secretless-ai 0.17.1 → 0.18.0

package/README.md

@@ -1,5 +1,7 @@
 # secretless-ai
 
+[![Status: stable](https://img.shields.io/badge/status-stable-green)](./STATUS.md)
+
 > **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
 
 Keep API keys and other secrets invisible to AI coding tools. Works with Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, and Aider. Apache 2.0.

package/dist/broker/atx.d.ts

@@ -0,0 +1,168 @@
+/**
+ * ATX (Agent Trust eXtension) verification — the subject-claim check the broker
+ * runs before resolving any grant. AAP §6 step 2.
+ *
+ * The ATX is the signed, portable credential defined by ATP/ATX that states what an
+ * agent *is*. AAP does not redefine it; this verifier mirrors the OpenA2A reference
+ * verifier (`atx-conformance/verifiers/python/verify.py`, itself a port of
+ * `opena2a-registry/pkg/atcverify/verify.go canonicalPayload()`) VERBATIM so a broker
+ * accepts exactly the credentials the conformance suite accepts.
+ *
+ * (ATX is the current name for the credential formerly called ATC; fixtures use the
+ * `atcVersion` field. This verifier dual-supports both signing forms.)
+ *
+ * Scope: Ed25519 is verified fully. ML-DSA-65 presence is recorded but verification is
+ * delegated — Node's stdlib has no ML-DSA, exactly as the Python reference verifier
+ * skips it. Production wires the post-quantum half + the live trusted-issuer/CRL anchors
+ * to AIM's verification path (see AtxVerifier / RegistryAtxVerifier seam below).
+ *
+ * SECURITY — signature coverage depends on atcVersion:
+ *  - v1.0 (canonicalPayload): the pipe-delimited string covers identity, issuer,
+ *    trustLevel, trustScore, contentHash, buildAttestation, and the validity window.
+ *    It does NOT cover `capabilities`, `scanSummary.oasbLevel`, `issuerChain`, or
+ *    `jurisdiction`. A holder of any validly-signed v1.0 ATX can edit those without
+ *    invalidating the signature, so they MUST NOT be trusted for authorization.
+ *  - v1.1 (canonicalPayloadV11): the signature covers JCS(TBS), which includes
+ *    `capabilities`, `scanSummary`, `issuerChain`, and `publisher`. Those fields are
+ *    integrity-protected and safe to authorize on.
+ *
+ * The verified context exposes `signedCapabilities` (true iff v1.1) so callers can tell
+ * the two apart. Phase 3 of the ATX v1.1 rollout adds a `requireSignedCapabilities`
+ * grant-policy flag that refuses capability-gated grants whose context has
+ * `signedCapabilities === false`. Until then a production verifier still SHOULD source
+ * authorization attributes for v1.0 credentials from the issuing Registry/AIM for the
+ * verified `agentId` rather than the presented blob.
+ */
+/** Legacy schema version: signs the 11-field pipe string (Go quirk, replicated). */
+export declare const SUPPORTED_ATX_VERSION = "1.0";
+/**
+ * ATX v1.1: signs JCS(TBS) (RFC 8785) per atx-spec core.md §1.3a.2, bringing
+ * capabilities, scanSummary, issuerChain, publisher, and behavioralProfile under
+ * the signature. Verified here using the same canonicalizer (erdtman/canonicalize)
+ * and the same TBS projection the registry and conformance verifiers use; byte
+ * agreement is proven by atx-conformance/jcs-vectors.
