agentvault 1.0.0 → 1.0.2

package/dist/src/security/multisig.js

@@ -0,0 +1,283 @@
+/**
+ * Multi-Signature Approval Workflows
+ *
+ * Manages local approval workflows requiring multiple signatures.
+ * This is a LOCAL approval tracking system, not cryptographic multisig.
+ *
+ * IMPORTANT: For production blockchain multisig, use:
+ * - ICP canister-based threshold signatures (VetKeys)
+ * - The canister multisig module for on-chain verification
+ *
+ * This module provides:
+ * - Approval request tracking
+ * - Signature collection and counting
+ * - Policy-based approval thresholds
+ * - Audit trail for approvals
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import crypto from 'node:crypto';
+import { parse, stringify } from 'yaml';
+const AGENTVAULT_DIR = path.join(os.homedir(), '.agentvault');
+const APPROVALS_DIR = path.join(AGENTVAULT_DIR, 'approvals');
+function ensureApprovalsDir() {
+    if (!fs.existsSync(AGENTVAULT_DIR)) {
+        fs.mkdirSync(AGENTVAULT_DIR, { recursive: true });
+    }
+    if (!fs.existsSync(APPROVALS_DIR)) {
+        fs.mkdirSync(APPROVALS_DIR, { recursive: true });
+    }
+}
+function getApprovalFilePath(id) {
+    ensureApprovalsDir();
+    return path.join(APPROVALS_DIR, `${id}.yaml`);
+}
+function generateRequestId() {
+    return `req-${Date.now()}-${crypto.randomBytes(4).toString('hex')}`;
+}
+/**
+ * Create a new approval request
+ */
+export function createApprovalRequest(type, agentName, description, proposedBy, config, data) {
+    const id = generateRequestId();
+    const timestamp = new Date();
+    const requiredApprovals = config.requiredApprovals || calculateRequiredApprovals(config.policy, config.allowedSigners?.length || 1);
+    const request = {
+        id,
+        type,
+        agentName,
+        description,
+        proposedBy,
+        timestamp,
+        policy: config.policy,
+        requiredApprovals,
+        approvals: [],
+        status: 'pending',
+        data,
+    };
+    if (config.approvalTimeoutMs) {
+        request.expiresAt = new Date(timestamp.getTime() + config.approvalTimeoutMs);
+    }
+    const filePath = getApprovalFilePath(id);
+    fs.writeFileSync(filePath, stringify(request), 'utf8');
+    return request;
+}
+/**
+ * Calculate required approvals based on policy
+ */
+export function calculateRequiredApprovals(policy, totalSigners) {
+    switch (policy) {
+        case 'all':
+            return totalSigners;
+        case 'majority':
+            return Math.floor(totalSigners / 2) + 1;
+        case 'quorum':
+        default:
+            return Math.max(1, Math.ceil(totalSigners * 0.6));
+    }
+}
+/**
+ * Sign an approval request
+ */
+export function signApprovalRequest(id, signer, comment) {
+    const request = getApprovalRequest(id);
+    if (!request) {
+        return false;
+    }
+    if (request.status !== 'pending') {
+        return false;
+    }
+    const existingSignature = request.approvals.find((s) => s.signer === signer);
+    if (existingSignature) {
+        return false;
+    }
+    const approvalSignature = {
+        signer,
+        auditToken: crypto.createHash('sha256')
+            .update(`${id}:${signer}:${Date.now()}:${request.description}`)
+            .digest('hex'),
+        timestamp: new Date(),
+        comment,
+    };
+    request.approvals.push(approvalSignature);
+    if (request.approvals.length >= request.requiredApprovals) {
+        request.status = 'approved';
+    }
+    const filePath = getApprovalFilePath(id);
+    fs.writeFileSync(filePath, stringify(request), 'utf8');
+    return true;
+}
+/**
+ * Reject an approval request
+ */
+export function rejectApprovalRequest(id, rejectedBy, reason) {
+    const request = getApprovalRequest(id);
+    if (!request) {
+        return false;
+    }
+    if (request.status !== 'pending') {
+        return false;
+    }
+    request.status = 'rejected';
+    request.approvals.push({
+        signer: rejectedBy,
+        auditToken: crypto.createHash('sha256')
+            .update(`${id}:rejected:${Date.now()}:${reason || 'no-reason'}`)
+            .digest('hex'),
+        timestamp: new Date(),
+        comment: `Rejected: ${reason || 'No reason provided'}`,
+    });
+    const filePath = getApprovalFilePath(id);
+    fs.writeFileSync(filePath, stringify(request), 'utf8');
+    return true;
+}
+/**
+ * Get approval request by ID
+ */
+export function getApprovalRequest(id) {
+    try {
+        const filePath = getApprovalFilePath(id);
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        const content = fs.readFileSync(filePath, 'utf8');
+        const parsed = parse(content);
+        parsed.timestamp = new Date(parsed.timestamp);
+        parsed.expiresAt = parsed.expiresAt ? new Date(parsed.expiresAt) : undefined;
+        // Migrate old 'signature' field to 'auditToken' for backward compatibility
