vestauth 0.1.13 → 0.1.18

package/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.1.0...main)
+
+## [0.1.3](https://github.com/dotenvx/dotenvx-ops/compare/v0.1.0...v0.1.1) (2026-01-17)
+
+### Changed
+
+* TBD

package/LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2026, Scott Motte
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "vestauth",
-  "version": "0.1.13",
-  "description": "vestauth",
+  "version": "0.1.18",
+  "description": "auth for agents",
   "keywords": [
     "vestauth"
   ],
@@ -16,6 +16,16 @@
   ],
   "license": "BSD-3-Clause",
   "main": "src/lib/main.js",
+  "exports": {
+    ".": {
+      "require": "./src/lib/main.js",
+      "default": "./src/lib/main.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "bin": {
+    "vestauth": "./src/cli/vestauth.js"
+  },
   "author": "@motdotla",
   "type": "commonjs",
   "scripts": {
@@ -23,17 +33,23 @@
     "standard:fix": "standard --fix",
     "test": "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
     "test-coverage": "tap run --show-full-coverage --timeout=60000",
-    "testshell": "bash shellspec",
-    "prerelease": "npm test && npm run testshell",
+    "prerelease": "npm test",
     "release": "standard-version"
   },
   "dependencies": {
     "@noble/hashes": "^1.8.0",
-    "@noble/secp256k1": "^3.0.0",
+    "@noble/secp256k1": "^1.7.2",
+    "commander": "^11.1.0",
     "eciesjs": "^0.4.16"
   },
   "devDependencies": {
+    "@yao-pkg/pkg": "^5.14.2",
+    "capture-console": "^1.0.2",
+    "esbuild": "^0.25.8",
+    "proxyquire": "^2.1.3",
+    "sinon": "^14.0.1",
     "standard": "^17.1.0",
-    "standard-version": "^9.5.0"
+    "standard-version": "^9.5.0",
+    "tap": "^21.0.1"
   }
 }

package/src/cli/actions/challenge.js

@@ -0,0 +1,23 @@
+const { logger } = require('./../../shared/logger')
+
+const main = require('./../../lib/main')
+
+function challenge () {
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const chal = main.challenge()
+
+  const output = {
+    callenge: chal
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = challenge

package/src/cli/actions/hash.js

@@ -0,0 +1,26 @@
+const { logger } = require('./../../shared/logger')
+
+const main = require('./../../lib/main')
+
+function hash (message) {
+  logger.debug(`message: ${message}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const hashMessage = main.hash(message)
+  const hashBase64Url = Buffer.from(hashMessage).toString('base64url')
+
+  const output = {
+    hash: hashBase64Url
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = hash

package/src/cli/actions/keypair.js

@@ -0,0 +1,24 @@
+const { logger } = require('./../../shared/logger')
+
+const main = require('./../../lib/main')
+
+function keypair (existingPrivateKey) {
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const kp = main.keypair(existingPrivateKey)
+
+  const output = {
+    public_key: kp.publicKey,
+    private_key: kp.privateKey
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = keypair

package/src/cli/actions/sign.js

@@ -0,0 +1,26 @@
+const { logger } = require('./../../shared/logger')
+
+const main = require('./../../lib/main')
+
+async function sign (challenge, privateKeyHex) {
+  logger.debug(`challenge: ${challenge}`)
+  logger.debug(`privateKey: ${privateKeyHex}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const signature = await main.sign(challenge, privateKeyHex)
+
+  const output = {
+    signature
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = sign

package/src/cli/actions/verify.js

@@ -0,0 +1,28 @@
+const { logger } = require('./../../shared/logger')
+
+const main = require('./../../lib/main')
+
+async function verify (challenge, signatureBase64, publicKeyHex) {
+  logger.debug(`challenge: ${challenge}`)
+  logger.debug(`signature: ${signatureBase64}`)
+  logger.debug(`publicKey: ${publicKeyHex}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const success = main.verify(challenge, signatureBase64, publicKeyHex)
+
+  const output = {
+    success,
+    public_key: publicKeyHex
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = verify

