
+    static async fromKeyPair(privateKeyJwk, publicKeyJwk, config) {
+        const store = EncryptedStore.create(config.encryptionKey);
+        const privateKey = await importPrivateKeyJwk(privateKeyJwk);
+        const thumbprint = computeJwkThumbprint(publicKeyJwk);
+        const registration = {
+            hostId: thumbprint,
+            name: config.name,
+            issuerUrl: config.issuerUrl,
+            publicKeyJwk,
+            thumbprint,
+            createdAt: Date.now(),
+        };
+        store.set(STORE_KEY, registration);
+        return new HostIdentity(privateKey, registration, store);
+    }
+    /**
+     * Export the private key as JWK so the caller can persist it.
+     * The caller is responsible for securing this value.
+     */
+    async exportPrivateKeyJwk() {
+        return exportPrivateKeyJwk(this.privateKey);
+    }
+    /**
+     * Sign a 60-second host+jwt for management operations.
+     *
+     * @param extra  Optional additional claims to include (e.g. agent_public_key for registration)
+     */
+    async signJwt(extra) {
+        const nowSeconds = Math.floor(Date.now() / 1000);
+        const jti = base64UrlEncode(randomBytes(16));
+        const claims = {
+            iss: this.registration.thumbprint,
+            aud: this.registration.issuerUrl,
+            iat: nowSeconds,
+            exp: nowSeconds + TOKEN_TTL_SECONDS,
+            jti,
+            ...extra,
+        };
+        return signJwt(claims, this.privateKey, "host+jwt");
+    }
+    /**
+     * Sign a host+jwt that embeds the agent's public key.
+     * Used when calling POST /agent/register on an agent-auth server.
+     */
+    async signAgentRegistrationJwt(agentPublicKeyJwk) {
+        return this.signJwt({ agent_public_key: agentPublicKeyJwk });
+    }
+    getPublicKeyJwk() {
+        return this.registration.publicKeyJwk;
+    }
+    getRegistration() {
+        return this.registration;
+    }
+    get thumbprint() {
+        return this.registration.thumbprint;
+    }
+}
+//# sourceMappingURL=host-identity.js.map

package/dist/host/host-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-identity.js","sourceRoot":"","sources":["../../src/host/host-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,mBAAmB,EACnB,oBAAoB,EACpB,OAAO,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAG9D,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,SAAS,GAAG,eAAe,CAAC;AAiBlC,MAAM,OAAO,YAAY;IAIrB,YACqB,UAAqB,EACrB,YAA8B,EAC9B,KAAqB;QAFrB,eAAU,GAAV,UAAU,CAAW;QACrB,iBAAY,GAAZ,YAAY,CAAkB;QAC9B,UAAK,GAAL,KAAK,CAAgB;QAEtC,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC;IACtC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAkB;QAClC,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,eAAe,EAAE,CAAC;QAC1D,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QAEtD,MAAM,YAAY,GAAqB;YACnC,MAAM,EAAE,UAAU;YAClB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY;YACZ,UAAU;YACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QAEF,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QACnC,OAAO,IAAI,YAAY,CAAC,UAAU,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;IAC7D,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,WAAW,CACpB,aAAyB,EACzB,YAAwB,EACxB,MAAkB;QAElB,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,aAAa,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QAEtD,MAAM,YAAY,GAAqB;YACnC,MAAM,EAAE,UAAU;YAClB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,YAAY;YACZ,UAAU;YACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QAEF,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QACnC,OAAO,IAAI,YAAY,CAAC,UAAU,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;IAC7D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,mBAAmB;QACrB,OAAO,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CAAC,KAA8B;QACxC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;QAE7C,MAAM,MAAM,GAAkB;YAC1B,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,UAAU;YACjC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS;YAChC,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,UAAU,GAAG,iBAAiB;YACnC,GAAG;YACH,GAAG,KAAK;SACX,CAAC;QAEF,OAAO,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACxD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,wBAAwB,CAAC,iBAA6B;QACxD,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,eAAe;QACX,OAAO,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC;IAC1C,CAAC;IAED,eAAe;QACX,OAAO,IAAI,CAAC,YAAY,CAAC;IAC7B,CAAC;IAED,IAAI,UAAU;QACV,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC;IACxC,CAAC;CACJ"}

