holosphere 2.0.0-alpha21 → 2.0.0-alpha23

package/src/crypto/nostr-utils.js

@@ -9,7 +9,7 @@
  * @module crypto/nostr-utils
  */
 
-import { nip04, nip44, nip19, getPublicKey as nostrGetPublicKey, finalizeEvent, verifyEvent as nostrVerifyEvent } from 'nostr-tools';
+import { nip04, nip44, nip19, getPublicKey as nostrGetPublicKey, finalizeEvent, verifyEvent as nostrVerifyEvent, generateSecretKey } from 'nostr-tools';
 
 // Re-export NDK types for consumers who want to use NDK directly
 export { default as NDK, NDKEvent, NDKPrivateKeySigner, NDKUser, NDKSubscriptionCacheUsage } from '@nostr-dev-kit/ndk';
@@ -113,6 +113,103 @@ export function npubToHex(npub) {
   }
 }
 
+/**
+ * Convert a hex private key to nsec format.
+ * @param {string} hexPrivKey - Hex private key (64 characters)
+ * @returns {string} nsec-encoded private key (nsec1...)
+ */
+export function hexToNsec(hexPrivKey) {
+  try {
+    return nip19.nsecEncode(hexToBytes(hexPrivKey));
+  } catch (e) {
+    console.error('Failed to encode hex to nsec:', e);
+    return hexPrivKey; // Return original on error
+  }
+}
+
+/**
+ * Convert nsec to hex private key.
+ * @param {string} nsec - nsec-encoded private key string
+ * @returns {string|null} 64-character hex private key or null if invalid
+ */
+export function nsecToHex(nsec) {
+  try {
+    const decoded = nip19.decode(nsec);
+    if (decoded.type === 'nsec') {
+      return bytesToHex(decoded.data);
+    }
+    return null;
+  } catch (e) {
+    return null;
+  }
+}
+
+/**
+ * Parse an nsec or hex private key string into hex format.
+ * Handles nostr: URI prefix and validates both nsec and hex formats.
+ * @param {string} input - nsec string (nsec1...) or 64-character hex private key
+ * @returns {Object} Validation result with valid, hexPrivKey (if valid), error (if invalid)
+ */
+export function parseNsecOrHex(input) {
+  const trimmed = input?.trim();
+
+  if (!trimmed) {
+    return { valid: false, error: 'Private key is required' };
+  }
+
+  // Check if it's already hex (64 characters)
+  if (/^[0-9a-fA-F]{64}$/.test(trimmed)) {
+    return { valid: true, hexPrivKey: trimmed.toLowerCase() };
+  }
+
+  // Handle nostr: URI prefix
+  let nsecString = trimmed;
+  if (nsecString.startsWith('nostr:')) {
+    nsecString = nsecString.slice(6);
+  }
+
+  // Try to decode as nsec
+  if (nsecString.startsWith('nsec1')) {
+    try {
+      const decoded = nip19.decode(nsecString);
+      if (decoded.type === 'nsec') {
+        return { valid: true, hexPrivKey: bytesToHex(decoded.data) };
+      }
+      return { valid: false, error: 'Invalid nsec format' };
+    } catch (e) {
+      return { valid: false, error: 'Invalid nsec: unable to decode' };
+    }
+  }
+
+  return { valid: false, error: 'Enter a valid nsec (nsec1...) or 64-character hex private key' };
+}
+
+/**
+ * Check if a string is a valid nsec (starts with nsec1 and decodes correctly).
+ * @param {string} str - String to validate
+ * @returns {boolean} True if valid nsec format
+ */
+export function isValidNsec(str) {
+  if (typeof str !== 'string' || !str.startsWith('nsec1')) {
+    return false;
+  }
+  try {
+    const decoded = nip19.decode(str);
+    return decoded.type === 'nsec';
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Generate a new random private key.
+ * @returns {string} 64-character hex private key
+ */
+export function generatePrivateKey() {
+  const secretKey = generateSecretKey();
+  return bytesToHex(secretKey);
+}
+
 /**
  * Shorten a public key for display (first 8 and last 8 chars).
  * @param {string} pubKey - Public key in hex or npub format

package/src/crypto/secp256k1.js

@@ -1,16 +1,15 @@
 /**
  * @fileoverview Cryptographic Operations using secp256k1.
  *
- * Provides signing, verification, and capability token operations using
- * the secp256k1 elliptic curve (same curve used by Bitcoin and Nostr).
- * Uses lazy loading for the crypto module to improve startup performance.
+ * Provides signing and verification using the secp256k1 elliptic curve
+ * (same curve used by Bitcoin and Nostr).
  *
  * @module crypto/secp256k1
  */
 
 import { sha256 } from '@noble/hashes/sha256';
-import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
-import { secp256k1, schnorr } from '@noble/curves/secp256k1';
+import { bytesToHex } from '@noble/hashes/utils';
+import { schnorr } from '@noble/curves/secp256k1';
 
