moltyjacs 0.3.0 → 0.8.3

package/README.md

@@ -1,10 +1,12 @@
 # moltyjacs
 
-JACS cryptographic provenance plugin for OpenClaw.
+**Sign it. Prove it.** JACS cryptographic provenance plugin for OpenClaw.
+
+[Which integration should I use?](https://humanassisted.github.io/JACS/getting-started/decision-tree.html) | [Full JACS documentation](https://humanassisted.github.io/JACS/)
 
 ## Why use JACS?
 
-**So your OpenClaw agent can be trusted—and can trust others.** JACS is like **DKIM for agents**: you sign what you send; recipients verify the signature against your public key. It’s **decentralized**—no single authority. You publish your key (DNS, optional HAI.ai); others fetch and verify. Without it, nothing you say or do can be proven. With JACS you sign messages, commitments, and state; anyone with your public key can verify they came from you and weren’t altered. You get proof of origin, integrity, and accountability. Other agents can discover your key via DNS or HAI.ai and verify your documents; you verify theirs with `jacs_verify_auto` and optional trust levels (domain, attested). Keys and signed payloads stay local; you send the same signed JSON over any channel (WhatsApp, HTTP, MCP). **Use it whenever another agent or human needs to trust that you said or agreed to something.**
+**So your OpenClaw agent can be trusted -- and can trust others.** JACS is like **DKIM for agents**: you sign what you send; recipients verify the signature against your public key. It is **decentralized** -- no single authority. You publish your key (DNS, optional HAI.ai); others fetch and verify. Without it, nothing you say or do can be proven. With JACS you sign messages, commitments, and state; anyone with your public key can verify they came from you and were not altered. You get proof of origin, integrity, and accountability. Other agents can discover your key via DNS or HAI.ai and verify your documents; you verify theirs with `jacs_verify_auto` and optional trust levels (domain, attested). Keys and signed payloads stay local; you send the same signed JSON over any channel (WhatsApp, HTTP, MCP). **Use it whenever another agent or human needs to trust that you said or agreed to something.**
 
 ## Overview
 
@@ -13,7 +15,13 @@ moltyjacs adds post-quantum cryptographic signatures to your OpenClaw agent comm
 - **Document signing** - Sign any document with your agent's cryptographic identity
 - **Verification** - Verify documents from other agents
 - **Agent discovery** - Publish and discover agents via well-known endpoints and DNS
+- **A2A interoperability** - Export Agent Cards, wrap A2A artifacts with JACS provenance, and assess remote A2A trust
 - **Multi-party agreements** - Create and manage agreements requiring multiple signatures
+- **Agent state** - Sign and track memory, skills, plans, configs, and hooks
+- **Commitments** - Track agreements and obligations between agents with lifecycle management
+- **Todo lists** - Private, signed work tracking with goals and tasks
+- **Conversations** - Signed message threads between agents
+- **HAI platform features** - Hello/auth checks, username lifecycle, mailbox/email workflow, key registry lookups, and benchmark orchestration
 
 ## Installation
 
@@ -43,21 +51,62 @@ openclaw plugins install https://github.com/HumanAssisted/moltyjacs
 
 ## Quick Start
 
-1. Initialize JACS with key generation:
+1. Configure exactly one private-key password source (env is the developer default):
+   ```bash
+   # Option A (recommended for local dev)
+   export JACS_PRIVATE_KEY_PASSWORD='use-a-strong-password'
+
+   # Option B (recommended for containers/CI secrets mounts)
+   export JACS_PASSWORD_FILE=/run/secrets/jacs_password
+
+   # Option C (CLI convenience, init only)
+   # openclaw jacs init --password-file /run/secrets/jacs_password
+   ```
+
+2. Initialize JACS with key generation:
    ```bash
    openclaw jacs init
    ```
 
-2. Sign a document:
+3. Sign a document:
    ```bash
    openclaw jacs sign document.json
    ```
 
-3. Verify a signed document:
+4. Verify a signed document:
    ```bash
    openclaw jacs verify signed-document.json
    ```
 
