connectonion 0.0.3 → 0.0.5

package/README.md

@@ -218,6 +218,26 @@ your-project/
 └── tsconfig.json
 ```
 
+---
+
+## 💬 Join the Community
+
+[![Discord](https://img.shields.io/discord/1234567890?color=7289da&label=Join%20Discord&logo=discord&logoColor=white&style=for-the-badge)](https://discord.gg/4xfD9k8AUF)
+
+Get help, share agents, and discuss with 1000+ builders in our active community.
+
+---
+
+## ⭐ Show Your Support
+
+If ConnectOnion helps you build better agents, **give it a star!** ⭐
+
+It helps others discover the framework and motivates us to keep improving it.
+
+[⭐ Star on GitHub](https://github.com/openonion/connectonion-ts)
+
+---
+
 ## 🤝 Contributing
 
 We love contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

package/dist/address-browser.d.ts

@@ -0,0 +1,94 @@
+/**
+ * @purpose Browser-only Ed25519 key generation and signing using tweetnacl (lightweight alternative to Node.js crypto module)
+ * @llm-note
+ *   Dependencies: imports from [tweetnacl (npm package)] | imported by [oo-chat/components/chat/use-agent-stream.ts, oo-chat/app/api/chat/route.ts (via dist)] | tested by manual browser testing
+ *   Data flow: generateBrowser() → nacl.sign.keyPair() → converts to hex address → returns AddressData | signBrowser(addressData, message) → TextEncoder → nacl.sign.detached() → returns hex signature | saveBrowser(keys) → JSON.stringify → localStorage.setItem | loadBrowser() → localStorage.getItem → JSON.parse → hex to Uint8Array
+ *   State/Effects: reads/writes localStorage key 'connectonion_keys' | uses window.localStorage directly | mutates browser storage | keys persist across browser sessions (until localStorage cleared)
+ *   Integration: exposes generateBrowser(), saveBrowser(keys), loadBrowser(), signBrowser(addressData, message), createSignedPayloadBrowser(addressData, prompt, toAddress), AddressData type | browser-only (checks typeof window) | canonical JSON with sorted keys for consistent signatures
+ *   Performance: tweetnacl Ed25519 (faster than WASM alternatives) | localStorage persistence (synchronous) | hex string encoding/decoding | ~1ms for key generation, <1ms for signing
+ *   Errors: returns early if typeof window === 'undefined' | throws JSON.parse errors on invalid localStorage data | no key validation on signBrowser()
+ *
+ * Architecture:
+ *   - Browser-only alternative to address.ts (which uses Node.js crypto)
+ *   - Uses tweetnacl instead of Node.js crypto module (smaller bundle, browser-native)
+ *   - localStorage for persistence instead of filesystem
+ *   - Canonical JSON for signature consistency (sorted keys prevent signature drift)
+ *
+ * Browser Ed25519 Authentication Flow:
+ *   1. First Visit (no keys):
+ *      loadBrowser() → returns null
+ *      → generateBrowser() creates new keypair
+ *      → saveBrowser() stores to localStorage['connectonion_keys']
+ *
+ *   2. Subsequent Visits:
+ *      loadBrowser() → retrieves from localStorage
+ *      → returns same AddressData (persistent identity)
+ *
+ *   3. Signing Messages:
+ *      createSignedPayloadBrowser(keys, prompt, agentAddress)
+ *      → creates payload: {prompt, to, timestamp}
+ *      → canonicalJSON() sorts keys for consistent message
+ *      → signBrowser() creates Ed25519 signature
+ *      → returns {payload, from: publicKey, signature}
+ *
+ *   4. Agent Verification (remote):
+ *      Agent receives {payload, from, signature}
+ *      → Extracts public key from 'from' address
+ *      → Verifies signature matches canonical payload
+ *      → If valid: process request
+ *      → If invalid: reject (tampered or wrong sender)
+ *
+ * Why Ed25519:
+ *   - Fast: <1ms signing, verification
+ *   - Small: 32-byte public keys, 64-byte signatures
+ *   - Secure: Industry-standard elliptic curve cryptography
+ *   - Deterministic: Same message + key = same signature
+ *
+ * Storage Format (localStorage):
+ *   {
+ *     "address": "0x<64 hex chars>",           // Public key as hex (agent identifier)
+ *     "shortAddress": "0x<6 chars>...<4>",     // Display-friendly shortened version
+ *     "publicKey": "<hex string>",             // 32 bytes as hex
+ *     "privateKey": "<hex string>"             // 64 bytes (seed + pubkey) as hex
+ *   }
+ *
+ * Related Files:
+ *   - src/address.ts: Node.js version (uses crypto module, saves to filesystem)
+ *   - oo-chat/components/chat/use-agent-stream.ts: Uses this for WebSocket auth
+ *   - oo-chat/app/api/chat/route.ts: Server uses address.ts, but imports this via dist for types
+ */
+export interface AddressData {
+    address: string;
+    shortAddress: string;
+    publicKey: Uint8Array;
+    privateKey: Uint8Array;
+}
+/**
+ * Generate Ed25519 key pair for browser.