+        parsed.approvals = parsed.approvals.map((a) => {
+            const migrated = {
+                signer: a.signer,
+                auditToken: a.auditToken || a.signature || '',
+                timestamp: new Date(a.timestamp),
+                comment: a.comment,
+            };
+            return migrated;
+        });
+        return parsed;
+    }
+    catch (error) {
+        console.error(`Failed to get approval request ${id}:`, error);
+        return null;
+    }
+}
+/**
+ * List approval requests
+ */
+export function listApprovalRequests(agentName, status) {
+    try {
+        ensureApprovalsDir();
+        const files = fs.readdirSync(APPROVALS_DIR);
+        const requests = [];
+        for (const file of files) {
+            if (file.endsWith('.yaml')) {
+                const id = file.replace('.yaml', '');
+                const request = getApprovalRequest(id);
+                if (request) {
+                    if (agentName && request.agentName !== agentName) {
+                        continue;
+                    }
+                    if (status && request.status !== status) {
+                        continue;
+                    }
+                    if (request.expiresAt && new Date() > request.expiresAt && request.status === 'pending') {
+                        request.status = 'expired';
+                    }
+                    requests.push(request);
+                }
+            }
+        }
+        return requests.sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
+    }
+    catch (error) {
+        console.error('Failed to list approval requests:', error);
+        return [];
+    }
+}
+/**
+ * Delete approval request
+ */
+export function deleteApprovalRequest(id) {
+    try {
+        const filePath = getApprovalFilePath(id);
+        if (!fs.existsSync(filePath)) {
+            return false;
+        }
+        fs.unlinkSync(filePath);
+        return true;
+    }
+    catch (error) {
+        console.error(`Failed to delete approval request ${id}:`, error);
+        return false;
+    }
+}
+/**
+ * Check if request is approved
+ */
+export function isApproved(id) {
+    const request = getApprovalRequest(id);
+    if (!request) {
+        return false;
+    }
+    return request.status === 'approved';
+}
+/**
+ * Get approval status summary
+ */
+export function getApprovalSummary(id) {
+    const request = getApprovalRequest(id);
+    if (!request) {
+        return null;
+    }
+    return {
+        total: request.approvals.length,
+        approved: request.requiredApprovals,
+        required: request.requiredApprovals,
+        status: request.status,
+    };
+}
+/**
+ * List pending approvals for a signer
+ */
+export function listPendingApprovals(signer) {
+    try {
+        const requests = listApprovalRequests(undefined, 'pending');
+        return requests.filter((r) => !r.approvals.some((a) => a.signer === signer));
+    }
+    catch (error) {
+        console.error('Failed to list pending approvals:', error);
+        return [];
+    }
+}
+/**
+ * Clean up expired requests
+ */
+export function cleanupExpiredRequests() {
+    let cleaned = 0;
+    try {
+        ensureApprovalsDir();
+        const files = fs.readdirSync(APPROVALS_DIR);
+        const now = new Date();
+        for (const file of files) {
+            if (file.endsWith('.yaml')) {
+                const id = file.replace('.yaml', '');
+                const request = getApprovalRequest(id);
+                if (request &&
+                    request.expiresAt &&
+                    now > request.expiresAt &&
+                    request.status === 'pending') {
+                    request.status = 'expired';
+                    const filePath = getApprovalFilePath(id);
+                    fs.writeFileSync(filePath, stringify(request), 'utf8');
+                    cleaned++;
+                }
+            }
+        }
+    }
+    catch (error) {
+        console.error('Failed to cleanup expired requests:', error);
+    }
+    return cleaned;
+}
+//# sourceMappingURL=multisig.js.map

package/dist/src/security/types.d.ts

@@ -0,0 +1,207 @@
+/**
+ * Types for security operations
+ */
+/**
+ * Encryption algorithm used for agent state
+ */
+export type EncryptionAlgorithm = 'aes-256-gcm' | 'chacha20-poly1305';
+/**
+ * Key derivation method
+ */
+export type KeyDerivationMethod = 'vetkd' | 'pbkdf2' | 'scrypt' | 'shamir-ss';
+/**
+ * Seed phrase (BIP39 mnemonic)
+ */
+export type SeedPhrase = string;
+/**
+ * Encrypted data container
+ */
+export interface EncryptedData {
+    /** Encryption algorithm used */
+    algorithm: EncryptionAlgorithm;
+    /** IV (Initialization Vector) for encryption */
+    iv: string;
+    /** Salt used for key derivation */
+    salt: string;
+    /** Encrypted ciphertext */