+5. Bootstrap trust with another agent (tool flow):
+   - Sender runs `jacs_share_public_key` and `jacs_share_agent`
+   - Receiver runs `jacs_trust_agent_with_key` with the shared `agentJson` and `publicKeyPem`
+
+### Direct JACS SDK Quick Start (outside this plugin)
+
+For direct `@hai.ai/jacs/client` or `@hai.ai/jacs/simple` usage, first-time quickstart now requires identity (`name` and `domain`):
+
+```ts
+import { JacsClient } from "@hai.ai/jacs/client";
+
+const client = await JacsClient.quickstart({
+  name: "my-agent",
+  domain: "agent.example.com",
+  // optional; defaults to pq2025
+  algorithm: "pq2025",
+});
+```
+
+## JACS Workspace Compatibility
+
+For coordinated local development, `moltyjacs` now resolves `@hai.ai/jacs` from the sibling `../JACS/jacsnpm` workspace so its A2A surface matches the current `haiai` wrapper contract. The JACS Node API remains **async-first**. All NAPI operations return Promises by default; sync variants use a `Sync` suffix (e.g. `loadSync` vs `load`). moltyjacs uses the async API for setup (`agent.load()`, `createAgent()`) and the sync API for hot-path operations (`signRequest`, `verifyResponse`) that must run on the V8 thread.
+
+Recent JACS updates relevant to moltyjacs:
+- Direct `quickstart()` usage in `@hai.ai/jacs/client` and `@hai.ai/jacs/simple` now requires identity inputs (`name` and `domain`) for first-time agent creation.
+- Default algorithm across JACS is `pq2025`.
+- Trust/bootstrap surfaces now include `trustAgentWithKey` / `trust_agent_with_key`, `sharePublicKey` / `share_public_key`, and `shareAgent` / `share_agent`.
+- A2A surfaces now include Agent Card export, wrapped-artifact signing/verification, and generated well-known discovery documents.
+
 ## CLI Commands
 
 | Command | Description |
@@ -69,40 +118,157 @@ openclaw plugins install https://github.com/HumanAssisted/moltyjacs
 | `openclaw jacs hash <string>` | Hash a string |
 | `openclaw jacs dns-record <domain>` | Generate DNS TXT record for discovery |
 | `openclaw jacs lookup <domain>` | Look up another agent's info |
-| `openclaw jacs register [--api-key <key>] [--preview]` | Register this agent with HAI.ai for attested trust level |
+| `openclaw jacs register [--preview]` | Register this agent with HAI.ai for attested trust level |
 | `openclaw jacs attestation [domain]` | Check attestation status for this agent or another by domain |
 | `openclaw jacs claim [level]` | Set or view verification claim (includes DNS/HAI proof details) |
 
 ## HAI.ai registration
 
-To get an attested trust level, register your agent with HAI.ai once: run `openclaw jacs register`. You must set the `HAI_API_KEY` environment variable or pass `--api-key`. Use `--preview` to see what would be sent without registering. After registration, use `openclaw jacs attestation` to check your (or another agent's) attestation status, and `openclaw jacs claim <level>` to set or view your verification claim. `verified` now requires DNS TXT hash verification (domain configured + published hash matches your public key). See [Configuration](#configuration) and [Security](#security) for related options.
+To get an attested trust level, register your agent with HAI.ai once: run `openclaw jacs register`. Registration uses JACS-signed authentication (no API key needed). Use `--preview` to see what would be sent without registering. After registration, use `openclaw jacs attestation` to check your (or another agent's) attestation status, and `openclaw jacs claim <level>` to set or view your verification claim. `verified` now requires DNS TXT hash verification (domain configured + published hash matches your public key). See [Configuration](#configuration) and [Security](#security) for related options.
 
 ## Agent Tools
 
 When used with an AI agent, these tools are available:
 