 /**
  * Check if a string is a 64-char hex public key (x-only schnorr format).
@@ -83,394 +82,6 @@ export async function verify(content, signature, publicKey) {
   }
 }
 
-/**
- * Normalize a capability token to a plain string.
- * Handles: object wrappers ({ token: "..." }), Buffer serialization, comma-separated byte strings.
- * @param {string|Object} token - Token in any supported format
- * @returns {string|null} Normalized token string, or null if invalid
- */
-export function normalizeTokenString(token) {
-  // Handle capability object wrapper { token, scope, permissions }
-  if (token && typeof token === 'object' && token.token) {
-    token = token.token;
-  }
-
-  // Handle Buffer serialization format {"type":"Buffer","data":[...]}
-  if (token && typeof token === 'object' && token.type === 'Buffer' && Array.isArray(token.data)) {
-    try {
-      token = String.fromCharCode.apply(null, token.data);
-    } catch (e) {
-      return null;
-    }
-  }
-
-  // Handle comma-separated byte string (e.g., "123,34,116,...")
-  if (typeof token === 'string' && /^\d+(,\d+)+$/.test(token.substring(0, 50))) {
-    try {
-      const bytes = token.split(',').map(Number);
-      token = String.fromCharCode.apply(null, bytes);
-    } catch (e) {
-      return null;
-    }
-  }
-
-  if (typeof token === 'string') {
-    return token;
-  }
-
-  return null;
-}
-
-/**
- * Parse a capability token string into its components.
- * Handles base64-encoded, signed (payload.signature), and raw JSON formats.
- * @private
- * @param {string} token - Normalized token string
- * @returns {{ tokenObj: Object, payload: string, signature: string|null }|null} Parsed token or null
- */
-function _parseToken(token) {
-  try {
-    if (typeof token !== 'string') return null;
-
-    let payload;
-    let signature = null;
-    let tokenObj;
-
-    if (token.startsWith('ey') || (!token.includes('.') && !token.startsWith('{'))) {
-      // Base64 encoded (with or without signature)
-      if (token.includes('.')) {
-        const parts = token.split('.');
-        signature = parts[1];
-        const decoded = typeof atob === 'function'
-          ? atob(parts[0])
-          : Buffer.from(parts[0], 'base64').toString('utf8');
-        payload = decoded;
-      } else {
-        const decoded = typeof atob === 'function'
-          ? atob(token)
-          : Buffer.from(token, 'base64').toString('utf8');
-        payload = decoded;
-      }
-      tokenObj = JSON.parse(payload);
-    } else if (token.startsWith('{')) {
-      payload = token;
-      tokenObj = JSON.parse(token);
-    } else {
-      return null;
-    }
-
-    return { tokenObj, payload, signature };
-  } catch (e) {
-    return null;
-  }
-}
-
-/**
- * Hash a capability token using SHA-256.
- * @param {string} token - Capability token string
- * @returns {string} Hex-encoded SHA-256 hash
- */
-export function hashToken(token) {
-  const encoder = new TextEncoder();
-  return bytesToHex(sha256(encoder.encode(token)));
-}
-
-/**
- * Match token scope against requested scope with wildcard support
- * Supports:
- * - Exact match: { holonId: "abc", lensName: "quests" }
- * - Item-level: { holonId: "abc", lensName: "quests", dataId: "quest-001" }
- * - Wildcards: { holonId: "*", lensName: "*" } matches everything
- * @param {Object} tokenScope - Scope from capability token
- * @param {Object} requestedScope - Scope being requested
- * @returns {boolean} True if token scope covers requested scope
- */
-export function matchScope(tokenScope, requestedScope) {
-  // Handle string scopes (legacy support)
-  if (typeof tokenScope === 'string' || typeof requestedScope === 'string') {
-    const tokenStr = typeof tokenScope === 'string' ? tokenScope : JSON.stringify(tokenScope);
-    const reqStr = typeof requestedScope === 'string' ? requestedScope : JSON.stringify(requestedScope);
-    return tokenStr === reqStr;
-  }
-
-  // Handle holonId
-  if (tokenScope.holonId !== '*' && tokenScope.holonId !== requestedScope.holonId) {
-    return false;
-  }
-
-  // Handle lensName
-  if (tokenScope.lensName !== '*' && tokenScope.lensName !== requestedScope.lensName) {
-    return false;
-  }
-
-  // Handle optional dataId (item-level scope)
-  // If token has specific dataId (not wildcard), it must match requested dataId
-  if (tokenScope.dataId && tokenScope.dataId !== '*') {
-    if (requestedScope.dataId && tokenScope.dataId !== requestedScope.dataId) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
-/**
- * Issue capability token - UNIFIED MODEL
- *
- * Supports both self-capabilities (issuer === recipient) and cross-capabilities.