+    ciphertext: string;
+    /** Timestamp of encryption */
+    encryptedAt: string;
+}
+/**
+ * Result of encryption operation
+ */
+export interface EncryptionResult {
+    /** Encrypted data */
+    encrypted: EncryptedData;
+    /** Original data size in bytes */
+    originalSize: number;
+    /** Encrypted data size in bytes */
+    encryptedSize: number;
+}
+/**
+ * VetKeys options for threshold key derivation
+ */
+export interface VetKeysOptions {
+    /** Canister ID for VetKeys service (optional, for future use) */
+    vetKeysCanisterId?: string;
+    /** Derivation path for key (optional) */
+    derivationPath?: string;
+    /** Threshold for multi-party computation */
+    threshold?: number;
+    /** Total number of participants (must be >= threshold) */
+    totalParties?: number;
+    /** Encryption algorithm */
+    encryptionAlgorithm?: EncryptionAlgorithm;
+}
+/**
+ * VetKeys derived key container
+ */
+export interface VetKeysDerivedKey {
+    type: 'threshold';
+    /** Derived key as hex string */
+    key: string;
+    /** Key derivation method used */
+    method: KeyDerivationMethod;
+    /** Seed phrase used for derivation */
+    seedPhrase: SeedPhrase;
+    /** Threshold for reconstruction (t out of n) */
+    threshold?: number;
+    /** Total participants */
+    totalParties?: number;
+    /** Encryption algorithm */
+    algorithm?: EncryptionAlgorithm;
+    /**
+     * Secret shares metadata
+     */
+    shares: Array<{
+        /** Share identifier */
+        shareId: string;
+        /** Participant ID (1-based) */
+        participantId: string;
+        /** Encrypted share data */
+        encryptedShare: string;
+        /** Commitment hash */
+        commitment: string;
+    }>;
+    /**
+     * All shares metadata (for participants)
+     */
+    shareMetadata: Array<{
+        /** Share index */
+        index: number;
+        /** Share identifier */
+        shareId: string;
+        /** Participant ID */
+        participantId: string;
+        /** Encrypted share data */
+        encryptedShare: string;
+    }>;
+    /**
+     * Commitment hash from all shares
+     */
+    commitment: string;
+    /**
+     * Verification parameters
+     */
+    verification: {
+        /** Threshold for reconstruction */
+        threshold: number;
+        /** Array of shares with metadata */
+        shares: Array<{
+            shareId: string;
+            participantId: string;
+            encryptedShare: string;
+            commitment: string;
+        }>;
+        /** Algorithm used */
+        algorithm: EncryptionAlgorithm;
+        /** Creation timestamp */
+        createdAt: string;
+    };
+}
+/**
+ * VetKeys client for threshold key derivation
+ */
+export declare class VetKeysClient {
+    private config;
+    constructor(options?: VetKeysOptions);
+    /**
+     * Derive threshold key from seed phrase
+     *
+     * Implements Shamir's Secret Sharing for threshold key derivation.
+     * Generates n secret shares (where threshold = t out of n)
+     * Each share is encrypted and can be used to reconstruct the master key.
+     *
+     * Security Properties:
+     * - Threshold signatures (need t-of-n participants to reconstruct)
+     * Privacy: No single participant learns the secret
+     * Robustness: Can tolerate up to t-1 malicious participants
+     *
+     * @param seedPhrase - BIP39 seed phrase
+     * @param options - Optional derivation options
+     * @returns Derived key with threshold parameters
+     */
+    deriveThresholdKey(seedPhrase: string, options?: VetKeysOptions & {
+        threshold?: number;
+        totalParties?: number;
+        encryptionAlgorithm?: EncryptionAlgorithm;
+    }): Promise<VetKeysDerivedKey>;
+    /**
+     * Generate secret shares using Shamir's Secret Sharing
+     *
+     * @param seedPhrase - Master secret
+     * @param threshold - Number of shares to create (t)
+     * @param totalParties - Total number of participants (n)
+     * @param algorithm - Encryption algorithm to use
+     * @returns Array of encrypted shares
+     */
+    private generateSecretShares;
+    /**
+     * Generate share identifier
+     */
+    private generateShareId;
+    /**
+     * Generate unique secret for a participant
+     *
+     * @param seedPhrase - Master secret
+     * @param participantIndex - Participant index (1-based)
+     */
+    private generateParticipantSecret;
+    /**
+     * Encrypt a secret share
+     *
+     * @param secret - Secret to encrypt
+     * @param algorithm - Encryption algorithm
+     */
+    private encryptShare;
+    /**
+     * Generate commitment from all shares
+     */
+    private generateCommitment;
+    /**
+     * Derive master key from seed phrase (for local use)
+     *
+     * Uses PBKDF2 for key derivation, same as existing implementation.