+### Core signing and verification
+
 | Tool | Purpose |
 |------|---------|
 | `jacs_sign` | Sign a document (returns signed doc; when small enough, includes `verification_url` for sharing) |
 | `jacs_verify_link` | Get a shareable verification URL for a signed document (for https://hai.ai/jacs/verify) |
 | `jacs_verify` | Verify a self-signed document |
-| `jacs_verify_auto` | Verify any document (auto-fetches keys) |
+| `jacs_verify_standalone` | Verify any signed document without JACS init (no agent required) |
+| `jacs_verify_auto` | Verify any document (auto-fetches keys, supports trust levels) |
+| `jacs_verify_dns` | Verify agent identity via DNS TXT record |
 | `jacs_fetch_pubkey` | Fetch another agent's public key |
 | `jacs_verify_with_key` | Verify with a specific public key |
+| `jacs_hash` | Hash content |
+| `jacs_identity` | Get your identity info |
+| `jacs_share_public_key` | Share your current public key PEM for trust bootstrap |
+| `jacs_share_agent` | Share your self-signed agent document for trust establishment |
+| `jacs_trust_agent_with_key` | Trust an agent document using an explicit public key PEM |
+| `jacs_audit` | Run read-only JACS security audit |
+
+### A2A interoperability
+
+| Tool | Purpose |
+|------|---------|
+| `jacs_a2a_export_agent_card` | Export this agent as an A2A Agent Card |
+| `jacs_a2a_sign_artifact` | Wrap an A2A task/message/result with JACS provenance |
+| `jacs_a2a_verify_artifact` | Verify a wrapped A2A artifact |
+| `jacs_a2a_assess_remote_agent` | Apply A2A trust policy to a remote Agent Card |
+| `jacs_a2a_trust_agent` | Add a remote Agent Card to the local trust store |
+| `jacs_a2a_generate_well_known` | Generate A2A discovery documents for `/.well-known` serving |
+
+### Discovery and trust
+
+| Tool | Purpose |
+|------|---------|
 | `jacs_dns_lookup` | Look up DNS TXT record |
-| `jacs_lookup_agent` | Get complete agent info |
+| `jacs_lookup_agent` | Get complete agent info (well-known + DNS + HAI.ai) |
+| `jacs_verify_hai_registration` | Verify HAI.ai registration for an agent |
+| `jacs_get_attestation` | Get full attestation status for an agent |
+| `jacs_set_verification_claim` | Set verification claim level |
+
+### HAI platform integration
+
+| Tool | Purpose |
+|------|---------|
+| `jacs_hai_hello` | Call HAI hello endpoint with JACS auth |
+| `jacs_hai_test_connection` | Test HAI connectivity without mutating state |
+| `jacs_hai_register` | Register this agent with HAI |
+| `jacs_hai_check_username` | Check HAI username availability |
+| `jacs_hai_claim_username` | Claim username for an agent |
+| `jacs_hai_update_username` | Rename claimed username |
+| `jacs_hai_delete_username` | Release claimed username |
+| `jacs_hai_verify_document` | Verify signed document via HAI public verifier |
+| `jacs_hai_get_verification` | Get advanced verification/badge by agent ID |
+| `jacs_hai_verify_agent_document` | Run advanced verification using an agent document |
+| `jacs_hai_fetch_remote_key` | Fetch remote key from HAI key registry |
+| `jacs_hai_verify_agent` | Multi-level agent verification (signature + DNS + HAI) |
+| `jacs_hai_send_email` | Send email from this agent mailbox |
+| `jacs_hai_list_messages` | List mailbox messages |
+| `jacs_hai_get_message` | Retrieve one mailbox message by ID |
+| `jacs_hai_mark_message_read` | Mark message as read |
+| `jacs_hai_mark_message_unread` | Mark message as unread |
+| `jacs_hai_delete_message` | Delete mailbox message |
+| `jacs_hai_search_messages` | Search mailbox with filters |
+| `jacs_hai_get_unread_count` | Get unread mailbox count |
+| `jacs_hai_reply` | Reply to a message ID |
+| `jacs_hai_get_email_status` | Get mailbox status/limits |
+| `jacs_hai_free_chaotic_run` | Run free benchmark tier |
+| `jacs_hai_dns_certified_run` | Run DNS-certified benchmark flow (returns checkout URL when pending) |
+| `jacs_hai_submit_response` | Submit benchmark job response |
+| `jacs_hai_benchmark_run` | Run legacy benchmark endpoint by name/tier |
+
+### Agreements
+
+| Tool | Purpose |
+|------|---------|
 | `jacs_create_agreement` | Create multi-party agreement |
 | `jacs_sign_agreement` | Sign an agreement |
 | `jacs_check_agreement` | Check agreement status |
-| `jacs_hash` | Hash content |
-| `jacs_identity` | Get your identity info |
-| `jacs_audit` | Run read-only JACS security audit |
+
+### Agent state
+
+| Tool | Purpose |
+|------|---------|
+| `jacs_create_agentstate` | Create signed agent state (memory, skill, plan, config, hook) |
+| `jacs_sign_file_as_state` | Sign a file as agent state with path reference and hash |
+| `jacs_verify_agentstate` | Verify an agent state document |
+
+### Commitments
+
+| Tool | Purpose |
+|------|---------|
+| `jacs_create_commitment` | Create a signed commitment |
+| `jacs_update_commitment` | Update commitment status or fields |
+| `jacs_dispute_commitment` | Dispute a commitment with a reason |
+| `jacs_revoke_commitment` | Revoke a commitment with a reason |
+
+### Todo lists
+
+| Tool | Purpose |
+|------|---------|
+| `jacs_create_todo` | Create a signed todo list |
+| `jacs_add_todo_item` | Add an item to a todo list |
+| `jacs_update_todo_item` | Update a todo item |
+
+### Conversations
+
+| Tool | Purpose |
+|------|---------|
+| `jacs_start_conversation` | Create the first signed message payload in a new thread |
+| `jacs_send_message` | Create a signed message payload in an existing thread |
+
+## MCP and Message Transport
+
+`jacs_start_conversation` and `jacs_send_message` create signed JACS message payloads. They do **not** perform delivery/transport by themselves.
+
+Use this pattern for agent-to-agent messaging:
+
+1. Create/sign payload (`jacs_start_conversation` or `jacs_send_message`)
+2. Deliver the returned signed JSON over your chosen channel (MCP, HTTP, queue, chat bridge, etc.)
+3. Verify on receipt (`jacs_verify_auto`, `jacs_verify_standalone`, or `jacs_verify_with_key`)
+
+For custom Node MCP servers, JACS supports transport-level integration via `@hai.ai/jacs/mcp`:
+
+- `createJACSTransportProxy(...)` for automatic signing/verification at transport boundaries
+- `registerJacsTools(...)` to expose JACS operations as MCP tools
+- Expanded trust/bootstrap MCP/LangChain tools include `jacs_share_public_key`, `jacs_share_agent`, and `jacs_trust_agent_with_key`
+
+This OpenClaw plugin does not automatically intercept all host MCP traffic; use explicit JACS tools or host transport middleware/adapters.
 