+ */
+export declare const SUPPORTED_ATX_VERSION_V11 = "1.1";
+/** A signature reference on an ATX. */
+export interface AtxSignature {
+    keyId?: string;
+    algorithm: 'Ed25519' | 'ML-DSA-65' | string;
+    /** base64-encoded signature value. */
+    value: string;
+}
+/** The ATX credential (subset used for verification + context derivation). */
+export interface Atx {
+    atcVersion?: string;
+    agentId: string;
+    agentDid: string;
+    /** Publisher identity. Unsigned under v1.0; covered by the v1.1 signature. */
+    publisher?: string;
+    publisherDid?: string;
+    version: string;
+    contentHash: string;
+    buildAttestation?: string;
+    issuerDid: string;
+    issuerChain?: string[];
+    trustLevel: number;
+    trustScore: number;
+    issuedAt: string;
+    expiresAt: string;
+    capabilities?: string[];
+    /** Observed-behavior summary. Covered by the v1.1 signature. */
+    behavioralProfile?: {
+        checksum?: string;
+        generatedAt?: string;
+        observationDays?: number;
+    } | null;
+    scanSummary?: {
+        oasbLevel?: string;
+        [k: string]: unknown;
+    };
+    /** Optional, optional-to-ignore jurisdiction claim (AAP §9). */
+    jurisdiction?: string[];
+    revoked?: boolean;
+    signatures: AtxSignature[];
+}
+/** A public key the verifier trusts, keyed by algorithm. */
+export interface AtxPublicKey {
+    algorithm: 'Ed25519' | 'ML-DSA-65' | string;
+    /** hex-encoded raw public key (32 bytes for Ed25519). */
+    publicKeyHex: string;
+}
+/** Trust anchors the verifier evaluates against (in production: fetched from AIM/Registry). */
+export interface AtxTrustAnchors {
+    trustedIssuers: string[];
+    publicKeys: AtxPublicKey[];
+    /** Cached, federated CRL. Revocation rides entirely on the ATX + CRL (AAP §6). */
+    crl?: {
+        entries: Array<{
+            agentId: string;
+            reason?: string;
+        }>;
+    };
+    /** Clock source (injectable for tests). Defaults to wall clock. */
+    now?: () => Date;
+}
+export type RejectCategory = 'UNSUPPORTED_VERSION' | 'EXPIRED' | 'REVOKED' | 'UNTRUSTED_ISSUER' | 'SIGNATURE_INVALID' | 'MALFORMED';
+/** Context the broker derives from a *verified* ATX. Contains no backend information. */
+export interface ResolutionContext {
+    agentId: string;
+    agentDid: string;
+    issuerDid: string;
+    issuerChain: string[];
+    trustLevel: number;
+    trustScore: number;
+    capabilities: string[];
+    oasbLevel?: string;
+    jurisdiction?: string[];
+    /**
+     * True when the credential is v1.1+, i.e. capabilities/scanSummary/issuerChain
+     * are covered by the signature and may be trusted for authorization. False for
+     * v1.0, where those fields are forgeable by the holder. Phase 3 of the ATX v1.1
+     * rollout gates capability-based grants on this.
+     */
+    signedCapabilities: boolean;
+}
+export interface AtxVerificationResult {
+    valid: boolean;
+    /** Present when valid: the context the broker resolves against. */
+    context?: ResolutionContext;
+    /** Present when invalid. */
+    rejectCategory?: RejectCategory;
+    reason?: string;
+    /** Whether an ML-DSA-65 signature was present (and therefore delegated, not skipped silently). */
+    mldsaPresent?: boolean;
+}
+/** The verification interface. Lets the broker swap a local verifier for an AIM-backed one. */
+export interface AtxVerifier {
+    verify(atx: Atx): AtxVerificationResult;
+}
+/**
+ * Local ATX verifier. Cryptographically real (Ed25519) and interoperable with the
+ * conformance fixtures; trust anchors are injected. The production counterpart
+ * (`RegistryAtxVerifier`, a seam for a later pass) fetches `trustedIssuers`,
+ * `publicKeys`, and the `crl` from AIM's verification endpoint and adds ML-DSA-65.
+ */
+export declare class LocalAtxVerifier implements AtxVerifier {
+    private readonly anchors;
+    constructor(anchors: AtxTrustAnchors);
+    verify(atx: Atx): AtxVerificationResult;
+}
+/**
+ * Mirror of `opena2a-registry/pkg/atcverify/verify.go canonicalPayload()`:
+ *   fmt.Sprintf("%s|%s|%s|%s|%s|%s|%d|%.6f|%s|%s|%s", ...)
+ * with atxVersion hardcoded to "1.0".
+ */
+export declare function canonicalPayload(atx: Atx): Buffer;
+/**
+ * Project an ATX into the v1.1 TBS and return JCS(TBS) (RFC 8785). Unlike
+ * canonicalPayload, this covers capabilities, scanSummary, issuerChain,
+ * publisher, and behavioralProfile. The projection (canonical empties,
+ * always-full scanSummary, %.6f string trustScore, root-first issuerChain) and
+ * the canonicalizer match opena2a-registry/pkg/atcverify and the conformance
+ * verifiers exactly; byte agreement is pinned by atx-conformance/jcs-vectors.