+ */
+export declare function generateBrowser(): AddressData;
+/**
+ * Save keys to browser localStorage.
+ */
+export declare function saveBrowser(keys: AddressData): void;
+/**
+ * Load keys from browser localStorage.
+ */
+export declare function loadBrowser(): AddressData | null;
+/**
+ * Sign a message using tweetnacl.
+ */
+export declare function signBrowser(addressData: AddressData, message: string): string;
+/**
+ * Create a signed request payload for browser.
+ */
+export declare function createSignedPayloadBrowser(addressData: AddressData, prompt: string, toAddress: string): {
+    payload: {
+        prompt: string;
+        to: string;
+        timestamp: number;
+    };
+    from: string;
+    signature: string;
+};
+//# sourceMappingURL=address-browser.d.ts.map

package/dist/address-browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"address-browser.d.ts","sourceRoot":"","sources":["../src/address-browser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0DG;AAaH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,UAAU,CAAC;IACtB,UAAU,EAAE,UAAU,CAAC;CACxB;AAcD;;GAEG;AACH,wBAAgB,eAAe,IAAI,WAAW,CAY7C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,WAAW,GAAG,IAAI,CAWnD;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,WAAW,GAAG,IAAI,CA6BhD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAK7E;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB;IACD,OAAO,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3D,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB,CAgBA"}

package/dist/address-browser.js

@@ -0,0 +1,159 @@
+"use strict";
+/**
+ * @purpose Browser-only Ed25519 key generation and signing using tweetnacl (lightweight alternative to Node.js crypto module)
+ * @llm-note
+ *   Dependencies: imports from [tweetnacl (npm package)] | imported by [oo-chat/components/chat/use-agent-stream.ts, oo-chat/app/api/chat/route.ts (via dist)] | tested by manual browser testing
+ *   Data flow: generateBrowser() → nacl.sign.keyPair() → converts to hex address → returns AddressData | signBrowser(addressData, message) → TextEncoder → nacl.sign.detached() → returns hex signature | saveBrowser(keys) → JSON.stringify → localStorage.setItem | loadBrowser() → localStorage.getItem → JSON.parse → hex to Uint8Array
+ *   State/Effects: reads/writes localStorage key 'connectonion_keys' | uses window.localStorage directly | mutates browser storage | keys persist across browser sessions (until localStorage cleared)
+ *   Integration: exposes generateBrowser(), saveBrowser(keys), loadBrowser(), signBrowser(addressData, message), createSignedPayloadBrowser(addressData, prompt, toAddress), AddressData type | browser-only (checks typeof window) | canonical JSON with sorted keys for consistent signatures
+ *   Performance: tweetnacl Ed25519 (faster than WASM alternatives) | localStorage persistence (synchronous) | hex string encoding/decoding | ~1ms for key generation, <1ms for signing
+ *   Errors: returns early if typeof window === 'undefined' | throws JSON.parse errors on invalid localStorage data | no key validation on signBrowser()
+ *
+ * Architecture:
+ *   - Browser-only alternative to address.ts (which uses Node.js crypto)
+ *   - Uses tweetnacl instead of Node.js crypto module (smaller bundle, browser-native)
+ *   - localStorage for persistence instead of filesystem
+ *   - Canonical JSON for signature consistency (sorted keys prevent signature drift)
+ *
+ * Browser Ed25519 Authentication Flow:
+ *   1. First Visit (no keys):