 ## Well-Known Endpoints
 
 Your agent exposes these endpoints:
 
+- `GET /.well-known/agent-card.json` - A2A Agent Card for discovery
+- `GET /.well-known/jwks.json` - A2A/JACS JWKS for verifier interoperability
+- `GET /.well-known/jacs-agent.json` - JACS agent descriptor
+- `GET /.well-known/jacs-extension.json` - JACS A2A extension descriptor
 - `GET /.well-known/jacs-pubkey.json` - Your public key
+- `GET /jacs/agent` - Current self-signed JACS agent document
 - `GET /jacs/status` - Health check
 - `POST /jacs/verify` - Public verification (this agent)
 - `GET /jacs/attestation` - Full attestation status (trust level, HAI registration, DNS verification)
@@ -118,33 +284,40 @@ Configure via `openclaw.plugin.json`:
 ```json
 {
   "keyAlgorithm": "pq2025",
-  "autoSign": false,
-  "autoVerify": true,
   "agentName": "My Agent",
   "agentDescription": "Description",
   "agentDomain": "agent.example.com"
 }
 ```
 
+`autoSign` and `autoVerify` are accepted for backward compatibility but are deprecated no-ops in `moltyjacs`.
+
 `agentId` is set automatically when you run `openclaw jacs init` and is not edited in the config file.
 
+JACS key filenames are read from `jacs.config.json`:
+- `jacs_agent_public_key_filename` (default: `jacs.public.pem`)
+- `jacs_agent_private_key_filename` (default: `jacs.private.pem.enc`)
+
 ### Environment variables
 
 | Variable | Purpose |
 |----------|---------|
-| `JACS_PRIVATE_KEY_PASSWORD` | Password for the encrypted private key; required for signing when not prompted (e.g. headless/CI). |
-| `HAI_API_KEY` | Used by `openclaw jacs register`; can be passed via `--api-key` instead. |
-| `HAI_API_URL` | Optional override for HAI API base URL (default `https://api.hai.ai`). |
+| `JACS_PRIVATE_KEY_PASSWORD` | Password for the encrypted private key; developer-default source for local/headless usage. |
+| `JACS_PASSWORD_FILE` | Path to a file containing the private-key password (newline allowed at end of file). |
 
-The key password is generated at `openclaw jacs init` and must be stored securely.
+Configure exactly one password source. If multiple password sources are set, initialization fails closed to avoid ambiguity.
+On Unix-like systems, password files must be owner-only (for example `chmod 600 /run/secrets/jacs_password`).
 