package/src/cli/vestauth.js

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+
+/* c8 ignore start */
+const { Command } = require('commander')
+const program = new Command()
+
+const { setLogLevel, logger } = require('../shared/logger')
+const packageJson = require('./../lib/helpers/packageJson')
+const Errors = require('./../lib/helpers/errors')
+const getCommanderVersion = require('./../lib/helpers/getCommanderVersion')
+
+// surface hoisting problems
+const commanderVersion = getCommanderVersion()
+if (commanderVersion && parseInt(commanderVersion.split('.')[0], 10) >= 12) {
+  const message = `vestauth depends on commander@11.x.x but you are attempting to hoist commander@${commanderVersion}`
+  const error = new Errors({ message }).dangerousDependencyHoist()
+  logger.error(error.message)
+  if (error.help) logger.error(error.help)
+}
+
+// global log levels
+program
+  .usage('vestauth')
+  .option('-l, --log-level <level>', 'set log level', 'info')
+  .option('-q, --quiet', 'sets log level to error')
+  .option('-v, --verbose', 'sets log level to verbose')
+  .option('-d, --debug', 'sets log level to debug')
+  .hook('preAction', (thisCommand, actionCommand) => {
+    const options = thisCommand.opts()
+
+    setLogLevel(options)
+  })
+
+// cli
+program
+  .name('vestauth')
+  .description(packageJson.description)
+  .version(packageJson.version)
+  .allowUnknownOption()
+
+// vestauth challenge
+const challengeAction = require('./actions/challenge')
+program.command('challenge')
+  .description('generate challenge')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(challengeAction)
+
+// vestauth hash [message]
+const hashAction = require('./actions/hash')
+program.command('hash')
+  .description('hash message')
+  .argument('<message>', 'message string')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(hashAction)
+
+// vestauth keypair
+const keypairAction = require('./actions/keypair')
+program.command('keypair')
+  .description('generate public/private keypair')
+  .argument('[private_key]', 'pre-existing private key')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(keypairAction)
+
+// vestauth sign
+const signAction = require('./actions/sign')
+program.command('sign')
+  .description('sign challenge')
+  .argument('<challenge>', 'challenge (base64url)')
+  .argument('<privateKey>', 'private key (hex)')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(signAction)
+
+// vestauth verify
+const verifyAction = require('./actions/verify')
+program.command('verify')
+  .description('verify signature')
+  .argument('<challenge>', 'challenge (base64url)')
+  .argument('<signature>', 'signature (base64url)')
+  .argument('<publicKey>', 'public key (hex)')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(verifyAction)
+
+// vestauth help
+program.command('help [command]')
+  .description('display help for command')
+  .action((command) => {
+    if (command) {
+      const subCommand = program.commands.find(c => c.name() === command)
+      if (subCommand) {
+        subCommand.outputHelp()
+      } else {
+        program.outputHelp()
+      }
+    } else {
+      program.outputHelp()
+    }
+  })
+
+/* c8 ignore stop */
+
+program.parse(process.argv)

package/src/lib/helpers/colorDepth.js

@@ -0,0 +1,17 @@
+const { WriteStream } = require('tty')
+
+const getColorDepth = () => {
+  try {
+    return WriteStream.prototype.getColorDepth()
+  } catch (error) {
+    const term = process.env.TERM
+
+    if (term && (term.includes('256color') || term.includes('xterm'))) {
+      return 8 // 256 colors
+    }
+
+    return 4
+  }
+}
+
+module.exports = { getColorDepth }

package/src/lib/helpers/errors.js

@@ -0,0 +1,18 @@
+class Errors {
+  constructor (options = {}) {
+    this.message = options.message
+  }
+
+  dangerousDependencyHoist () {
+    const code = 'DANGEROUS_DEPENDENCY_HOIST'
+    const message = `[${code}] your environment has hoisted an incompatible version of a vestauth dependency: ${this.message}`
+    const help = `[${code}] https://github.com/vestauth/vestauth`
+
+    const e = new Error(message)
+    e.code = code
+    e.help = help
+    return e
+  }
+}
+
+module.exports = Errors

package/src/lib/helpers/getCommanderVersion.js

@@ -0,0 +1,10 @@
+const fs = require('fs')
+const path = require('path')
+
+function getCommanderVersion () {
+  const commanderMain = require.resolve('commander')
+  const pkgPath = path.join(commanderMain, '..', 'package.json')
+  return JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version
+}
+
+module.exports = getCommanderVersion

package/src/lib/helpers/hash.js

@@ -1,8 +1,8 @@
 const { sha256 } = require('@noble/hashes/sha2.js')
 const { utf8ToBytes } = require('@noble/hashes/utils.js')
 
-function hash (str = '') {
-  return sha256(utf8ToBytes(str))
+function hash (message = '') {
+  return sha256(utf8ToBytes(message))
 }
 
 module.exports = hash

package/src/lib/helpers/packageJson.js

@@ -0,0 +1,3 @@
+const { name, version, description } = require('../../../package.json')
+
+module.exports = { name, version, description }

package/src/lib/helpers/sign.js

@@ -1,15 +1,10 @@
-// import { sign, verify, getPublicKey } from '@noble/secp256k1'
 const secp = require('@noble/secp256k1')
-const { sha256 } = require('@noble/hashes/sha2.js')
-const { hmac } = require('@noble/hashes/hmac.js')
-secp.hashes.sha256 = sha256
-secp.hashes.hmacSha256 = (key, msg) => hmac(sha256, key, msg)
 const hash = require('./hash')
 