+ *      loadBrowser() → returns null
+ *      → generateBrowser() creates new keypair
+ *      → saveBrowser() stores to localStorage['connectonion_keys']
+ *
+ *   2. Subsequent Visits:
+ *      loadBrowser() → retrieves from localStorage
+ *      → returns same AddressData (persistent identity)
+ *
+ *   3. Signing Messages:
+ *      createSignedPayloadBrowser(keys, prompt, agentAddress)
+ *      → creates payload: {prompt, to, timestamp}
+ *      → canonicalJSON() sorts keys for consistent message
+ *      → signBrowser() creates Ed25519 signature
+ *      → returns {payload, from: publicKey, signature}
+ *
+ *   4. Agent Verification (remote):
+ *      Agent receives {payload, from, signature}
+ *      → Extracts public key from 'from' address
+ *      → Verifies signature matches canonical payload
+ *      → If valid: process request
+ *      → If invalid: reject (tampered or wrong sender)
+ *
+ * Why Ed25519:
+ *   - Fast: <1ms signing, verification
+ *   - Small: 32-byte public keys, 64-byte signatures
+ *   - Secure: Industry-standard elliptic curve cryptography
+ *   - Deterministic: Same message + key = same signature
+ *
+ * Storage Format (localStorage):
+ *   {
+ *     "address": "0x<64 hex chars>",           // Public key as hex (agent identifier)
+ *     "shortAddress": "0x<6 chars>...<4>",     // Display-friendly shortened version
+ *     "publicKey": "<hex string>",             // 32 bytes as hex
+ *     "privateKey": "<hex string>"             // 64 bytes (seed + pubkey) as hex
+ *   }
+ *
+ * Related Files:
+ *   - src/address.ts: Node.js version (uses crypto module, saves to filesystem)
+ *   - oo-chat/components/chat/use-agent-stream.ts: Uses this for WebSocket auth
+ *   - oo-chat/app/api/chat/route.ts: Server uses address.ts, but imports this via dist for types
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateBrowser = generateBrowser;
+exports.saveBrowser = saveBrowser;
+exports.loadBrowser = loadBrowser;
+exports.signBrowser = signBrowser;
+exports.createSignedPayloadBrowser = createSignedPayloadBrowser;
+// eslint-disable-next-line @typescript-eslint/no-require-imports
+const nacl = require('tweetnacl');
+/**
+ * Canonical JSON with sorted keys for consistent signatures.
+ */
+function canonicalJSON(obj) {
+    const sortedKeys = Object.keys(obj).sort();
+    const sortedObj = {};
+    for (const key of sortedKeys) {
+        sortedObj[key] = obj[key];
+    }
+    return JSON.stringify(sortedObj);
+}
+/**
+ * Generate Ed25519 key pair for browser.
+ */
+function generateBrowser() {
+    const keyPair = nacl.sign.keyPair();
+    const address = '0x' + Array.from(keyPair.publicKey).map(b => b.toString(16).padStart(2, '0')).join('');
+    const shortAddress = `${address.slice(0, 6)}...${address.slice(-4)}`;
+    return {
+        address,
+        shortAddress,
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.secretKey, // 64 bytes: seed + public key
+    };
+}
+/**
+ * Save keys to browser localStorage.
+ */
+function saveBrowser(keys) {
+    if (typeof window === 'undefined')
+        return;
+    const data = {
+        address: keys.address,
+        shortAddress: keys.shortAddress,
+        publicKey: Array.from(keys.publicKey).map(b => b.toString(16).padStart(2, '0')).join(''),
+        privateKey: Array.from(keys.privateKey).map(b => b.toString(16).padStart(2, '0')).join(''),
+    };
+    window.localStorage.setItem('connectonion_keys', JSON.stringify(data));
+}
+/**
+ * Load keys from browser localStorage.