 ### Key Algorithms
 
 - `pq2025` (default) - Post-quantum ML-DSA-87
-- `pq-dilithium` - Dilithium
 - `ring-Ed25519` - Ed25519
 - `RSA-PSS` - RSA with PSS padding
 
+## Cross-Language Compatibility
+
+Documents signed by moltyjacs (Node.js) can be verified by Rust or Python agents, and vice versa. Cross-language interop is tested on every commit with Ed25519 and post-quantum (ML-DSA-87) algorithms. See the [JACS cross-language tests](https://github.com/HumanAssisted/JACS/tree/main/jacs/tests/cross_language) for details.
+
 ## Security
 
 - Private keys are encrypted with AES-256-GCM
@@ -152,8 +325,33 @@ The key password is generated at `openclaw jacs init` and must be stored securel
 - Default algorithm (pq2025) provides quantum resistance
 - DNS records enable DNSSEC-backed identity verification
 
+## Development
+
+```bash
+# Install dependencies
+npm install
+
+# Build
+npm run build
+
+# Watch mode
+npm run watch
+
+# Run unit tests (uses mocked JACS module)
+npm test
+
+# Run integration tests (requires real @hai.ai/jacs native binary)
+npm run test:integration
+
+# Test local installation
+openclaw plugins install . --link
+openclaw plugins list
+```
+
 ## Publishing
 
+CI publishes on push of a tag `v*` (e.g. `v0.8.0`). **Publish [@hai.ai/jacs](https://www.npmjs.com/package/@hai.ai/jacs) from the [JACS](https://github.com/HumanAssisted/JACS) repo first** (tag `npm/v*`), then tag and push moltyjacs so the build can resolve the dependency.
+
 ### To npm
 
 ```bash
@@ -173,51 +371,14 @@ Or publish to both npm and ClawHub:
 npm run publish:all
 ```
 
-### Manual ClawHub Publishing
-
-1. Install the ClawHub CLI:
-   ```bash
-   npm install -g clawhub
-   ```
-
-2. Publish the plugin:
-   ```bash
-   clawhub publish .
-   ```
-
-3. Sync updates:
-   ```bash
-   clawhub sync
-   ```
-
-## Development
-
-```bash
-# Install dependencies
-npm install
-
-# Build
-npm run build
-
-# Watch mode
-npm run watch
-
-# Test local installation
-openclaw plugins install . --link
-openclaw plugins list
-```
-
-## Publishing
-
-CI publishes on push of a tag `v*` (e.g. `v0.3.0`). **Publish [@hai.ai/jacs](https://www.npmjs.com/package/@hai.ai/jacs) from the [JACS](https://github.com/HumanAssisted/JACS) repo first** (tag `npm/v*`), then tag and push moltyjacs so the build can resolve the dependency.
-
 ## License
 
 MIT License - see [LICENSE](LICENSE)
 
 ## Links
 - [HAI.AI](https://hai.ai)
-- [JACS Documentation](https://github.com/HumanAssisted/JACS/)
+- [JACS Documentation](https://humanassisted.github.io/JACS/)
+- [Decision Tree](https://humanassisted.github.io/JACS/getting-started/decision-tree.html)
 - [OpenClaw](https://docs.openclaw.ai)
 - [ClawHub](https://www.clawhub.com)
 - [GitHub](https://github.com/HumanAssisted/moltyjacs)