package/dist/index.d.ts

@@ -1,9 +1,22 @@
 export { AgentsChain } from "./chain.js";
+export { AppChain } from "./chain.js";
+export { HostIdentity } from "./host/host-identity.js";
+export type { HostConfig, HostRegistration } from "./host/host-identity.js";
+export { CapabilityRegistry } from "./app/capability-registry.js";
+export { wrapApp } from "./app/app-wrapper.js";
+export type { AppInterceptContext } from "./app/app-wrapper.js";
+export { ConsoleAuditExporter, HttpAuditExporter } from "./audit/audit-exporter.js";
+export type { AuditExporter, HttpAuditExporterConfig } from "./audit/audit-exporter.js";
 export { ChainAuthError } from "./errors/chain-error.js";
 export type { ChainErrorCode } from "./errors/chain-error.js";
-export type { AgentConfig, ChainStats, AuditSnapshot } from "./types/chain.js";
+export type { AgentConfig, ChainStats, AuditSnapshot, AppChainConfig } from "./types/chain.js";
 export type { AuditEntry, AuditResult } from "./types/audit.js";
 export type { RegisteredAgent, CapabilityGrant, CapabilityConstraints, ConstraintOperator, ConstraintValue, ConstraintPrimitive, } from "./types/identity.js";
+export type { Capability, AgentContext, GrantConstraints, JsonSchemaObject, } from "./types/capabilities.js";
+export type { ConstraintOperator as CapabilityConstraintOperator, ConstraintValue as CapabilityConstraintValue, ConstraintPrimitive as CapabilityConstraintPrimitive, } from "./types/capabilities.js";
+export type { HostJwtClaims, AgentJwtClaims, AgentConfiguration, GrantStatus, ResolvedGrant, } from "./types/protocol.js";
+export type { JtiPersistenceAdapter } from "./memory/jti-cache.js";
+export type { VerifierConfig, VerifiedCallContext } from "./auth/token-verifier.js";
 export { generateKeyPair, exportPublicKeyJwk, exportPrivateKeyJwk, importPublicKeyJwk, computeJwkThumbprint, signJwt, verifyJwtSignature, decodeJwtUnsafe, } from "./crypto/ed25519.js";
 export { generateId, generateAgentId, base64UrlEncode, base64UrlDecode } from "./crypto/utils.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,YAAY,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAC/E,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAChE,YAAY,EACR,eAAe,EACf,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,eAAe,EACf,mBAAmB,GACtB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,OAAO,EACP,kBAAkB,EAClB,eAAe,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAItC,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAI5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAIhE,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AACpF,YAAY,EAAE,aAAa,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAIxF,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,YAAY,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAI9D,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAI/F,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAIhE,YAAY,EACR,eAAe,EACf,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,eAAe,EACf,mBAAmB,GACtB,MAAM,qBAAqB,CAAC;AAI7B,YAAY,EACR,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,gBAAgB,GACnB,MAAM,yBAAyB,CAAC;AAGjC,YAAY,EACR,kBAAkB,IAAI,4BAA4B,EAClD,eAAe,IAAI,yBAAyB,EAC5C,mBAAmB,IAAI,6BAA6B,GACvD,MAAM,yBAAyB,CAAC;AAIjC,YAAY,EACR,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,WAAW,EACX,aAAa,GAChB,MAAM,qBAAqB,CAAC;AAI7B,YAAY,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAInE,YAAY,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAIpF,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,OAAO,EACP,kBAAkB,EAClB,eAAe,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -1,5 +1,16 @@
+// ─── Main classes ─────────────────────────────────────────────────────────────
 export { AgentsChain } from "./chain.js";
+export { AppChain } from "./chain.js";
+// ─── Host layer ───────────────────────────────────────────────────────────────
+export { HostIdentity } from "./host/host-identity.js";
+// ─── App wrapper ──────────────────────────────────────────────────────────────
+export { CapabilityRegistry } from "./app/capability-registry.js";
+export { wrapApp } from "./app/app-wrapper.js";
+// ─── Audit exporters ─────────────────────────────────────────────────────────
+export { ConsoleAuditExporter, HttpAuditExporter } from "./audit/audit-exporter.js";
+// ─── Errors ───────────────────────────────────────────────────────────────────
 export { ChainAuthError } from "./errors/chain-error.js";
+// ─── Crypto utilities ─────────────────────────────────────────────────────────
 export { generateKeyPair, exportPublicKeyJwk, exportPrivateKeyJwk, importPublicKeyJwk, computeJwkThumbprint, signJwt, verifyJwtSignature, decodeJwtUnsafe, } from "./crypto/ed25519.js";
 export { generateId, generateAgentId, base64UrlEncode, base64UrlDecode } from "./crypto/utils.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAazD,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,OAAO,EACP,kBAAkB,EAClB,eAAe,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,iFAAiF;AAEjF,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,iFAAiF;AAEjF,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAGvD,iFAAiF;AAEjF,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAG/C,gFAAgF;AAEhF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAGpF,iFAAiF;AAEjF,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAwDzD,iFAAiF;AAEjF,OAAO,EACH,eAAe,EACf,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,OAAO,EACP,kBAAkB,EAClB,eAAe,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/memory/jti-cache.d.ts