+     * This is NOT the threshold key, but the master secret that participants share.
+     */
+    private deriveMasterKey;
+    /**
+     * Verify that encrypted data was created by VetKeys
+     *
+     * In a real implementation, this would query the VetKeys canister.
+     * For now, this always returns true.
+     */
+    verifyEncryption(_encrypted: EncryptedData): Promise<boolean>;
+    /**
+     * Get encryption status
+     */
+    getEncryptionStatus(): {
+        thresholdSupported: boolean;
+        totalParticipants: number;
+        currentThreshold: number;
+        encryptionAlgorithm: EncryptionAlgorithm;
+        keyDerivation: string;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/security/types.js

@@ -0,0 +1,217 @@
+/**
+ * Types for security operations
+ */
+/**
+ * VetKeys client for threshold key derivation
+ */
+export class VetKeysClient {
+    config;
+    constructor(options = {}) {
+        this.config = {
+            threshold: options.threshold ?? 2,
+            totalParties: options.totalParties ?? 3,
+            encryptionAlgorithm: options.encryptionAlgorithm ?? 'aes-256-gcm',
+        };
+    }
+    /**
+     * Derive threshold key from seed phrase
+     *
+     * Implements Shamir's Secret Sharing for threshold key derivation.
+     * Generates n secret shares (where threshold = t out of n)
+     * Each share is encrypted and can be used to reconstruct the master key.
+     *
+     * Security Properties:
+     * - Threshold signatures (need t-of-n participants to reconstruct)
+     * Privacy: No single participant learns the secret
+     * Robustness: Can tolerate up to t-1 malicious participants
+     *
+     * @param seedPhrase - BIP39 seed phrase
+     * @param options - Optional derivation options
+     * @returns Derived key with threshold parameters
+     */
+    async deriveThresholdKey(seedPhrase, options = {}) {
+        const threshold = options.threshold ?? this.config.threshold;
+        const totalParties = options.totalParties ?? this.config.totalParties;
+        const algorithm = options.encryptionAlgorithm ?? this.config.encryptionAlgorithm;
+        // Validate threshold
+        if (threshold < 1 || threshold > totalParties) {
+            throw new Error(`Threshold must be between 1 and totalParticipants (${totalParties}). Got: ${threshold}`);
+        }
+        if (threshold > totalParties) {
+            throw new Error(`Threshold cannot exceed total participants (got ${threshold}, max ${totalParties})`);
+        }
+        try {
+            // Derive n secret shares from seed phrase
+            const shares = await this.generateSecretShares(seedPhrase, threshold, totalParties, algorithm);
+            // Generate share metadata
+            const shareMetadata = shares.map((share, index) => ({
+                index: index + 1,
+                shareId: this.generateShareId(),
+                participantId: (index + 1).toString(),
+                encryptedShare: share.encryptedShare,
+                commitment: share.commitment,
+            }));
+            // Generate commitment
+            const commitment = await this.generateCommitment(shares);
+            // Generate verification parameters
+            const verification = {
+                threshold,
+                shares,
+                commitment,
+                algorithm,
+                encryptionAlgorithm: algorithm,
+                createdAt: new Date().toISOString(),
+            };
+            // Derive master key from seed phrase (for local use)
+            const derivedKey = await this.deriveMasterKey(seedPhrase, algorithm);
+            return {
+                type: 'threshold',
+                key: derivedKey.key,
+                method: derivedKey.method,
+                seedPhrase,
+                threshold,
+                totalParties,
+                algorithm,
+                shares,
+                shareMetadata,
+                commitment,
+                verification,
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Unknown error';
+            throw new Error(`Failed to derive threshold key: ${message}`);
+        }
+    }
+    /**
+     * Generate secret shares using Shamir's Secret Sharing
+     *
+     * @param seedPhrase - Master secret
+     * @param threshold - Number of shares to create (t)
+     * @param totalParties - Total number of participants (n)
+     * @param algorithm - Encryption algorithm to use
+     * @returns Array of encrypted shares
+     */
+    async generateSecretShares(seedPhrase, threshold, totalParties, algorithm) {