package/dist/a2a.d.ts

@@ -0,0 +1,19 @@
+import type { OpenClawPluginAPI } from "./index";
+export type A2ATrustPolicy = "open" | "verified" | "strict";
+export declare function exportA2AAgentCard(api: OpenClawPluginAPI, trustPolicy?: A2ATrustPolicy): Promise<{
+    agentCard: Record<string, unknown>;
+    agentData: Record<string, unknown>;
+}>;
+export declare function signA2AArtifact(api: OpenClawPluginAPI, artifact: Record<string, unknown>, artifactType: string, parentSignatures?: Record<string, unknown>[] | null, trustPolicy?: A2ATrustPolicy): Promise<Record<string, unknown>>;
+export declare function verifyA2AArtifact(api: OpenClawPluginAPI, wrappedArtifact: string | Record<string, unknown>, trustPolicy?: A2ATrustPolicy): Promise<Record<string, unknown>>;
+export declare function assessRemoteA2AAgent(api: OpenClawPluginAPI, agentCard: string | Record<string, unknown>, trustPolicy?: A2ATrustPolicy): Promise<Record<string, unknown>>;
+export declare function trustRemoteA2AAgent(api: OpenClawPluginAPI, agentCard: string | Record<string, unknown>, trustPolicy?: A2ATrustPolicy): Promise<Record<string, unknown>>;
+export declare function generateA2AWellKnownDocuments(api: OpenClawPluginAPI, options?: {
+    trustPolicy?: A2ATrustPolicy;
+    jwsSignature?: string;
+}): Promise<{
+    documents: Record<string, Record<string, unknown>>;
+    agentCard: Record<string, unknown>;
+    agentData: Record<string, unknown>;
+}>;
+//# sourceMappingURL=a2a.d.ts.map

package/dist/a2a.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a2a.d.ts","sourceRoot":"","sources":["../src/a2a.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAGjD,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,GAAG,QAAQ,CAAC;AAqE5D,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,iBAAiB,EACtB,WAAW,GAAE,cAAqC,GACjD,OAAO,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,CAMrF;AAED,wBAAsB,eAAe,CACnC,GAAG,EAAE,iBAAiB,EACtB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,YAAY,EAAE,MAAM,EACpB,gBAAgB,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAW,EACzD,WAAW,GAAE,cAAqC,GACjD,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAMlC;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,iBAAiB,EACtB,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjD,WAAW,GAAE,cAAqC,GACjD,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAIlC;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,iBAAiB,EACtB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3C,WAAW,GAAE,cAAqC,GACjD,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAIlC;AAED,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,iBAAiB,EACtB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3C,WAAW,GAAE,cAAqC,GACjD,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAKlC;AAED,wBAAsB,6BAA6B,CACjD,GAAG,EAAE,iBAAiB,EACtB,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GACA,OAAO,CAAC;IACT,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,CAAC,CAyBD"}