+ */
+function loadBrowser() {
+    if (typeof window === 'undefined')
+        return null;
+    const stored = window.localStorage.getItem('connectonion_keys');
+    if (!stored) {
+        return null;
+    }
+    try {
+        const data = JSON.parse(stored);
+        // Convert hex strings back to Uint8Array
+        const publicKey = new Uint8Array(data.publicKey.match(/.{2}/g).map(b => parseInt(b, 16)));
+        const privateKey = new Uint8Array(data.privateKey.match(/.{2}/g).map(b => parseInt(b, 16)));
+        return {
+            address: data.address,
+            shortAddress: data.shortAddress,
+            publicKey,
+            privateKey,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Sign a message using tweetnacl.
+ */
+function signBrowser(addressData, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const signature = nacl.sign.detached(msgBytes, addressData.privateKey);
+    return Array.from(signature).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+/**
+ * Create a signed request payload for browser.
+ */
+function createSignedPayloadBrowser(addressData, prompt, toAddress) {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const payload = {
+        prompt,
+        to: toAddress,
+        timestamp,
+    };
+    const canonicalMessage = canonicalJSON(payload);
+    const signature = signBrowser(addressData, canonicalMessage);
+    return {
+        payload,
+        from: addressData.address,
+        signature,
+    };
+}

package/dist/address.d.ts

@@ -0,0 +1,82 @@
+/**
+ * @purpose Agent address/identity management with Ed25519 key generation, signing, and verification (Python address.py parity)
+ * @llm-note
+ *   Dependencies: imports from [crypto, fs, path (Node.js built-ins, conditional)] | imported by [src/connect.ts, src/index.ts, tests/connect.test.ts, tests/address.test.ts, tests/e2e/signedAgent.test.ts] | tested by [tests/address.test.ts]
+ *   Data flow: generate() → creates Ed25519 keypair → exports to raw buffers → returns AddressData{address: 0x..., publicKey, privateKey} | sign(addressData, message) → recreates privateKey from buffer → signs with crypto.sign() → returns hex signature | verify(address, message, signature) → recreates publicKey from address → verifies with crypto.verify() → returns boolean
+ *   State/Effects: reads/writes .co/keys/agent.key (Node.js) | reads/writes localStorage connectonion_keys (browser) | conditional require() for Node.js modules | detects environment via globalThis.window check
+ *   Integration: exposes generate(), load(coDir), save(), sign(addressData, message), verify(address, message, signature), createSignedPayload(addressData, prompt, toAddress), AddressData type | browser variants: generateBrowser(), loadBrowser(), saveBrowser(), signBrowser() | canonical JSON with sorted keys for consistent signatures
+ *   Performance: Ed25519 keypair generation (crypto.generateKeyPairSync) | PKCS#8/SPKI DER encoding for key export | synchronous fs operations | localStorage for browser persistence
+ *   Errors: throws if generate() called in browser (requires Node.js crypto) | throws if sign()/verify() called in browser (use signBrowser/verifyBrowser) | returns null if load() finds no keys | returns false on verify() failure
+ *
+ * Architecture:
+ *   - Node.js: crypto module for Ed25519, fs for .co/keys/agent.key persistence
+ *   - Browser: tweetnacl for Ed25519, localStorage for key persistence
+ *   - Dual exports: regular functions (Node.js) and *Browser functions (browser)
+ *   - Canonical JSON: sorted keys for consistent signature verification
+ */
+export interface AddressData {
+    address: string;
+    shortAddress: string;
+    publicKey: Buffer | Uint8Array;
+    privateKey: Buffer | Uint8Array;
+}
+/**
+ * Generate a new agent address with Ed25519 keys (Node.js only).
+ */
+export declare function generate(): AddressData;
+/**
+ * Load existing agent keys from .co/keys/ directory (Node.js only).
+ */
+export declare function load(coDir?: string): AddressData | null;
+/**
+ * Save keys to browser localStorage.
+ */
+export declare function saveBrowser(keys: AddressData): void;
+/**
+ * Load keys from browser localStorage.
+ */
+export declare function loadBrowser(): AddressData | null;
+/**
+ * Generate keys in browser using tweetnacl Ed25519.
+ */
+export declare function generateBrowser(): AddressData;
+/**
+ * Sign a message in browser using tweetnacl.