+        const shares = [];
+        const masterCommitment = await this.generateCommitment(shares);
+        for (let i = 0; i < threshold; i++) {
+            const shareId = this.generateShareId();
+            const participantId = i + 1;
+            // Generate unique secret for this participant
+            const participantSecret = this.generateParticipantSecret(seedPhrase, i, totalParties);
+            // Encrypt share with participant's secret
+            const { encryptedShare, commitment: shareCommitment } = await this.encryptShare(participantSecret, masterCommitment, algorithm);
+            shares.push({
+                shareId,
+                participantId: participantId.toString(),
+                encryptedShare,
+                commitment: shareCommitment,
+            });
+        }
+        return shares;
+    }
+    /**
+     * Generate share identifier
+     */
+    generateShareId() {
+        return `share_${Date.now()}_${Math.random().toString(36).substring(2, 8)}`;
+    }
+    /**
+     * Generate unique secret for a participant
+     *
+     * @param seedPhrase - Master secret
+     * @param participantIndex - Participant index (1-based)
+     */
+    generateParticipantSecret(seedPhrase, participantIndex, _totalParties) {
+        const secretBytes = Buffer.from(seedPhrase, 'utf8');
+        // Create unique secret for this participant by adding participant index
+        const participantSuffix = Buffer.concat([Buffer.from([participantIndex]), secretBytes]);
+        return participantSuffix.toString('hex');
+    }
+    /**
+     * Encrypt a secret share
+     *
+     * @param secret - Secret to encrypt
+     * @param algorithm - Encryption algorithm
+     */
+    async encryptShare(secret, _commitment, algorithm) {
+        const crypto = await import('node:crypto');
+        let secretBuffer;
+        let iv;
+        if (algorithm === 'aes-256-gcm') {
+            secretBuffer = Buffer.from(secret, 'utf-8');
+            iv = Buffer.alloc(12, 0);
+        }
+        else {
+            secretBuffer = Buffer.from(secret, 'utf-8');
+            iv = Buffer.alloc(16, 0);
+        }
+        const algorithmName = algorithm.replace('-', '');
+        const cipher = crypto.createCipheriv(algorithmName, secretBuffer, iv);
+        const encryptedShare = Buffer.concat([
+            cipher.update(secretBuffer),
+            cipher.final(),
+        ]);
+        // Generate commitment hash
+        const commitmentHash = crypto.createHash('sha256')
+            .update(encryptedShare)
+            .digest();
+        return {
+            encryptedShare: encryptedShare.toString('hex'),
+            commitment: commitmentHash.toString('hex'),
+        };
+    }
+    /**
+     * Generate commitment from all shares
+     */
+    async generateCommitment(shares) {
+        const crypto = await import('node:crypto');
+        const hash = crypto.createHash('sha256');
+        // Combine all encrypted shares
+        for (const share of shares) {
+            const shareBuffer = Buffer.from(share.encryptedShare, 'hex');
+            hash.update(shareBuffer);
+        }
+        return hash.digest('hex');
+    }
+    /**
+     * Derive master key from seed phrase (for local use)
+     *
+     * Uses PBKDF2 for key derivation, same as existing implementation.
+     * This is NOT the threshold key, but the master secret that participants share.
+     */
+    async deriveMasterKey(seedPhrase, _algorithm) {
+        const crypto = await import('node:crypto');
+        const bip39 = await import('bip39');
+        const seed = await bip39.mnemonicToSeed(seedPhrase);
+        // Derive key using PBKDF2
+        const key = crypto.pbkdf2Sync(seed, 'agentvault-encryption-key', 100000, 32, 'sha256');
+        return {
+            key: key.toString('hex'),
+            method: 'pbkdf2',
+        };
+    }
+    /**
+     * Verify that encrypted data was created by VetKeys
+     *
+     * In a real implementation, this would query the VetKeys canister.
+     * For now, this always returns true.
+     */
+    async verifyEncryption(_encrypted) {
+        return true;
+    }
+    /**
+     * Get encryption status
+     */
+    getEncryptionStatus() {
+        return {
+            thresholdSupported: true,
+            totalParticipants: this.config.totalParties,
+            currentThreshold: this.config.threshold,
+            encryptionAlgorithm: this.config.encryptionAlgorithm,
+            keyDerivation: 'shamir-ss',
+        };
+    }
+}
+//# sourceMappingURL=types.js.map