livybolt 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 cozzyland
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,54 @@
1
+ # livybolt (`livybolt`)
2
+
3
+ Accountless, self-custody, **end-to-end-encrypted** surveys over Lightning.
4
+
5
+ `livybolt` is the command-line client for [Livybolt](https://livybolt.com). You pay
6
+ one Lightning invoice to create a survey, respondents answer for free, and every
7
+ response is encrypted to a key only you hold. There are no accounts, and the server
8
+ can never read your data.
9
+
10
+ ## Install
11
+
12
+ ```bash
13
+ npm i -g livybolt # installs the `livybolt` command
14
+ livybolt --help
15
+ ```
16
+
17
+ Requires **Node.js ≥ 20**.
18
+
19
+ ## Quick start
20
+
21
+ ```bash
22
+ livybolt id new --password "<a strong passphrase>" # self-custody key, shown once
23
+ livybolt create survey.json # → Lightning invoice + handle
24
+ # ...pay the invoice with any wallet...
25
+ livybolt create --resume <handle> --preimage <hex> # → public URL, sealed to your vault
26
+ livybolt balance --survey <id> # prepaid-pool accounting
27
+ livybolt vault read --survey <id> # pull + decrypt responses locally
28
+ livybolt unlock --survey <id> --count <n> # pay to read overage responses
29
+ ```
30
+
31
+ A minimal `survey.json`:
32
+
33
+ ```json
34
+ {
35
+ "title": "Launch feedback",
36
+ "expected_responses": 100,
37
+ "per_response_sats": 50,
38
+ "questions": [
39
+ { "id": "q1", "text": "How did you hear about us?", "type": "short_text" },
40
+ { "id": "q2", "text": "How likely are you to recommend us?", "type": "rating" }
41
+ ]
42
+ }
43
+ ```
44
+
45
+ ## Self-custody
46
+
47
+ Your keys live only in `~/.livybolt/`. They are never sent to the server, which
48
+ stores ciphertext and public keys only. **Back up the seed words** printed by
49
+ `livybolt id new` — there is no recovery.
50
+
51
+ ## Docs
52
+
53
+ - CLI reference: https://livybolt.com/docs/cli
54
+ - HTTP API reference: https://livybolt.com/docs/api
package/package.json ADDED
@@ -0,0 +1,43 @@
1
+ {
2
+ "name": "livybolt",
3
+ "version": "0.1.0",
4
+ "description": "livybolt — accountless, self-custody, end-to-end-encrypted surveys over Lightning. CLI client for Livybolt (Nostr edition).",
5
+ "type": "module",
6
+ "bin": {
7
+ "livybolt": "scripts/livybolt.mjs"
8
+ },
9
+ "engines": {
10
+ "node": ">=20.0.0"
11
+ },
12
+ "files": [
13
+ "scripts",
14
+ "src",
15
+ "README.md"
16
+ ],
17
+ "dependencies": {
18
+ "nostr-tools": "^2.23.5"
19
+ },
20
+ "scripts": {
21
+ "prepack": "node prepack.mjs"
22
+ },
23
+ "keywords": [
24
+ "survey",
25
+ "lightning",
26
+ "bitcoin",
27
+ "nostr",
28
+ "l402",
29
+ "end-to-end-encryption",
30
+ "self-custody",
31
+ "cli"
32
+ ],
33
+ "license": "MIT",
34
+ "homepage": "https://livybolt.com",
35
+ "repository": {
36
+ "type": "git",
37
+ "url": "git+https://github.com/cozzyland/lightsurvey-nostr-edition.git",
38
+ "directory": "cli"
39
+ },
40
+ "bugs": {
41
+ "url": "https://github.com/cozzyland/lightsurvey-nostr-edition/issues"
42
+ }
43
+ }
@@ -0,0 +1,43 @@
1
+ // Local at-rest store for the Agent Identity Key (node-only: fs/os/perms).
2
+ //
3
+ // Kept OUT of src/lib/crypto/agent-identity.ts on purpose — that module is
4
+ // isomorphic (browser + node), this one touches the filesystem. The store holds
5
+ // only public fields in the clear; the secret is the SEED — a NIP-49 `ncryptsec`
6
+ // of the BIP-39 entropy (encrypted default, `secretKind: seed-entropy-nip49`) or,
7
+ // with --plaintext, the bare seed words (`secretKind: seed-plaintext`, the one
8
+ // path where the secret rests in cleartext). Storing the seed (not the account-0
9
+ // privkey) is what lets per-survey keys derive from it. Default location:
10
+ // ~/.livybolt/identity.json (override with LIVYBOLT_IDENTITY_HOME).