- * Self-capabilities are used for same-author federation, providing consistent
- * security model across all federation types.
- *
- * @param {string[]} permissions - Permissions array (e.g., ['read', 'write', 'delete'])
- * @param {Object|string} scope - Scope (holon/lens path or object). Supports wildcards: { holonId: "*", lensName: "*" }
- * @param {string} recipient - Recipient public key (can be same as issuer for self-capability)
- * @param {Object} options - Options
- * @param {number} options.expiresIn - Expiration in milliseconds (default: 1 hour, longer for self-caps)
- * @param {string} options.issuer - Issuer ID/public key
- * @param {string} options.issuerKey - Issuer private key for signing
- * @param {boolean} options.isSelfCapability - If true, marks as self-capability (auto-detected if issuer === recipient)
- * @returns {Promise<string>} Capability token (base64-encoded JWT-like)
- */
-export async function issueCapability(permissions, scope, recipient, options = {}) {
-  const { expiresIn = 3600000, issuer = 'holosphere', issuerKey, isSelfCapability } = options;
-
-  // Validate permissions
-  if (!Array.isArray(permissions) || permissions.length === 0) {
-    throw new Error('Permissions array cannot be empty');
-  }
-
-  // Validate scope - now supports wildcards
-  if (typeof scope === 'object') {
-    // holonId is required (can be '*' for wildcard)
-    if (scope.holonId === undefined || scope.holonId === '') {
-      throw new Error('Invalid scope: holonId is required (use "*" for wildcard)');
-    }
-    // lensName is required (can be '*' for wildcard)
-    if (scope.lensName === undefined || scope.lensName === '') {
-      throw new Error('Invalid scope: lensName is required (use "*" for wildcard)');
-    }
-    // dataId is optional (can be specific value, '*', or omitted)
-  } else if (typeof scope === 'string' && scope === '') {
-    throw new Error('Invalid scope: cannot be empty string');
-  }
-
-  // Validate issuerKey if provided
-  if (issuerKey && (typeof issuerKey !== 'string' || issuerKey.length < 32)) {
-    throw new Error('Invalid issuer key');
-  }
-
-  // Detect self-capability (issuer === recipient)
-  const selfCap = isSelfCapability !== undefined ? isSelfCapability : (issuer === recipient);
-
-  const token = {
-    type: 'capability',
-    permissions,
-    scope,
-    recipient,
-    issuer,
-    isSelfCapability: selfCap,  // Mark self-capabilities for clarity
-    nonce: generateNonce(),
-    issued: Date.now(),
-    expires: expiresIn != null ? Date.now() + expiresIn : null,
-  };
-
-  // Encode token as base64
-  // Use browser-native btoa when available to avoid Buffer serialization issues
-  // (Buffer can serialize to {"type":"Buffer","data":[...]} in JSON)
-  const payload = JSON.stringify(token);
-  const encoded = typeof btoa === 'function'
-    ? btoa(payload)
-    : Buffer.from(payload).toString('base64');
-
-  // If issuerKey provided, sign the token
-  if (issuerKey) {
-    const signature = await sign(payload, issuerKey);
-    return `${encoded}.${signature}`;
-  }
-
-  return encoded;
-}
-
-/**
- * Issue a self-capability token - UNIFIED MODEL
- *
- * Convenience method for creating self-capabilities (same author federation).
- * Self-capabilities have longer expiration by default (1 year).
- *
- * @param {string[]} permissions - Permissions array
- * @param {Object} scope - Scope object { holonId, lensName, dataId? }
- * @param {string} authorPubKey - Author's public key (both issuer and recipient)
- * @param {Object} options - Options
- * @param {string} options.privateKey - Author's private key for signing
- * @param {number} [options.expiresIn=31536000000] - Expiration in ms (default: 1 year)
- * @returns {Promise<string>} Self-capability token
- */
-export async function issueSelfCapability(permissions, scope, authorPubKey, options = {}) {
-  const { privateKey, expiresIn = 365 * 24 * 60 * 60 * 1000 } = options; // 1 year default
-
-  return issueCapability(permissions, scope, authorPubKey, {
-    expiresIn,
-    issuer: authorPubKey,
-    issuerKey: privateKey,
-    isSelfCapability: true,
-  });
-}
-
-/**
- * Verify capability token
- * @param {string|Object} token - Capability token (string or object)
- * @param {string} requiredPermission - Required permission
- * @param {Object|string} scope - Scope to check (supports wildcards in token scope)
- * @returns {Promise<boolean>} True if valid
- */
-export async function verifyCapability(token, requiredPermission, scope) {
-  try {
-    const normalized = normalizeTokenString(token);
-    if (!normalized) {
-      console.log('[verifyCapability] ❌ Failed to normalize token');
-      return false;
-    }
-
-    let tokenObj;