@@ -1,5 +1,5 @@
 /**
- * JtiCache — in-memory JWT ID replay protection.
+ * JtiCache — JWT ID replay protection with optional persistence adapter.
  *
  * Security properties:
  * - Every agent+jwt carries a unique `jti` (JWT ID).
@@ -10,13 +10,40 @@
  *
  * The window is 90 seconds to comfortably cover the 60-second token max TTL
  * plus clock skew tolerance.
+ *
+ * Persistence adapter (optional):
+ * By default, the cache is in-memory and resets on process restart (which is
+ * safe — a new keypair = new identity = old tokens invalid anyway).
+ *
+ * If you need replay protection to survive restarts (e.g. shared deployment),
+ * provide a JtiPersistenceAdapter backed by Redis or your DB.
+ * The package does NOT ship a Redis client — the user provides it.
+ *
+ * Example Redis adapter:
+ *   const adapter: JtiPersistenceAdapter = {
+ *     has: (key) => redis.exists(key).then(Boolean),
+ *     set: (key, ttlMs) => redis.set(key, "1", "PX", ttlMs).then(() => {}),
+ *   };
  */
+/**
+ * Interface for backing the JTI cache with a persistent store (e.g. Redis).
+ * Implement this interface and pass it to JtiCache to survive process restarts.
+ */
+export interface JtiPersistenceAdapter {
+    /** Returns true if the key exists (and has not expired). */
+    has(key: string): Promise<boolean>;
+    /** Store the key with the given TTL in milliseconds. */
+    set(key: string, ttlMs: number): Promise<void>;
+}
 export declare class JtiCache {
     /** Map of "<agentId>:<jti>" → expiry timestamp (Unix ms) */
-    private readonly cache;
-    assert(agentId: string, jti: string): void;
-    /** Remove all entries whose expiry has passed. */
+    private readonly inMemory;
+    private readonly adapter?;
+    constructor(adapter?: JtiPersistenceAdapter);
+    assert(agentId: string, jti: string): Promise<void>;
+    /** Remove all in-memory entries whose expiry has passed. */
     private evictExpired;
+    /** Number of in-memory entries (does not reflect persistent store). */
     get size(): number;
 }
 //# sourceMappingURL=jti-cache.d.ts.map

package/dist/memory/jti-cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jti-cache.d.ts","sourceRoot":"","sources":["../../src/memory/jti-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,qBAAa,QAAQ;IACjB,4DAA4D;IAC5D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA6B;IAEnD,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAgB1C,kDAAkD;IAClD,OAAO,CAAC,YAAY;IASpB,IAAI,IAAI,IAAI,MAAM,CAEjB;CACJ"}
+{"version":3,"file":"jti-cache.d.ts","sourceRoot":"","sources":["../../src/memory/jti-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAMH;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IAClC,4DAA4D;IAC5D,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACnC,wDAAwD;IACxD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClD;AAED,qBAAa,QAAQ;IACjB,4DAA4D;IAC5D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;IACtD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAwB;gBAErC,OAAO,CAAC,EAAE,qBAAqB;IAIrC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA2BzD,4DAA4D;IAC5D,OAAO,CAAC,YAAY;IASpB,uEAAuE;IACvE,IAAI,IAAI,IAAI,MAAM,CAEjB;CACJ"}