+ */
+export declare function canonicalPayloadV11(atx: Atx): Buffer;
+/** Normalize an RFC 3339 timestamp to UTC "YYYY-MM-DDTHH:MM:SSZ" (Go time.RFC3339 for UTC). */
+export declare function normalizeRfc3339(s: string): string;
+//# sourceMappingURL=atx.d.ts.map

package/dist/broker/atx.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atx.d.ts","sourceRoot":"","sources":["../../src/broker/atx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAKH,oFAAoF;AACpF,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAE3C;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,QAAQ,CAAC;AAE/C,uCAAuC;AACvC,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,SAAS,GAAG,WAAW,GAAG,MAAM,CAAC;IAC5C,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,8EAA8E;AAC9E,MAAM,WAAW,GAAG;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gEAAgE;IAChE,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACjG,WAAW,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC;IAC3D,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,YAAY,EAAE,CAAC;CAC5B;AAED,4DAA4D;AAC5D,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,SAAS,GAAG,WAAW,GAAG,MAAM,CAAC;IAC5C,yDAAyD;IACzD,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,+FAA+F;AAC/F,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,EAAE,YAAY,EAAE,CAAC;IAC3B,kFAAkF;IAClF,GAAG,CAAC,EAAE;QAAE,OAAO,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC;IAC/D,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;CAClB;AAED,MAAM,MAAM,cAAc,GACtB,qBAAqB,GACrB,SAAS,GACT,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,WAAW,CAAC;AAEhB,yFAAyF;AACzF,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;;OAKG;IACH,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,mEAAmE;IACnE,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,4BAA4B;IAC5B,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kGAAkG;IAClG,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,+FAA+F;AAC/F,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,GAAG,EAAE,GAAG,GAAG,qBAAqB,CAAC;CACzC;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,WAAW;IACtC,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,eAAe;IAErD,MAAM,CAAC,GAAG,EAAE,GAAG,GAAG,qBAAqB;CAqGxC;AAMD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAejD;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAkCpD;AAwBD,+FAA+F;AAC/F,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAMlD"}

package/dist/broker/atx.js

@@ -0,0 +1,308 @@
+"use strict";
+/**
+ * ATX (Agent Trust eXtension) verification — the subject-claim check the broker
+ * runs before resolving any grant. AAP §6 step 2.
+ *
+ * The ATX is the signed, portable credential defined by ATP/ATX that states what an
+ * agent *is*. AAP does not redefine it; this verifier mirrors the OpenA2A reference
+ * verifier (`atx-conformance/verifiers/python/verify.py`, itself a port of
+ * `opena2a-registry/pkg/atcverify/verify.go canonicalPayload()`) VERBATIM so a broker
+ * accepts exactly the credentials the conformance suite accepts.
+ *
+ * (ATX is the current name for the credential formerly called ATC; fixtures use the
+ * `atcVersion` field. This verifier dual-supports both signing forms.)
+ *
+ * Scope: Ed25519 is verified fully. ML-DSA-65 presence is recorded but verification is
+ * delegated — Node's stdlib has no ML-DSA, exactly as the Python reference verifier
+ * skips it. Production wires the post-quantum half + the live trusted-issuer/CRL anchors
+ * to AIM's verification path (see AtxVerifier / RegistryAtxVerifier seam below).
+ *
+ * SECURITY — signature coverage depends on atcVersion:
+ *  - v1.0 (canonicalPayload): the pipe-delimited string covers identity, issuer,
+ *    trustLevel, trustScore, contentHash, buildAttestation, and the validity window.
+ *    It does NOT cover `capabilities`, `scanSummary.oasbLevel`, `issuerChain`, or
+ *    `jurisdiction`. A holder of any validly-signed v1.0 ATX can edit those without
+ *    invalidating the signature, so they MUST NOT be trusted for authorization.
+ *  - v1.1 (canonicalPayloadV11): the signature covers JCS(TBS), which includes
+ *    `capabilities`, `scanSummary`, `issuerChain`, and `publisher`. Those fields are
+ *    integrity-protected and safe to authorize on.
+ *
+ * The verified context exposes `signedCapabilities` (true iff v1.1) so callers can tell
+ * the two apart. Phase 3 of the ATX v1.1 rollout adds a `requireSignedCapabilities`
+ * grant-policy flag that refuses capability-gated grants whose context has
+ * `signedCapabilities === false`. Until then a production verifier still SHOULD source
+ * authorization attributes for v1.0 credentials from the issuing Registry/AIM for the
+ * verified `agentId` rather than the presented blob.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalAtxVerifier = exports.SUPPORTED_ATX_VERSION_V11 = exports.SUPPORTED_ATX_VERSION = void 0;
+exports.canonicalPayload = canonicalPayload;
+exports.canonicalPayloadV11 = canonicalPayloadV11;
+exports.normalizeRfc3339 = normalizeRfc3339;
+const crypto = __importStar(require("crypto"));
+const canonicalize_1 = __importDefault(require("canonicalize"));
+/** Legacy schema version: signs the 11-field pipe string (Go quirk, replicated). */
+exports.SUPPORTED_ATX_VERSION = '1.0';
+/**
+ * ATX v1.1: signs JCS(TBS) (RFC 8785) per atx-spec core.md §1.3a.2, bringing
+ * capabilities, scanSummary, issuerChain, publisher, and behavioralProfile under
+ * the signature. Verified here using the same canonicalizer (erdtman/canonicalize)
+ * and the same TBS projection the registry and conformance verifiers use; byte
+ * agreement is proven by atx-conformance/jcs-vectors.