+ */
+export declare function signBrowser(addressData: AddressData, message: string): string;
+/**
+ * Create a signed request payload for browser.
+ */
+export declare function createSignedPayloadBrowser(addressData: AddressData, prompt: string, toAddress: string): {
+    payload: {
+        prompt: string;
+        to: string;
+        timestamp: number;
+    };
+    from: string;
+    signature: string;
+};
+/**
+ * Sign a message with the agent's private key (Node.js only).
+ */
+export declare function sign(addressData: AddressData, message: string | Buffer): string;
+/**
+ * Verify a signature using an agent's address (public key).
+ */
+export declare function verify(address: string, message: string | Buffer, signature: string): boolean;
+/**
+ * Create a signed request payload for agent requests.
+ * Always sign when keys are available (works with all trust levels).
+ *
+ * Uses canonical JSON (sorted keys) for consistent signatures.
+ */
+export declare function createSignedPayload(addressData: AddressData, prompt: string, toAddress: string): {
+    payload: {
+        prompt: string;
+        to: string;
+        timestamp: number;
+    };
+    from: string;
+    signature: string;
+};
+//# sourceMappingURL=address.d.ts.map

package/dist/address.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"address.d.ts","sourceRoot":"","sources":["../src/address.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAgBH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,GAAG,UAAU,CAAC;IAC/B,UAAU,EAAE,MAAM,GAAG,UAAU,CAAC;CACjC;AAwCD;;GAEG;AACH,wBAAgB,QAAQ,IAAI,WAAW,CAoBtC;AAED;;GAEG;AACH,wBAAgB,IAAI,CAAC,KAAK,GAAE,MAAc,GAAG,WAAW,GAAG,IAAI,CAuC9D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,WAAW,GAAG,IAAI,CAcnD;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,WAAW,GAAG,IAAI,CA2BhD;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,WAAW,CAgB7C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAQ7E;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB;IACD,OAAO,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3D,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB,CAgBA;AAED;;GAEG;AACH,wBAAgB,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAmB/E;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CA4B5F;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB;IACD,OAAO,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3D,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB,CAiBA"}

package/dist/address.js

@@ -0,0 +1,283 @@
+"use strict";
+/**
+ * @purpose Agent address/identity management with Ed25519 key generation, signing, and verification (Python address.py parity)
+ * @llm-note
+ *   Dependencies: imports from [crypto, fs, path (Node.js built-ins, conditional)] | imported by [src/connect.ts, src/index.ts, tests/connect.test.ts, tests/address.test.ts, tests/e2e/signedAgent.test.ts] | tested by [tests/address.test.ts]
+ *   Data flow: generate() → creates Ed25519 keypair → exports to raw buffers → returns AddressData{address: 0x..., publicKey, privateKey} | sign(addressData, message) → recreates privateKey from buffer → signs with crypto.sign() → returns hex signature | verify(address, message, signature) → recreates publicKey from address → verifies with crypto.verify() → returns boolean
+ *   State/Effects: reads/writes .co/keys/agent.key (Node.js) | reads/writes localStorage connectonion_keys (browser) | conditional require() for Node.js modules | detects environment via globalThis.window check
+ *   Integration: exposes generate(), load(coDir), save(), sign(addressData, message), verify(address, message, signature), createSignedPayload(addressData, prompt, toAddress), AddressData type | browser variants: generateBrowser(), loadBrowser(), saveBrowser(), signBrowser() | canonical JSON with sorted keys for consistent signatures
+ *   Performance: Ed25519 keypair generation (crypto.generateKeyPairSync) | PKCS#8/SPKI DER encoding for key export | synchronous fs operations | localStorage for browser persistence
+ *   Errors: throws if generate() called in browser (requires Node.js crypto) | throws if sign()/verify() called in browser (use signBrowser/verifyBrowser) | returns null if load() finds no keys | returns false on verify() failure
+ *
+ * Architecture:
+ *   - Node.js: crypto module for Ed25519, fs for .co/keys/agent.key persistence
+ *   - Browser: tweetnacl for Ed25519, localStorage for key persistence
+ *   - Dual exports: regular functions (Node.js) and *Browser functions (browser)
+ *   - Canonical JSON: sorted keys for consistent signature verification
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generate = generate;
+exports.load = load;
+exports.saveBrowser = saveBrowser;
+exports.loadBrowser = loadBrowser;
+exports.generateBrowser = generateBrowser;
+exports.signBrowser = signBrowser;
+exports.createSignedPayloadBrowser = createSignedPayloadBrowser;
+exports.sign = sign;
+exports.verify = verify;
+exports.createSignedPayload = createSignedPayload;
+// Use dynamic imports for Node.js modules to support browser builds
+let crypto = null;
+let fs = null;
+let path = null;
+// Try to load Node.js modules (will fail in browser)
+try {
+    crypto = require('crypto');
+    fs = require('fs');
+    path = require('path');
+}
+catch {
+    // Browser environment - crypto/fs not available
+}
+/**
+ * Check if running in browser environment.