package/dist/a2a.js

@@ -0,0 +1,151 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exportA2AAgentCard = exportA2AAgentCard;
+exports.signA2AArtifact = signA2AArtifact;
+exports.verifyA2AArtifact = verifyA2AArtifact;
+exports.assessRemoteA2AAgent = assessRemoteA2AAgent;
+exports.trustRemoteA2AAgent = trustRemoteA2AAgent;
+exports.generateA2AWellKnownDocuments = generateA2AWellKnownDocuments;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const client_1 = require("@hai.ai/jacs/client");
+const haiai_1 = require("@haiai/haiai");
+const jacs_config_1 = require("./jacs-config");
+const DEFAULT_TRUST_POLICY = "verified";
+const jacsClientCache = new Map();
+function getConfigPath(api) {
+    return path.join(api.runtime.homeDir, ".openclaw", "jacs", "jacs.config.json");
+}
+function getKeysDir(api) {
+    return path.join(api.runtime.homeDir, ".openclaw", "jacs_keys");
+}
+function parseAgentIdAndVersion(value) {
+    if (!value || typeof value !== "string") {
+        return {};
+    }
+    const [agentId, version] = value.split(":");
+    return {
+        agentId: agentId || undefined,
+        version: version || undefined,
+    };
+}
+function resolveConfiguredPublicKey(api, configPath) {
+    const runtimeKey = api.runtime.jacs?.getPublicKey();
+    if (typeof runtimeKey === "string" && runtimeKey.trim() !== "") {
+        return runtimeKey;
+    }
+    const config = (0, jacs_config_1.readJacsConfig)(configPath);
+    const publicKeyPath = (0, jacs_config_1.resolvePublicKeyPath)(getKeysDir(api), config);
+    if (!fs.existsSync(publicKeyPath)) {
+        throw new Error(`Public key not found at ${publicKeyPath}`);
+    }
+    return fs.readFileSync(publicKeyPath, "utf-8");
+}
+function resolveAgentData(api, configPath) {
+    const config = (0, jacs_config_1.readJacsConfig)(configPath);
+    const { agentId, version } = parseAgentIdAndVersion(config?.jacs_agent_id_and_version);
+    return {
+        jacsId: api.config.agentId || api.runtime.jacs?.getAgentId() || agentId || "unknown-agent",
+        jacsName: api.config.agentName || "OpenClaw JACS Agent",
+        jacsDescription: api.config.agentDescription || "OpenClaw agent with JACS cryptographic provenance",
+        jacsVersion: version || "1",
+        jacsAgentDomain: api.config.agentDomain,
+        jacsAgentType: "ai",
+        keyAlgorithm: api.config.keyAlgorithm || config?.jacs_agent_key_algorithm || "pq2025",
+    };
+}
+async function getJacsClient(configPath) {
+    const cached = jacsClientCache.get(configPath);
+    if (cached) {
+        return cached;
+    }
+    const client = new client_1.JacsClient({ configPath });
+    if (typeof client.loadSync === "function") {
+        client.loadSync(configPath);
+    }
+    else {
+        await client.load(configPath);
+    }
+    jacsClientCache.set(configPath, client);
+    return client;
+}
+async function exportA2AAgentCard(api, trustPolicy = DEFAULT_TRUST_POLICY) {
+    const configPath = getConfigPath(api);
+    const client = await getJacsClient(configPath);
+    const agentData = resolveAgentData(api, configPath);
+    const agentCard = await (0, haiai_1.exportAgentCard)(client, agentData, { trustPolicy });
+    return { agentCard, agentData };
+}
+async function signA2AArtifact(api, artifact, artifactType, parentSignatures = null, trustPolicy = DEFAULT_TRUST_POLICY) {
+    const configPath = getConfigPath(api);
+    const client = await getJacsClient(configPath);
+    return (0, haiai_1.signArtifact)(client, artifact, artifactType, parentSignatures, {
+        trustPolicy,
+    });
+}
+async function verifyA2AArtifact(api, wrappedArtifact, trustPolicy = DEFAULT_TRUST_POLICY) {
+    const configPath = getConfigPath(api);
+    const client = await getJacsClient(configPath);
+    return (0, haiai_1.verifyArtifact)(client, wrappedArtifact, { trustPolicy });
+}
+async function assessRemoteA2AAgent(api, agentCard, trustPolicy = DEFAULT_TRUST_POLICY) {
+    const configPath = getConfigPath(api);
+    const client = await getJacsClient(configPath);
+    return (0, haiai_1.assessRemoteAgent)(client, agentCard, { trustPolicy });
+}
+async function trustRemoteA2AAgent(api, agentCard, trustPolicy = DEFAULT_TRUST_POLICY) {
+    const configPath = getConfigPath(api);
+    const client = await getJacsClient(configPath);
+    const result = await (0, haiai_1.trustA2AAgent)(client, agentCard, { trustPolicy });
+    return { trusted: true, result };
+}
+async function generateA2AWellKnownDocuments(api, options) {
+    const trustPolicy = options?.trustPolicy ?? DEFAULT_TRUST_POLICY;
+    const configPath = getConfigPath(api);
+    const client = await getJacsClient(configPath);
+    const { agentCard, agentData } = await exportA2AAgentCard(api, trustPolicy);
+    const publicKeyPem = resolveConfiguredPublicKey(api, configPath);
+    const publicKeyB64 = Buffer.from(publicKeyPem, "utf-8").toString("base64");
+    const documents = await (0, haiai_1.generateWellKnownDocuments)(client, agentCard, options?.jwsSignature ?? "", publicKeyB64, agentData, { trustPolicy });
+    if (!options?.jwsSignature) {
+        const cardDoc = documents["/.well-known/agent-card.json"];
+        if (cardDoc && Array.isArray(cardDoc.signatures) && cardDoc.signatures.length === 0) {
+            delete cardDoc.signatures;
+        }
+    }
+    return { documents, agentCard, agentData };
+}
+//# sourceMappingURL=a2a.js.map