+ */
+exports.SUPPORTED_ATX_VERSION_V11 = '1.1';
+/**
+ * Local ATX verifier. Cryptographically real (Ed25519) and interoperable with the
+ * conformance fixtures; trust anchors are injected. The production counterpart
+ * (`RegistryAtxVerifier`, a seam for a later pass) fetches `trustedIssuers`,
+ * `publicKeys`, and the `crl` from AIM's verification endpoint and adds ML-DSA-65.
+ */
+class LocalAtxVerifier {
+    constructor(anchors) {
+        this.anchors = anchors;
+    }
+    verify(atx) {
+        const now = (this.anchors.now ?? (() => new Date()))();
+        // Step 1: schema version. Dispatch on atcVersion: "1.0" verifies the legacy
+        // pipe form, "1.1" verifies JCS(TBS) (atx-spec §1.3a).
+        if (atx.atcVersion !== exports.SUPPORTED_ATX_VERSION && atx.atcVersion !== exports.SUPPORTED_ATX_VERSION_V11) {
+            return reject('UNSUPPORTED_VERSION', `unsupported atxVersion ${String(atx.atcVersion)}`);
+        }
+        const isV11 = atx.atcVersion === exports.SUPPORTED_ATX_VERSION_V11;
+        // Step 2: expiry.
+        const expires = new Date(atx.expiresAt);
+        if (Number.isNaN(expires.getTime())) {
+            return reject('MALFORMED', 'expiresAt is not a valid timestamp');
+        }
+        if (now.getTime() > expires.getTime()) {
+            return reject('EXPIRED', `expired at ${normalizeRfc3339(atx.expiresAt)}`);
+        }
+        // Step 3: revocation (ATX field + federated CRL).
+        if (atx.revoked) {
+            return reject('REVOKED', 'credential revoked field is true');
+        }
+        for (const entry of this.anchors.crl?.entries ?? []) {
+            if (entry.agentId === atx.agentId) {
+                return reject('REVOKED', `agent appears on CRL: ${entry.reason ?? ''}`);
+            }
+        }
+        // Step 4: issuer trust.
+        if (!this.anchors.trustedIssuers.includes(atx.issuerDid)) {
+            return reject('UNTRUSTED_ISSUER', `issuer DID ${atx.issuerDid} is not trusted`);
+        }
+        // Step 5: signature verification (Ed25519 fully; ML-DSA-65 presence recorded).
+        // A v1.1 TBS that fails to canonicalize is a malformed credential, not a
+        // verifier error: reject closed rather than throwing.
+        let payload;
+        if (isV11) {
+            try {
+                payload = canonicalPayloadV11(atx);
+            }
+            catch (err) {
+                return reject('MALFORMED', `v1.1 canonicalization failed: ${err.message}`);
+            }
+        }
+        else {
+            payload = canonicalPayload(atx);
+        }
+        const edKeys = this.anchors.publicKeys
+            .filter((k) => k.algorithm === 'Ed25519')
+            .map((k) => ed25519FromRawHex(k.publicKeyHex))
+            .filter((k) => k !== null);
+        let edVerified = false;
+        let mldsaPresent = false;
+        for (const sig of atx.signatures ?? []) {
+            if (sig.algorithm === 'Ed25519') {
+                let sigBytes;
+                try {
+                    sigBytes = Buffer.from(sig.value, 'base64');
+                }
+                catch {
+                    return reject('SIGNATURE_INVALID', `signature ${sig.keyId ?? ''} has invalid base64`);
+                }
+                const ok = edKeys.some((key) => {
+                    try {
+                        return crypto.verify(null, payload, key, sigBytes);
+                    }
+                    catch {
+                        return false;
+                    }
+                });
+                if (!ok) {
+                    return reject('SIGNATURE_INVALID', `Ed25519 signature ${sig.keyId ?? ''} did not verify`);
+                }
+                edVerified = true;
+            }
+            else if (sig.algorithm === 'ML-DSA-65') {
+                // Presence recorded; PQC verification delegated (see module docstring). Not silently skipped.
+                mldsaPresent = true;
+            }
+        }
+        if (!edVerified) {
+            return reject('SIGNATURE_INVALID', 'no Ed25519 signature verified');
+        }
+        return {
+            valid: true,
+            mldsaPresent,
+            context: {
+                agentId: atx.agentId,
+                agentDid: atx.agentDid,
+                issuerDid: atx.issuerDid,
+                issuerChain: atx.issuerChain ?? [atx.issuerDid],
+                trustLevel: atx.trustLevel,
+                trustScore: atx.trustScore,
+                capabilities: atx.capabilities ?? [],
+                oasbLevel: atx.scanSummary?.oasbLevel,
+                jurisdiction: atx.jurisdiction,
+                signedCapabilities: isV11,
+            },
+        };
+    }
+}
+exports.LocalAtxVerifier = LocalAtxVerifier;
+function reject(rejectCategory, reason) {
+    return { valid: false, rejectCategory, reason };
+}
+/**
+ * Mirror of `opena2a-registry/pkg/atcverify/verify.go canonicalPayload()`:
+ *   fmt.Sprintf("%s|%s|%s|%s|%s|%s|%d|%.6f|%s|%s|%s", ...)