11
+ // Dir 0700, file 0600.
12
+
13
+ import { homedir } from 'node:os'
14
+ import { join } from 'node:path'
15
+ import { mkdirSync, writeFileSync, readFileSync, existsSync, chmodSync } from 'node:fs'
16
+
17
+ // v2: seed-bearing store (v1 stored the account-0 privkey, which could not derive
18
+ // per-survey keys). Greenfield — no v1 stores exist to migrate.
19
+ export const STORE_VERSION = 2
20
+
21
+ export function storeHome() {
22
+ return process.env.LIVYBOLT_IDENTITY_HOME ?? join(homedir(), '.livybolt')
23
+ }
24
+
25
+ export function storePath() {
26
+ return join(storeHome(), 'identity.json')
27
+ }
28
+
29
+ export function readStore() {
30
+ const path = storePath()
31
+ if (!existsSync(path)) return null
32
+ return JSON.parse(readFileSync(path, 'utf8'))
33
+ }
34
+
35
+ export function writeStore(record) {
36
+ const home = storeHome()
37
+ mkdirSync(home, { recursive: true, mode: 0o700 })
38
+ const path = storePath()
39
+ writeFileSync(path, JSON.stringify(record, null, 2) + '\n', { mode: 0o600 })
40
+ // writeFileSync only applies mode on create — force it on overwrite too.
41
+ chmodSync(path, 0o600)
42
+ return path
43
+ }
@@ -0,0 +1,230 @@
1
+ // Provision and manage an Agent Identity Key — entirely client-side.
2
+ //
3
+ // This is the executable TWIN of the canonical inline recipe (see
4
+ // docs/reference/agent-identity.md). A code-capable agent can run this script if
5
+ // it has the repo, or paste the equivalent ~15-line recipe; either way the
6
+ // secret is generated and held locally and NEVER sent to the server.
7
+ //
8
+ // It imports the REAL isomorphic identity lib (src/lib/crypto/agent-identity.ts)
9
+ // so the CLI and any inline reimplementation produce byte-identical keys.
10
+ //
11
+ // Commands:
12
+ // new Generate a fresh identity. Prints npub + seed words ONCE, seals it
13
+ // to the local store (encrypted by default), prints the ncryptsec backup.
14
+ // show Print the stored npub/pubkey (never the secret).
15
+ // export Print the ncryptsec backup blob (for off-machine backup).
16
+ // restore Rebuild the store from --seed "<words>" or --ncryptsec <blob>.
17
+ // unlock Verify the store opens (password if encrypted); prints npub.
18
+ //
19
+ // Flags:
20
+ // --plaintext Store the bare seed words at 0600 instead of an ncryptsec
21
+ // (zero-friction for headless agents; secret rests in cleartext).
22
+ // --password <pw> Password for the ncryptsec. Else LIVYBOLT_IDENTITY_PASSWORD,
23
+ // else an interactive (hidden) prompt.
24
+ // --seed "<words>" BIP-39 mnemonic (restore).
25
+ // --ncryptsec <blob> ncryptsec1… backup blob (restore).
26
+ //
27
+ // Store location: ~/.livybolt/identity.json (override LIVYBOLT_IDENTITY_HOME).
28
+ //
29
+ // Usage:
30
+ // node scripts/agent-identity.mjs new --password "hunter2"
31
+ // node scripts/agent-identity.mjs new --plaintext
32
+ // node scripts/agent-identity.mjs show
33
+ // node scripts/agent-identity.mjs export > backup.ncryptsec
34
+ // node scripts/agent-identity.mjs restore --seed "word1 word2 …" --password "hunter2"
35
+
36
+ import {
37
+ generateAgentIdentity,
38
+ agentIdentityFromSeedWords,
39
+ AgentIdentityError,
40
+ } from '../src/lib/crypto/agent-identity.js'
41
+ import { sealSeed, unlockSeed, SeedStoreError } from '../src/lib/crypto/seed-store.js'
42
+ import { readStore, writeStore, storePath, STORE_VERSION } from './agent-identity-store.mjs'
43
+ import { resolveIdentityPassword } from './cli-prompt.mjs'
44
+
45
+ function fail(msg) {
46
+ console.error(`error: ${msg}`)
47
+ process.exit(1)
48
+ }
49
+
50
+ // --- flag parsing (no framework) ---------------------------------------------
51
+ function parseFlags(argv) {
52
+ const flags = {}
53
+ for (let i = 0; i < argv.length; i++) {
54
+ const a = argv[i]
55
+ if (a === '--plaintext') flags.plaintext = true
56
+ else if (a === '--password') flags.password = argv[++i]
57
+ else if (a === '--seed') flags.seed = argv[++i]
58
+ else if (a === '--ncryptsec') flags.ncryptsec = argv[++i]
59
+ else fail(`unknown argument: ${a}`)
60
+ }
61
+ return flags
62
+ }
63
+
64
+ async function resolvePassword(flags, purpose) {
65
+ const pw = await resolveIdentityPassword(flags, fail, purpose)
66
+ if (!pw) fail('empty password')
67
+ return pw
68
+ }
69
+
70
+ // --- store sealing + self-check ----------------------------------------------
71
+ // The persisted secret is the SEED, so per-survey keys can derive from it. We
72
+ // store the seed words (plaintext mode) or a NIP-49 ncryptsec of the BIP-39
73
+ // entropy (encrypted default). `secretKind` tags the payload so the seed entropy
74
+ // is never misread as an nsec.