package/dist/memory/jti-cache.js

@@ -1,5 +1,5 @@
 /**
- * JtiCache — in-memory JWT ID replay protection.
+ * JtiCache — JWT ID replay protection with optional persistence adapter.
  *
  * Security properties:
  * - Every agent+jwt carries a unique `jti` (JWT ID).
@@ -10,34 +10,61 @@
  *
  * The window is 90 seconds to comfortably cover the 60-second token max TTL
  * plus clock skew tolerance.
+ *
+ * Persistence adapter (optional):
+ * By default, the cache is in-memory and resets on process restart (which is
+ * safe — a new keypair = new identity = old tokens invalid anyway).
+ *
+ * If you need replay protection to survive restarts (e.g. shared deployment),
+ * provide a JtiPersistenceAdapter backed by Redis or your DB.
+ * The package does NOT ship a Redis client — the user provides it.
+ *
+ * Example Redis adapter:
+ *   const adapter: JtiPersistenceAdapter = {
+ *     has: (key) => redis.exists(key).then(Boolean),
+ *     set: (key, ttlMs) => redis.set(key, "1", "PX", ttlMs).then(() => {}),
+ *   };
  */
 import { ChainAuthError } from "../errors/chain-error.js";
 const REPLAY_WINDOW_MS = 90000; // 90 seconds
 export class JtiCache {
-    constructor() {
+    constructor(adapter) {
         /** Map of "<agentId>:<jti>" → expiry timestamp (Unix ms) */
-        this.cache = new Map();
+        this.inMemory = new Map();
+        this.adapter = adapter;
     }
-    assert(agentId, jti) {
-        this.evictExpired();
+    async assert(agentId, jti) {
         const cacheKey = `${agentId}:${jti}`;
-        const existing = this.cache.get(cacheKey);
-        if (existing !== undefined) {
-            throw new ChainAuthError("token_replayed", `JWT has already been used (jti="${jti}") — replay attack detected`);
+        if (this.adapter) {
+            // Persistent path — delegate to adapter
+            const exists = await this.adapter.has(cacheKey);
+            if (exists) {
+                throw new ChainAuthError("token_replayed", `JWT has already been used (jti="${jti}") — replay attack detected`);
+            }
+            await this.adapter.set(cacheKey, REPLAY_WINDOW_MS);
+        }
+        else {
+            // In-memory path
+            this.evictExpired();
+            const existing = this.inMemory.get(cacheKey);
+            if (existing !== undefined) {
+                throw new ChainAuthError("token_replayed", `JWT has already been used (jti="${jti}") — replay attack detected`);
+            }
+            this.inMemory.set(cacheKey, Date.now() + REPLAY_WINDOW_MS);
         }
-        this.cache.set(cacheKey, Date.now() + REPLAY_WINDOW_MS);
     }
-    /** Remove all entries whose expiry has passed. */
+    /** Remove all in-memory entries whose expiry has passed. */
     evictExpired() {
         const now = Date.now();
-        for (const [key, expiry] of this.cache) {
+        for (const [key, expiry] of this.inMemory) {
             if (expiry < now) {
-                this.cache.delete(key);
+                this.inMemory.delete(key);
             }
         }
     }
+    /** Number of in-memory entries (does not reflect persistent store). */
     get size() {
-        return this.cache.size;
+        return this.inMemory.size;
     }
 }
 //# sourceMappingURL=jti-cache.js.map

package/dist/memory/jti-cache.js.map

@@ -1 +1 @@
-{"version":3,"file":"jti-cache.js","sourceRoot":"","sources":["../../src/memory/jti-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,MAAM,gBAAgB,GAAG,KAAM,CAAC,CAAC,aAAa;AAE9C,MAAM,OAAO,QAAQ;IAArB;QACI,4DAA4D;QAC3C,UAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IA+BvD,CAAC;IA7BG,MAAM,CAAC,OAAe,EAAE,GAAW;QAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;QAEpB,MAAM,QAAQ,GAAG,GAAG,OAAO,IAAI,GAAG,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE1C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,cAAc,CACpB,gBAAgB,EAChB,mCAAmC,GAAG,6BAA6B,CACtE,CAAC;QACN,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,CAAC,CAAC;IAC5D,CAAC;IAED,kDAAkD;IAC1C,YAAY;QAChB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACrC,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;gBACf,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACL,CAAC;IACL,CAAC;IAED,IAAI,IAAI;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IAC3B,CAAC;CACJ"}
+{"version":3,"file":"jti-cache.js","sourceRoot":"","sources":["../../src/memory/jti-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,MAAM,gBAAgB,GAAG,KAAM,CAAC,CAAC,aAAa;AAa9C,MAAM,OAAO,QAAQ;IAKjB,YAAY,OAA+B;QAJ3C,4DAA4D;QAC3C,aAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;QAIlD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACrC,MAAM,QAAQ,GAAG,GAAG,OAAO,IAAI,GAAG,EAAE,CAAC;QAErC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,wCAAwC;YACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,MAAM,EAAE,CAAC;gBACT,MAAM,IAAI,cAAc,CACpB,gBAAgB,EAChB,mCAAmC,GAAG,6BAA6B,CACtE,CAAC;YACN,CAAC;YACD,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACJ,iBAAiB;YACjB,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CACpB,gBAAgB,EAChB,mCAAmC,GAAG,6BAA6B,CACtE,CAAC;YACN,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,4DAA4D;IACpD,YAAY;QAChB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxC,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC9B,CAAC;QACL,CAAC;IACL,CAAC;IAED,uEAAuE;IACvE,IAAI,IAAI;QACJ,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC9B,CAAC;CACJ"}