+ * with atxVersion hardcoded to "1.0".
+ */
+function canonicalPayload(atx) {
+    const fields = [
+        atx.agentId,
+        atx.agentDid,
+        atx.version,
+        atx.contentHash,
+        atx.buildAttestation ?? '',
+        atx.issuerDid,
+        String(Math.trunc(atx.trustLevel)),
+        Number(atx.trustScore).toFixed(6),
+        normalizeRfc3339(atx.issuedAt),
+        normalizeRfc3339(atx.expiresAt),
+        exports.SUPPORTED_ATX_VERSION,
+    ];
+    return Buffer.from(fields.join('|'), 'utf-8');
+}
+/**
+ * Project an ATX into the v1.1 TBS and return JCS(TBS) (RFC 8785). Unlike
+ * canonicalPayload, this covers capabilities, scanSummary, issuerChain,
+ * publisher, and behavioralProfile. The projection (canonical empties,
+ * always-full scanSummary, %.6f string trustScore, root-first issuerChain) and
+ * the canonicalizer match opena2a-registry/pkg/atcverify and the conformance
+ * verifiers exactly; byte agreement is pinned by atx-conformance/jcs-vectors.
+ */
+function canonicalPayloadV11(atx) {
+    const scan = (atx.scanSummary ?? {});
+    const tbs = {
+        atcVersion: atx.atcVersion,
+        agentId: atx.agentId,
+        agentDid: atx.agentDid,
+        publisher: atx.publisher ?? '',
+        publisherDid: atx.publisherDid ?? '',
+        version: atx.version,
+        contentHash: atx.contentHash,
+        buildAttestation: atx.buildAttestation ?? '',
+        capabilities: atx.capabilities ?? [],
+        behavioralProfile: projectBehavioralProfile(atx.behavioralProfile),
+        scanSummary: {
+            hma: asString(scan.hma),
+            criticalFindings: asInt(scan.criticalFindings),
+            highFindings: asInt(scan.highFindings),
+            secretless: asString(scan.secretless),
+            cryptoServe: asString(scan.cryptoServe),
+            oasbLevel: asString(scan.oasbLevel),
+        },
+        // trustScore is the %.6f string form so trustLevel is the only JSON number.
+        trustScore: Number(atx.trustScore).toFixed(6),
+        trustLevel: Math.trunc(atx.trustLevel),
+        issuedAt: normalizeRfc3339(atx.issuedAt),
+        expiresAt: normalizeRfc3339(atx.expiresAt),
+        issuerDid: atx.issuerDid,
+        issuerChain: atx.issuerChain ?? [],
+    };
+    const canonical = (0, canonicalize_1.default)(tbs);
+    if (typeof canonical !== 'string') {
+        throw new Error('canonicalize returned non-string');
+    }
+    return Buffer.from(canonical, 'utf-8');
+}
+/** behavioralProfile -> null when absent, else the canonical three-field object. */
+function projectBehavioralProfile(bp) {
+    if (bp === null || bp === undefined) {
+        return null;
+    }
+    return {
+        checksum: asString(bp.checksum),
+        generatedAt: bp.generatedAt ? normalizeRfc3339(bp.generatedAt) : '',
+        observationDays: asInt(bp.observationDays),
+    };
+}
+function asString(v) {
+    return typeof v === 'string' ? v : '';
+}
+function asInt(v) {
+    return typeof v === 'number' && Number.isFinite(v) ? Math.trunc(v) : 0;
+}
+/** Normalize an RFC 3339 timestamp to UTC "YYYY-MM-DDTHH:MM:SSZ" (Go time.RFC3339 for UTC). */
+function normalizeRfc3339(s) {
+    const dt = new Date(s);
+    if (Number.isNaN(dt.getTime())) {
+        throw new Error(`invalid RFC 3339 timestamp: ${s}`);
+    }
+    return dt.toISOString().replace(/\.\d{3}Z$/, 'Z');
+}
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+/** Build a Node KeyObject from a raw 32-byte Ed25519 public key (hex). */
+function ed25519FromRawHex(hex) {
+    const raw = Buffer.from(hex, 'hex');
+    if (raw.length !== 32)
+        return null;
+    try {
+        return crypto.createPublicKey({
+            key: Buffer.concat([ED25519_SPKI_PREFIX, raw]),
+            format: 'der',
+            type: 'spki',
+        });
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=atx.js.map