75
+ function sealRecord(id, { plaintext, password }) {
76
+ if (!id.seedWords) {
77
+ fail('cannot store a seed-bearing identity without seed words (use restore --seed or --ncryptsec)')
78
+ }
79
+ const base = {
80
+ v: STORE_VERSION,
81
+ npub: id.npub,
82
+ pubkey: id.pubkeyHex,
83
+ createdAt: new Date().toISOString(),
84
+ }
85
+ if (plaintext) return { ...base, secretKind: 'seed-plaintext', seedWords: id.seedWords }
86
+ return { ...base, secretKind: 'seed-entropy-nip49', ncryptsec: sealSeed(id.seedWords, password) }
87
+ }
88
+
89
+ // Recover the seed mnemonic from a stored record (plaintext words, or the
90
+ // NIP-49 ncryptsec-of-entropy under the given password). Fails loud on a missing
91
+ // or unrecognized secretKind (e.g. an old pre-v2 store) rather than silently
92
+ // misreading the secret.
93
+ function seedFromRecord(record, password) {
94
+ if (record.secretKind === 'seed-plaintext') {
95
+ if (!record.seedWords) fail('corrupt store: seed-plaintext record is missing seedWords')
96
+ return record.seedWords
97
+ }
98
+ if (record.secretKind === 'seed-entropy-nip49') {
99
+ return unlockSeed(record.ncryptsec, password)
100
+ }
101
+ fail(
102
+ `unrecognized identity store (secretKind=${record.secretKind ?? 'none'}) — ` +
103
+ 'likely an old (pre-v2) store; re-provision with `livybolt id new`'
104
+ )
105
+ }
106
+
107
+ // Re-open what we just wrote and confirm the re-derived npub matches — catches a
108
+ // mis-seal before the key is ever trusted. This is the agent's correctness oracle.
109
+ function selfCheck(record, password) {
110
+ const reopened = agentIdentityFromSeedWords(seedFromRecord(record, password))
111
+ if (reopened.npub !== record.npub) {
112
+ fail('self-check FAILED: re-derived npub does not match the stored npub')
113
+ }
114
+ }
115
+
116
+ // --- commands ----------------------------------------------------------------
117
+ async function cmdNew(flags) {
118
+ if (readStore()) {
119
+ fail(`an identity already exists at ${storePath()} — refusing to overwrite. Move it aside first.`)
120
+ }
121
+ const id = generateAgentIdentity()
122
+ const password = flags.plaintext ? null : await resolvePassword(flags, 'encrypt the new identity')
123
+ const record = sealRecord(id, { plaintext: flags.plaintext, password })
124
+ writeStore(record)
125
+ selfCheck(record, password)
126
+
127
+ console.error('')
128
+ console.error(' ⚠ BACK UP THESE SEED WORDS NOW — shown once, never sent to the server.')
129
+ console.error(' They are the canonical recovery for this identity.')