+ */
+function isBrowser() {
+    return typeof globalThis !== 'undefined' &&
+        typeof globalThis.window !== 'undefined' &&
+        typeof globalThis.localStorage !== 'undefined';
+}
+/**
+ * Get localStorage safely (browser only).
+ */
+function getLocalStorage() {
+    if (isBrowser()) {
+        return globalThis.localStorage;
+    }
+    return null;
+}
+/**
+ * Canonical JSON with sorted keys for consistent signatures.
+ */
+function canonicalJSON(obj) {
+    const sortedKeys = Object.keys(obj).sort();
+    const sortedObj = {};
+    for (const key of sortedKeys) {
+        sortedObj[key] = obj[key];
+    }
+    return JSON.stringify(sortedObj);
+}
+/**
+ * Generate a new agent address with Ed25519 keys (Node.js only).
+ */
+function generate() {
+    if (!crypto) {
+        throw new Error('generate() requires Node.js environment with crypto module');
+    }
+    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+    // Export keys to raw buffers
+    const publicKeyBuffer = publicKey.export({ type: 'spki', format: 'der' }).slice(-32);
+    const privateKeyBuffer = privateKey.export({ type: 'pkcs8', format: 'der' }).slice(-32);
+    const address = '0x' + publicKeyBuffer.toString('hex');
+    const shortAddress = `${address.slice(0, 6)}...${address.slice(-4)}`;
+    return {
+        address,
+        shortAddress,
+        publicKey: publicKeyBuffer,
+        privateKey: privateKeyBuffer,
+    };
+}
+/**
+ * Load existing agent keys from .co/keys/ directory (Node.js only).
+ */
+function load(coDir = '.co') {
+    if (!crypto || !fs || !path) {
+        return null;
+    }
+    const keyFile = path.join(coDir, 'keys', 'agent.key');
+    if (!fs.existsSync(keyFile)) {
+        return null;
+    }
+    try {
+        const privateKeyBuffer = fs.readFileSync(keyFile);
+        // Recreate key objects from raw bytes
+        const privateKey = crypto.createPrivateKey({
+            key: Buffer.concat([
+                Buffer.from('302e020100300506032b657004220420', 'hex'), // PKCS#8 Ed25519 prefix
+                privateKeyBuffer,
+            ]),
+            format: 'der',
+            type: 'pkcs8',
+        });
+        const publicKey = crypto.createPublicKey(privateKey);
+        const publicKeyBuffer = publicKey.export({ type: 'spki', format: 'der' }).slice(-32);
+        const address = '0x' + publicKeyBuffer.toString('hex');
+        const shortAddress = `${address.slice(0, 6)}...${address.slice(-4)}`;
+        return {
+            address,
+            shortAddress,
+            publicKey: publicKeyBuffer,
+            privateKey: privateKeyBuffer,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Save keys to browser localStorage.
+ */
+function saveBrowser(keys) {
+    const storage = getLocalStorage();
+    if (!storage) {
+        throw new Error('saveBrowser() requires browser environment');
+    }
+    const data = {
+        address: keys.address,
+        shortAddress: keys.shortAddress,
+        publicKey: Buffer.from(keys.publicKey).toString('hex'),
+        privateKey: Buffer.from(keys.privateKey).toString('hex'),
+    };
+    storage.setItem('connectonion_keys', JSON.stringify(data));
+}
+/**
+ * Load keys from browser localStorage.