package/dist/broker/atx.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atx.js","sourceRoot":"","sources":["../../src/broker/atx.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0OH,4CAeC;AAUD,kDAkCC;AAyBD,4CAMC;AAlUD,+CAAiC;AACjC,gEAAwC;AAExC,oFAAoF;AACvE,QAAA,qBAAqB,GAAG,KAAK,CAAC;AAE3C;;;;;;GAMG;AACU,QAAA,yBAAyB,GAAG,KAAK,CAAC;AAkG/C;;;;;GAKG;AACH,MAAa,gBAAgB;IAC3B,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;IAAG,CAAC;IAEzD,MAAM,CAAC,GAAQ;QACb,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;QAEvD,4EAA4E;QAC5E,uDAAuD;QACvD,IAAI,GAAG,CAAC,UAAU,KAAK,6BAAqB,IAAI,GAAG,CAAC,UAAU,KAAK,iCAAyB,EAAE,CAAC;YAC7F,OAAO,MAAM,CAAC,qBAAqB,EAAE,0BAA0B,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QAC3F,CAAC;QACD,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,KAAK,iCAAyB,CAAC;QAE3D,kBAAkB;QAClB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACpC,OAAO,MAAM,CAAC,WAAW,EAAE,oCAAoC,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YACtC,OAAO,MAAM,CAAC,SAAS,EAAE,cAAc,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,kDAAkD;QAClD,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC,SAAS,EAAE,kCAAkC,CAAC,CAAC;QAC/D,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC;YACpD,IAAI,KAAK,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC;gBAClC,OAAO,MAAM,CAAC,SAAS,EAAE,yBAAyB,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,OAAO,MAAM,CAAC,kBAAkB,EAAE,cAAc,GAAG,CAAC,SAAS,iBAAiB,CAAC,CAAC;QAClF,CAAC;QAED,+EAA+E;QAC/E,yEAAyE;QACzE,sDAAsD;QACtD,IAAI,OAAe,CAAC;QACpB,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC;gBACH,OAAO,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,MAAM,CAAC,WAAW,EAAE,iCAAkC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACxF,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU;aACnC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC;aACxC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;aAC7C,MAAM,CAAC,CAAC,CAAC,EAAyB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAEpD,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;YACvC,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBAChC,IAAI,QAAgB,CAAC;gBACrB,IAAI,CAAC;oBACH,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBAC9C,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,MAAM,CAAC,mBAAmB,EAAE,aAAa,GAAG,CAAC,KAAK,IAAI,EAAE,qBAAqB,CAAC,CAAC;gBACxF,CAAC;gBACD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;oBAC7B,IAAI,CAAC;wBACH,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;oBACrD,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO,KAAK,CAAC;oBACf,CAAC;gBACH,CAAC,CAAC,CAAC;gBACH,IAAI,CAAC,EAAE,EAAE,CAAC;oBACR,OAAO,MAAM,CAAC,mBAAmB,EAAE,qBAAqB,GAAG,CAAC,KAAK,IAAI,EAAE,iBAAiB,CAAC,CAAC;gBAC5F,CAAC;gBACD,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;iBAAM,IAAI,GAAG,CAAC,SAAS,KAAK,WAAW,EAAE,CAAC;gBACzC,8FAA8F;gBAC9F,YAAY,GAAG,IAAI,CAAC;YACtB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC,mBAAmB,EAAE,+BAA+B,CAAC,CAAC;QACtE,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,YAAY;YACZ,OAAO,EAAE;gBACP,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,WAAW,EAAE,GAAG,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBAC/C,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,YAAY,EAAE,GAAG,CAAC,YAAY,IAAI,EAAE;gBACpC,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE,SAAS;gBACrC,YAAY,EAAE,GAAG,CAAC,YAAY;gBAC9B,kBAAkB,EAAE,KAAK;aAC1B;SACF,CAAC;IACJ,CAAC;CACF;AAxGD,4CAwGC;AAED,SAAS,MAAM,CAAC,cAA8B,EAAE,MAAc;IAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC;AAClD,CAAC;AAED;;;;GAIG;AACH,SAAgB,gBAAgB,CAAC,GAAQ;IACvC,MAAM,MAAM,GAAG;QACb,GAAG,CAAC,OAAO;QACX,GAAG,CAAC,QAAQ;QACZ,GAAG,CAAC,OAAO;QACX,GAAG,CAAC,WAAW;QACf,GAAG,CAAC,gBAAgB,IAAI,EAAE;QAC1B,GAAG,CAAC,SAAS;QACb,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC9B,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC;QAC/B,6BAAqB;KACtB,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CAAC,GAAQ;IAC1C,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAA4B,CAAC;IAChE,MAAM,GAAG,GAA4B;QACnC,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,EAAE;QAC9B,YAAY,EAAE,GAAG,CAAC,YAAY,IAAI,EAAE;QACpC,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,gBAAgB,EAAE,GAAG,CAAC,gBAAgB,IAAI,EAAE;QAC5C,YAAY,EAAE,GAAG,CAAC,YAAY,IAAI,EAAE;QACpC,iBAAiB,EAAE,wBAAwB,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAClE,WAAW,EAAE;YACX,GAAG,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC;YAC9C,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC;YACtC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YACrC,WAAW,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC;YACvC,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;SACpC;QACD,4EAA4E;QAC5E,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7C,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC;QACtC,QAAQ,EAAE,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC;QACxC,SAAS,EAAE,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC;QAC1C,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,WAAW,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE;KACnC,CAAC;IACF,MAAM,SAAS,GAAG,IAAA,sBAAY,EAAC,GAAG,CAAC,CAAC;IACpC,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;AACzC,CAAC;AAED,oFAAoF;AACpF,SAAS,wBAAwB,CAC/B,EAA4B;IAE5B,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,QAAQ,CAAC;QAC/B,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE;QACnE,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,KAAK,CAAC,CAAU;IACvB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,+FAA+F;AAC/F,SAAgB,gBAAgB,CAAC,CAAS;IACxC,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;AAE3E,0EAA0E;AAC1E,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACpC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,eAAe,CAAC;YAC5B,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;YAC9C,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,MAAM;SACb,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/broker/cpi/assertion.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Broker assertion minting — the broker as its own identity provider (AAP Broker Profile §11).
+ *
+ * In AAP token-model terms (AAP-SPEC.md), the assertion minted here IS a Capability Grant Token
+ * (CGT) / Delegation Assertion (DA): a short-lived, scoped authorization derived from the verified
+ * ATX (which the Agent Identity Token references) and used as the RFC 8693 subject token.
+ *
+ * For Assume and Exchange, the broker mints a short-lived assertion whose claims derive
+ * from the *verified* ATX, signed with the broker's own signing key. The downstream
+ * (STS for Assume, authorization server for Exchange) is configured once to trust the
+ * broker's IdP via its published public key — the broker holds no standing secret to any
+ * backend, only this one rotating key.
+ *
+ * The assertion is a compact EdDSA JWT. The SAME assertion a broker mints for its own
+ * agents is what a peer broker will verify for a foreign agent in v2 federation — which
+ * is why the claims carry the ATX issuer chain and trust level, not just a subject.
+ */
+import * as crypto from 'crypto';
+import type { ResolutionContext } from '../atx';
+import type { ResourceBinding } from './types';
+/**
+ * The broker's IdP signing key. In production this is the existing short-lived delegated
+ * signing key (30-day default) and it ROTATES; only the public half is published on the
+ * operator's own domain. Here it is an Ed25519 key pair the broker holds in memory.
+ */
+export interface BrokerSigningKey {
+    /** Key id published in the broker's discovery document; lands in the JWT header `kid`. */
+    kid: string;
+    /** Ed25519 private key (Node KeyObject). */
+    privateKey: crypto.KeyObject;
+    /** Issuer identifier for the broker IdP (e.g. the operator's broker URL). */
+    issuer: string;
+}
+/** Generate a fresh Ed25519 broker signing key (rotation produces a new one). */
+export declare function generateBrokerSigningKey(issuer: string, kid: string): BrokerSigningKey;
+/**
+ * Mint a broker assertion (compact EdDSA JWT) from a verified-ATX context and a binding.
+ *
+ * Claims are derived ONLY from the verified ATX and the local binding — never from
+ * agent-supplied input. `nowSeconds` is injectable for deterministic tests.
+ */
+export declare function mintBrokerAssertion(ctx: ResolutionContext, binding: ResourceBinding, key: BrokerSigningKey, nowSeconds?: number): string;
+/** Export the public half as a JWK for the broker's discovery document (operator's domain). */
+export declare function brokerPublicJwk(key: BrokerSigningKey): Record<string, unknown>;
+//# sourceMappingURL=assertion.d.ts.map

package/dist/broker/cpi/assertion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assertion.d.ts","sourceRoot":"","sources":["../../../src/broker/cpi/assertion.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAE/C;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0FAA0F;IAC1F,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,UAAU,EAAE,MAAM,CAAC,SAAS,CAAC;IAC7B,6EAA6E;IAC7E,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAGtF;AAMD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,iBAAiB,EACtB,OAAO,EAAE,eAAe,EACxB,GAAG,EAAE,gBAAgB,EACrB,UAAU,GAAE,MAAsC,GACjD,MAAM,CAkBR;AAED,+FAA+F;AAC/F,wBAAgB,eAAe,CAAC,GAAG,EAAE,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAI9E"}

package/dist/broker/cpi/assertion.js

@@ -0,0 +1,96 @@
+"use strict";
+/**
+ * Broker assertion minting — the broker as its own identity provider (AAP Broker Profile §11).