130
+ console.error(` Stored ${flags.plaintext ? 'in CLEARTEXT (--plaintext)' : 'encrypted'} at ${storePath()} (0600).`)
131
+ console.error('')
132
+
133
+ console.log(`npub=${id.npub}`)
134
+ console.log(`pubkey=${id.pubkeyHex}`)
135
+ console.log(`seed_words=${id.seedWords}`)
136
+ if (record.ncryptsec) console.log(`ncryptsec=${record.ncryptsec}`)
137
+ }
138
+
139
+ function cmdShow() {
140
+ const rec = readStore()
141
+ if (!rec) fail(`no identity at ${storePath()}. Run: node scripts/agent-identity.mjs new`)
142
+ console.log(`npub=${rec.npub}`)
143
+ console.log(`pubkey=${rec.pubkey}`)
144
+ console.log(`mode=${rec.secretKind === 'seed-plaintext' ? 'plaintext' : 'encrypted'}`)
145
+ console.log(`created=${rec.createdAt}`)
146
+ }
147
+
148
+ async function cmdExport(flags) {
149
+ const rec = readStore()
150
+ if (!rec) fail(`no identity at ${storePath()}. Run: node scripts/agent-identity.mjs new`)
151
+ // The exported blob is a NIP-49 ncryptsec of the seed entropy — restore it with
152
+ // `restore --ncryptsec`. It is NOT a portable nsec; the seed words are the
153
+ // canonical cross-tool backup.
154
+ if (rec.secretKind === 'seed-entropy-nip49') {
155
+ console.log(rec.ncryptsec)
156
+ return
157
+ }
158
+ // Plaintext store: derive an encrypted seed backup on demand.
159
+ const password = await resolvePassword(flags, 'encrypt the backup')
160
+ console.log(sealSeed(rec.seedWords, password))
161
+ }
162
+
163
+ async function cmdRestore(flags) {
164
+ if (readStore()) {
165
+ fail(`an identity already exists at ${storePath()} — refusing to overwrite. Move it aside first.`)
166
+ }
167
+ let id
168
+ if (flags.seed) {
169
+ id = agentIdentityFromSeedWords(flags.seed)
170
+ } else if (flags.ncryptsec) {
171
+ const password = await resolvePassword(flags, 'open the ncryptsec')
172
+ // The blob is a seed-entropy ncryptsec (see cmdExport); recover the seed words.
173
+ id = agentIdentityFromSeedWords(unlockSeed(flags.ncryptsec, password))
174
+ } else {
175
+ fail('restore needs --seed "<words>" or --ncryptsec <blob>')
176
+ }
177
+ const password = flags.plaintext ? null : await resolvePassword(flags, 'encrypt the restored identity')
178
+ const record = sealRecord(id, { plaintext: flags.plaintext, password })
179
+ writeStore(record)
180
+ selfCheck(record, password)
181
+ console.log(`npub=${id.npub}`)
182
+ }
183
+
184
+ async function cmdUnlock(flags) {
185
+ const rec = readStore()
186
+ if (!rec) fail(`no identity at ${storePath()}. Run: node scripts/agent-identity.mjs new`)
187
+ const password =
188
+ rec.secretKind === 'seed-plaintext'
189
+ ? undefined
190
+ : await resolvePassword(flags, 'unlock the identity')
191
+ const id = agentIdentityFromSeedWords(seedFromRecord(rec, password))
192
+ if (id.npub !== rec.npub) fail('unlock FAILED: re-derived npub does not match the stored npub')
193
+ console.error('unlocked OK')
194
+ console.log(`npub=${id.npub}`)
195
+ }
196
+
197
+ // --- main --------------------------------------------------------------------
198
+ const [command, ...rest] = process.argv.slice(2)
199
+ const flags = parseFlags(rest)
200
+
201
+ try {
202
+ switch (command) {
203
+ case 'new':
204
+ await cmdNew(flags)
205
+ break
206
+ case 'show':
207
+ cmdShow()
208
+ break
209
+ case 'export':
210
+ await cmdExport(flags)
211
+ break
212
+ case 'restore':
213
+ await cmdRestore(flags)
214
+ break
215
+ case 'unlock':
216
+ await cmdUnlock(flags)
217
+ break
218
+ default:
219
+ fail(
220
+ `unknown command: ${command ?? '(none)'}\n` +
221
+ ' commands: new | show | export | restore | unlock\n' +
222
+ ' e.g. node scripts/agent-identity.mjs new --password "hunter2"'
223
+ )
224
+ }
225
+ } catch (err) {
226
+ if (err instanceof AgentIdentityError || err instanceof SeedStoreError) {
227
+ fail(`${err.code}: ${err.message}`)
228
+ }
229
+ throw err
230
+ }
@@ -0,0 +1,68 @@
1
+ // `livybolt balance --survey <id>` — show a survey's prepaid-pool accounting:
2
+ // how many of the prepaid responses are consumed / remaining, and how many
3
+ // overage responses are locked awaiting unlock.
4
+ //
5
+ // NIP-98 gated: opens the local vault to derive the survey key, signs the
6
+ // request, then GETs the balance. No payment.