-
-    // If it's a string, parse it
-    if (typeof normalized === 'string') {
-      const parsed = _parseToken(normalized);
-      if (!parsed) {
-        console.log('[verifyCapability] ❌ Failed to parse token');
-        return false;
-      }
-      tokenObj = parsed.tokenObj;
-    } else if (normalized && typeof normalized === 'object') {
-      tokenObj = normalized;
-    } else {
-      console.log('[verifyCapability] ❌ Invalid token:', typeof normalized);
-      return false;
-    }
-
-    if (!tokenObj || tokenObj.type !== 'capability') {
-      console.log('[verifyCapability] ❌ Invalid token type:', { type: tokenObj?.type, tokenObj });
-      return false;
-    }
-
-    // Check expiration (null/undefined expires = no expiration)
-    if (tokenObj.expires != null && Date.now() > tokenObj.expires) {
-      console.log('[verifyCapability] ❌ Token expired:', {
-        expires: tokenObj.expires,
-        now: Date.now(),
-        expiredAgo: `${(Date.now() - tokenObj.expires) / 1000}s ago`
-      });
-      return false;
-    }
-
-    // Check scope using matchScope (supports wildcards)
-    if (!matchScope(tokenObj.scope, scope)) {
-      console.log('[verifyCapability] ❌ Scope mismatch:', {
-        tokenScope: tokenObj.scope,
-        requestedScope: scope
-      });
-      return false;
-    }
-
-    // Check permission
-    if (!tokenObj.permissions.includes(requiredPermission)) {
-      console.log('[verifyCapability] ❌ Permission denied:', {
-        required: requiredPermission,
-        has: tokenObj.permissions
-      });
-      return false;
-    }
-
-    console.log('[verifyCapability] ✅ Capability valid');
-    return true;
-  } catch (error) {
-    console.log('[verifyCapability] ❌ Error:', error.message);
-    return false;
-  }
-}
-
-/**
- * Verify that a capability token was issued by the expected author.
- * This is the core security check for the object-capability model.
- * A hologram should only be resolvable if the capability issuer matches
- * the claimed data author AND the signature was made by that author's key.
- *
- * @param {string} token - Capability token
- * @param {string} expectedIssuer - Expected issuer public key (data author)
- * @returns {Promise<boolean>} True if issuer matches expected AND signature is valid
- */
-export async function verifyCapabilityIssuer(token, expectedIssuer) {
-  try {
-    const normalized = normalizeTokenString(token);
-    if (!normalized) {
-      console.log('[verifyCapabilityIssuer] ❌ Failed to normalize token');
-      return false;
-    }
-
-    const parsed = _parseToken(normalized);
-    if (!parsed) {
-      console.log('[verifyCapabilityIssuer] ❌ Failed to parse token');
-      return false;
-    }
-
-    const { tokenObj, payload, signature } = parsed;
-
-    // Verify issuer field matches expected
-    if (tokenObj.issuer !== expectedIssuer) {
-      console.log('[verifyCapabilityIssuer] ❌ Issuer mismatch:', {
-        tokenIssuer: tokenObj.issuer?.slice(0, 12) + '...',
-        expectedIssuer: expectedIssuer?.slice(0, 12) + '...',
-      });
-      return false;
-    }
-
-    // CRITICAL: Verify signature was made by the claimed issuer's private key
-    // This prevents forged capabilities where someone claims a different issuer
-    if (signature) {
-      const signatureValid = await verify(payload, signature, expectedIssuer);
-      if (!signatureValid) {
-        console.log('[verifyCapabilityIssuer] ❌ Signature verification failed - capability not signed by claimed issuer');
-        return false;
-      }
-    } else {
-      // No signature - cannot cryptographically verify issuer identity
-      console.log('[verifyCapabilityIssuer] ❌ Token has no signature - cannot verify issuer');
-      return false;
-    }
-
-    console.log('[verifyCapabilityIssuer] ✅ Issuer verified');
-    return true;
-  } catch (error) {
-    console.log('[verifyCapabilityIssuer] ❌ Error:', error.message);
-    return false;
-  }
-}
-
-/**
- * Decode a capability token to extract its payload.
- * Useful for inspecting capability contents without full verification.
- *
- * @param {string} token - Capability token
- * @returns {Object|null} Decoded token payload or null if invalid
- */
-export function decodeCapability(token) {
-  const normalized = normalizeTokenString(token);
-  if (!normalized) return null;
-
-  const parsed = _parseToken(normalized);
-  return parsed ? parsed.tokenObj : null;
-}
-
-/**
- * Generate unique nonce
- * @private
- */
-function generateNonce() {
-  return (
-    Date.now().toString(36) + Math.random().toString(36).substring(2, 15)
-  );
-}
-
 /**
  * Hash content using SHA-256
  * @private