+ *
+ * In AAP token-model terms (AAP-SPEC.md), the assertion minted here IS a Capability Grant Token
+ * (CGT) / Delegation Assertion (DA): a short-lived, scoped authorization derived from the verified
+ * ATX (which the Agent Identity Token references) and used as the RFC 8693 subject token.
+ *
+ * For Assume and Exchange, the broker mints a short-lived assertion whose claims derive
+ * from the *verified* ATX, signed with the broker's own signing key. The downstream
+ * (STS for Assume, authorization server for Exchange) is configured once to trust the
+ * broker's IdP via its published public key — the broker holds no standing secret to any
+ * backend, only this one rotating key.
+ *
+ * The assertion is a compact EdDSA JWT. The SAME assertion a broker mints for its own
+ * agents is what a peer broker will verify for a foreign agent in v2 federation — which
+ * is why the claims carry the ATX issuer chain and trust level, not just a subject.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateBrokerSigningKey = generateBrokerSigningKey;
+exports.mintBrokerAssertion = mintBrokerAssertion;
+exports.brokerPublicJwk = brokerPublicJwk;
+const crypto = __importStar(require("crypto"));
+/** Generate a fresh Ed25519 broker signing key (rotation produces a new one). */
+function generateBrokerSigningKey(issuer, kid) {
+    const { privateKey } = crypto.generateKeyPairSync('ed25519');
+    return { kid, privateKey, issuer };
+}
+function base64url(input) {
+    return Buffer.from(input).toString('base64url');
+}
+/**
+ * Mint a broker assertion (compact EdDSA JWT) from a verified-ATX context and a binding.
+ *
+ * Claims are derived ONLY from the verified ATX and the local binding — never from
+ * agent-supplied input. `nowSeconds` is injectable for deterministic tests.
+ */
+function mintBrokerAssertion(ctx, binding, key, nowSeconds = Math.floor(Date.now() / 1000)) {
+    const header = { alg: 'EdDSA', typ: 'JWT', kid: key.kid };
+    const claims = {
+        iss: key.issuer,
+        sub: ctx.agentDid,
+        aud: binding.audience,
+        scope: binding.scope,
+        // Federation attributes carried for v2 cross-broker verification (AAP §7, §11).
+        trust_class: binding.scope,
+        issuer_chain: ctx.issuerChain,
+        trust_level: ctx.trustLevel,
+        iat: nowSeconds,
+        exp: nowSeconds + binding.ttlSeconds,
+        jti: crypto.randomBytes(16).toString('hex'),
+    };
+    const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(claims))}`;
+    const signature = crypto.sign(null, Buffer.from(signingInput), key.privateKey);
+    return `${signingInput}.${base64url(signature)}`;
+}
+/** Export the public half as a JWK for the broker's discovery document (operator's domain). */
+function brokerPublicJwk(key) {
+    const pub = crypto.createPublicKey(key.privateKey);
+    const jwk = pub.export({ format: 'jwk' });
+    return { ...jwk, kid: key.kid, use: 'sig', alg: 'EdDSA' };
+}
+//# sourceMappingURL=assertion.js.map

package/dist/broker/cpi/assertion.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assertion.js","sourceRoot":"","sources":["../../../src/broker/cpi/assertion.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqBH,4DAGC;AAYD,kDAuBC;AAGD,0CAIC;AAhED,+CAAiC;AAkBjC,iFAAiF;AACjF,SAAgB,wBAAwB,CAAC,MAAc,EAAE,GAAW;IAClE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAC7D,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,SAAS,CAAC,KAAsB;IACvC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,mBAAmB,CACjC,GAAsB,EACtB,OAAwB,EACxB,GAAqB,EACrB,aAAqB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAElD,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;IAC1D,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,GAAG,CAAC,MAAM;QACf,GAAG,EAAE,GAAG,CAAC,QAAQ;QACjB,GAAG,EAAE,OAAO,CAAC,QAAQ;QACrB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,gFAAgF;QAChF,WAAW,EAAE,OAAO,CAAC,KAAK;QAC1B,YAAY,EAAE,GAAG,CAAC,WAAW;QAC7B,WAAW,EAAE,GAAG,CAAC,UAAU;QAC3B,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU;QACpC,GAAG,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;KAC5C,CAAC;IACF,MAAM,YAAY,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;IACjG,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/E,OAAO,GAAG,YAAY,IAAI,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;AACnD,CAAC;AAED,+FAA+F;AAC/F,SAAgB,eAAe,CAAC,GAAqB;IACnD,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAA4B,CAAC;IACrE,OAAO,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AAC5D,CAAC"}