7
+
8
+ import { fetchBalance, DEFAULT_HOST } from './livybolt-api.mjs'
9
+ import { openVaultEntry } from './vault-open.mjs'
10
+ import { signNip98Token } from '../src/lib/nip98.js'
11
+
12
+ function fail(msg) {
13
+ console.error(`error: ${msg}`)
14
+ process.exit(1)
15
+ }
16
+
17
+ function parseFlags(argv) {
18
+ const flags = {}
19
+ for (let i = 0; i < argv.length; i++) {
20
+ const a = argv[i]
21
+ if (a === '--survey') flags.survey = argv[++i]
22
+ else if (a === '--host') flags.host = argv[++i]
23
+ else if (a === '--password') flags.password = argv[++i]
24
+ else if (a === '--json') flags.json = true
25
+ else fail(`unknown argument: ${a}`)
26
+ }
27
+ return flags
28
+ }
29
+
30
+ export async function main(argv) {
31
+ const flags = parseFlags(argv)
32
+ if (!flags.survey) fail('usage: livybolt balance --survey <id>')
33
+
34
+ const { entry, surveyPrivkey } = await openVaultEntry(flags.survey, flags)
35
+ const host = flags.host ?? DEFAULT_HOST
36
+ const authorization = surveyPrivkey
37
+ ? await signNip98Token(
38
+ `${host}/api/surveys/${encodeURIComponent(entry.surveyId)}/balance`,
39
+ 'GET',
40
+ surveyPrivkey
41
+ )
42
+ : undefined
43
+ const bal = await fetchBalance({
44
+ host,
45
+ surveyId: entry.surveyId,
46
+ ownerToken: entry.ownerToken,
47
+ authorization,
48
+ })
49
+
50
+ if (flags.json) {
51
+ console.log(JSON.stringify(bal, null, 2))
52
+ return
53
+ }
54
+
55
+ console.log(`survey: ${bal.surveyId}`)
56
+ console.log(`prepaid: ${bal.prepaid_responses}`)
57
+ console.log(`consumed: ${bal.consumed_responses}`)
58
+ console.log(`remaining: ${bal.remaining_responses} (${bal.remaining_sats} sats of credit)`)
59
+ console.log(`locked: ${bal.overage_responses} (overage awaiting unlock)`)
60
+ if (bal.expires_at) console.log(`expires: ${bal.expires_at}`)
61
+ }
62
+
63
+ if (import.meta.url === `file://${process.argv[1]}`) {
64
+ main(process.argv.slice(2)).catch((err) => {
65
+ console.error(`error: ${err.message}`)
66
+ process.exit(1)
67
+ })
68
+ }
@@ -0,0 +1,38 @@
1
+ // Shared identity-password resolution for the CLI scripts that unlock the seed.
2
+ // Centralizes what were four byte-identical copies (agent-identity, vault-read,
3
+ // vault-open, survey-create) so the resolution ladder lives in one place.
4
+
5
+ import { createInterface } from 'node:readline'
6
+
7
+ /** Read a line without echoing it (for passwords). */
8
+ export function promptHidden(query) {
9
+ return new Promise((resolve) => {
10
+ const rl = createInterface({ input: process.stdin, output: process.stdout })
11
+ // Mute echo so the password is not displayed as it is typed.
12
+ rl._writeToOutput = () => {}
13
+ process.stdout.write(query)
14
+ rl.question('', (answer) => {
15
+ rl.close()
16
+ process.stdout.write('\n')
17
+ resolve(answer)
18
+ })
19
+ })
20
+ }
21
+
22
+ /**
23
+ * Resolve the identity password: --password flag, else LIVYBOLT_IDENTITY_PASSWORD,
24
+ * else an interactive (hidden) prompt. When there is no password and no TTY, calls
25
+ * `onMissing(message)` — pass the caller's fail() (which exits). `purpose` tunes
26
+ * the wording (e.g. 'unlock the identity', 'encrypt the new identity').
27
+ */
28
+ export async function resolveIdentityPassword(flags, onMissing, purpose = 'unlock the identity') {
29
+ if (flags.password != null) return flags.password
30
+ if (process.env.LIVYBOLT_IDENTITY_PASSWORD) return process.env.LIVYBOLT_IDENTITY_PASSWORD
31
+ if (!process.stdin.isTTY) {
32
+ onMissing(
33
+ `no password to ${purpose}. Pass --password, set LIVYBOLT_IDENTITY_PASSWORD, or run interactively.`
34
+ )
35
+ return undefined
36
+ }
37
+ return await promptHidden(`Password to ${purpose}: `)
38
+ }