package/dist/a2a.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a2a.js","sourceRoot":"","sources":["../src/a2a.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmFA,gDASC;AAED,0CAYC;AAED,8CAQC;AAED,oDAQC;AAED,kDASC;AAED,sEAmCC;AA9KD,uCAAyB;AACzB,2CAA6B;AAC7B,gDAAiD;AACjD,wCAOsB;AAEtB,+CAAqE;AAIrE,MAAM,oBAAoB,GAAmB,UAAU,CAAC;AACxD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEtD,SAAS,aAAa,CAAC,GAAsB;IAC3C,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,kBAAkB,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,UAAU,CAAC,GAAsB;IACxC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,OAAO;QACL,OAAO,EAAE,OAAO,IAAI,SAAS;QAC7B,OAAO,EAAE,OAAO,IAAI,SAAS;KAC9B,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAsB,EAAE,UAAkB;IAC5E,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;IACpD,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC/D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,4BAAc,EAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAA,kCAAoB,EAAC,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;IACpE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAsB,EAAE,UAAkB;IAClE,MAAM,MAAM,GAAG,IAAA,4BAAc,EAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,sBAAsB,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;IACvF,OAAO;QACL,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,OAAO,IAAI,eAAe;QAC1F,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,qBAAqB;QACvD,eAAe,EACb,GAAG,CAAC,MAAM,CAAC,gBAAgB,IAAI,mDAAmD;QACpF,WAAW,EAAE,OAAO,IAAI,GAAG;QAC3B,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,WAAW;QACvC,aAAa,EAAE,IAAI;QACnB,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,MAAM,EAAE,wBAAwB,IAAI,QAAQ;KACtF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,UAAkB;IAC7C,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,mBAAU,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;IAC9C,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC1C,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;IACD,eAAe,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACxC,OAAO,MAAM,CAAC;AAChB,CAAC;AAEM,KAAK,UAAU,kBAAkB,CACtC,GAAsB,EACtB,cAA8B,oBAAoB;IAElD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,gBAAgB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,IAAA,uBAAqB,EAAC,MAAM,EAAE,SAAS,EAAE,EAAE,WAAW,EAAE,CAA4B,CAAC;IAC7G,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AAClC,CAAC;AAEM,KAAK,UAAU,eAAe,CACnC,GAAsB,EACtB,QAAiC,EACjC,YAAoB,EACpB,mBAAqD,IAAI,EACzD,cAA8B,oBAAoB;IAElD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,OAAO,IAAA,oBAAkB,EAAC,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,gBAAgB,EAAE;QAC1E,WAAW;KACZ,CAAqC,CAAC;AACzC,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,GAAsB,EACtB,eAAiD,EACjD,cAA8B,oBAAoB;IAElD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,OAAO,IAAA,sBAAoB,EAAC,MAAM,EAAE,eAAe,EAAE,EAAE,WAAW,EAAE,CAAqC,CAAC;AAC5G,CAAC;AAEM,KAAK,UAAU,oBAAoB,CACxC,GAAsB,EACtB,SAA2C,EAC3C,cAA8B,oBAAoB;IAElD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,OAAO,IAAA,yBAAuB,EAAC,MAAM,EAAE,SAAS,EAAE,EAAE,WAAW,EAAE,CAAqC,CAAC;AACzG,CAAC;AAEM,KAAK,UAAU,mBAAmB,CACvC,GAAsB,EACtB,SAA2C,EAC3C,cAA8B,oBAAoB;IAElD,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,qBAAmB,EAAC,MAAM,EAAE,SAAS,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;IAC7E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACnC,CAAC;AAEM,KAAK,UAAU,6BAA6B,CACjD,GAAsB,EACtB,OAGC;IAMD,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,oBAAoB,CAAC;IACjE,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,0BAA0B,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE3E,MAAM,SAAS,GAAG,MAAM,IAAA,kCAAgC,EACtD,MAAM,EACN,SAAS,EACT,OAAO,EAAE,YAAY,IAAI,EAAE,EAC3B,YAAY,EACZ,SAAS,EACT,EAAE,WAAW,EAAE,CAC2B,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,SAAS,CAAC,8BAA8B,CAAC,CAAC;QAC1D,IAAI,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpF,OAAO,OAAO,CAAC,UAAU,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AAC7C,CAAC"}

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,iBAAiB,EAAiC,MAAM,SAAS,CAAC;AAWhF,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,WAAW;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,iBAAiB,GAAG,WAAW,CA+mB/D"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,iBAAiB,EAAiC,MAAM,SAAS,CAAC;AAehF,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,WAAW;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,iBAAiB,GAAG,WAAW,CA6nB/D"}