+ */
+function loadBrowser() {
+    const storage = getLocalStorage();
+    if (!storage) {
+        return null;
+    }
+    const stored = storage.getItem('connectonion_keys');
+    if (!stored) {
+        return null;
+    }
+    try {
+        const data = JSON.parse(stored);
+        return {
+            address: data.address,
+            shortAddress: data.shortAddress,
+            publicKey: Buffer.from(data.publicKey, 'hex'),
+            privateKey: Buffer.from(data.privateKey, 'hex'),
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate keys in browser using tweetnacl Ed25519.
+ */
+function generateBrowser() {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const nacl = require('tweetnacl');
+    // Generate Ed25519 key pair
+    const keyPair = nacl.sign.keyPair();
+    const address = '0x' + Array.from(keyPair.publicKey).map(b => b.toString(16).padStart(2, '0')).join('');
+    const shortAddress = `${address.slice(0, 6)}...${address.slice(-4)}`;
+    return {
+        address,
+        shortAddress,
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.secretKey, // 64 bytes: seed + public key
+    };
+}
+/**
+ * Sign a message in browser using tweetnacl.
+ */
+function signBrowser(addressData, message) {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const nacl = require('tweetnacl');
+    const msgBytes = new TextEncoder().encode(message);
+    const signature = nacl.sign.detached(msgBytes, addressData.privateKey);
+    return Array.from(signature).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+/**
+ * Create a signed request payload for browser.
+ */
+function createSignedPayloadBrowser(addressData, prompt, toAddress) {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const payload = {
+        prompt,
+        to: toAddress,
+        timestamp,
+    };
+    const canonicalMessage = canonicalJSON(payload);
+    const signature = signBrowser(addressData, canonicalMessage);
+    return {
+        payload,
+        from: addressData.address,
+        signature,
+    };
+}
+/**
+ * Sign a message with the agent's private key (Node.js only).
+ */
+function sign(addressData, message) {
+    if (!crypto) {
+        throw new Error('sign() requires Node.js environment with crypto module');
+    }
+    const msgBuffer = typeof message === 'string' ? Buffer.from(message) : message;
+    // Recreate private key object
+    const privateKey = crypto.createPrivateKey({
+        key: Buffer.concat([
+            Buffer.from('302e020100300506032b657004220420', 'hex'),
+            Buffer.from(addressData.privateKey),
+        ]),
+        format: 'der',
+        type: 'pkcs8',
+    });
+    const signature = crypto.sign(null, msgBuffer, privateKey);
+    return signature.toString('hex');
+}
+/**
+ * Verify a signature using an agent's address (public key).
+ */
+function verify(address, message, signature) {
+    if (!crypto) {
+        return false;
+    }
+    try {
+        if (!address.startsWith('0x') || address.length !== 66) {
+            return false;
+        }
+        const publicKeyBuffer = Buffer.from(address.slice(2), 'hex');
+        const msgBuffer = typeof message === 'string' ? Buffer.from(message) : message;
+        const sigBuffer = Buffer.from(signature, 'hex');
+        // Recreate public key object
+        const publicKey = crypto.createPublicKey({
+            key: Buffer.concat([
+                Buffer.from('302a300506032b6570032100', 'hex'), // SPKI Ed25519 prefix
+                publicKeyBuffer,
+            ]),
+            format: 'der',
+            type: 'spki',
+        });
+        return crypto.verify(null, msgBuffer, publicKey, sigBuffer);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Create a signed request payload for agent requests.
+ * Always sign when keys are available (works with all trust levels).
+ *
+ * Uses canonical JSON (sorted keys) for consistent signatures.
+ */
+function createSignedPayload(addressData, prompt, toAddress) {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const payload = {
+        prompt,
+        to: toAddress,
+        timestamp,
+    };
+    // Use canonical JSON with sorted keys for consistent signatures
+    const canonicalMessage = canonicalJSON(payload);
+    const signature = sign(addressData, canonicalMessage);
+    return {
+        payload,
+        from: addressData.address,
+        signature,
+    };
+}