-function sign (challenge, privateKeyHex) {
+async function sign (challenge, privateKeyHex) {
   const hashChallenge = hash(challenge)
   const privateKeyBytes = Buffer.from(privateKeyHex, 'hex')
-  const signature = secp.sign(hashChallenge, privateKeyBytes)
+  const signature = await secp.sign(hashChallenge, privateKeyBytes)
 
   return Buffer.from(signature).toString('base64url') // base64 returned
 }

package/src/lib/helpers/truncate.js

@@ -0,0 +1,10 @@
+function truncate (str, showChar = 7) {
+  if (str && str.length > 0) {
+    const visiblePart = str.slice(0, showChar)
+    return visiblePart + '…'
+  } else {
+    return ''
+  }
+}
+
+module.exports = truncate

package/src/shared/colors.js

@@ -0,0 +1,54 @@
+const depth = require('../lib/helpers/colorDepth')
+
+const colors16 = new Map([
+  ['blue', 34],
+  ['gray', 37],
+  ['green', 32],
+  ['olive', 33],
+  ['orangered', 31], // mapped to red
+  ['plum', 35], // mapped to magenta
+  ['red', 31],
+  ['electricblue', 36],
+  ['dodgerblue', 36]
+])
+
+const colors256 = new Map([
+  ['blue', 21],
+  ['gray', 244],
+  ['green', 34],
+  ['olive', 142],
+  ['orangered', 202],
+  ['plum', 182],
+  ['red', 196],
+  ['electricblue', 45],
+  ['dodgerblue', 33]
+])
+
+function getColor (color) {
+  const colorDepth = depth.getColorDepth()
+  if (!colors256.has(color)) {
+    throw new Error(`Invalid color ${color}`)
+  }
+  if (colorDepth >= 8) {
+    const code = colors256.get(color)
+    return (message) => `\x1b[38;5;${code}m${message}\x1b[39m`
+  }
+  if (colorDepth >= 4) {
+    const code = colors16.get(color)
+    return (message) => `\x1b[${code}m${message}\x1b[39m`
+  }
+  return (message) => message
+}
+
+function bold (message) {
+  if (depth.getColorDepth() >= 4) {
+    return `\x1b[1m${message}\x1b[22m`
+  }
+
+  return message
+}
+
+module.exports = {
+  getColor,
+  bold
+}

package/src/shared/logger.js

@@ -0,0 +1,145 @@
+const packageJson = require('../lib/helpers/packageJson')
+const { getColor, bold } = require('./colors')
+
+const levels = {
+  error: 0,
+  warn: 1,
+  success: 2,
+  successv: 2,
+  info: 2,
+  help: 2,
+  verbose: 4,
+  debug: 5,
+  silly: 6
+}
+
+const error = (m) => bold(getColor('red')(m))
+const warn = getColor('orangered')
+const success = getColor('green')
+const successv = getColor('olive') // yellow-ish tint that 'looks' like dotenv
+const help = getColor('dodgerblue')
+const verbose = getColor('plum')
+const debug = getColor('plum')
+
+let currentLevel = levels.info // default log level
+let currentName = 'vestauth' // default logger name
+let currentVersion = packageJson.version // default logger version
+
+function stderr (level, message) {
+  const formattedMessage = formatMessage(level, message)
+  console.error(formattedMessage)
+}
+
+function stdout (level, message) {
+  if (levels[level] === undefined) {
+    throw new Error(`MISSING_LOG_LEVEL: '${level}'. implement in logger.`)
+  }
+
+  if (levels[level] <= currentLevel) {
+    const formattedMessage = formatMessage(level, message)
+    console.log(formattedMessage)
+  }
+}
+
+function formatMessage (level, message) {
+  const formattedMessage = typeof message === 'object' ? JSON.stringify(message) : message
+
+  switch (level.toLowerCase()) {
+    // errors
+    case 'error':
+      return error(formattedMessage)
+    // warns
+    case 'warn':
+      return warn(formattedMessage)
+    // successes
+    case 'success':
+      return success(formattedMessage)
+    case 'successv': // success with 'version'
+      return successv(`[${currentName}@${currentVersion}] ${formattedMessage}`)
+    // info
+    case 'info':
+      return formattedMessage
+    // help
+    case 'help':
+      return help(formattedMessage)
+    // verbose
+    case 'verbose':
+      return verbose(formattedMessage)
+    // debug
+    case 'debug':
+      return debug(formattedMessage)
+  }
+}
+
+const logger = {
+  // track level
+  level: 'info',
+
+  // errors
+  error: (msg) => stderr('error', msg),
+  // warns
+  warn: (msg) => stdout('warn', msg),
+  // success
+  success: (msg) => stdout('success', msg),
+  successv: (msg) => stdout('successv', msg),
+  // info
+  info: (msg) => stdout('info', msg),
+  // help
+  help: (msg) => stdout('help', msg),
+  // verbose
+  verbose: (msg) => stdout('verbose', msg),
+  // debug
+  debug: (msg) => stdout('debug', msg),
+  setLevel: (level) => {
+    if (levels[level] !== undefined) {
+      currentLevel = levels[level]
+      logger.level = level
+    }
+  },
+  setName: (name) => {
+    currentName = name
+    logger.name = name
+  },
+  setVersion: (version) => {
+    currentVersion = version
+    logger.version = version
+  }
+}
+
+function setLogLevel (options) {
+  const logLevel = options.debug
+    ? 'debug'
+    : options.verbose
+      ? 'verbose'
+      : options.quiet
+        ? 'error'
+        : options.logLevel
+
+  if (!logLevel) return
+  logger.setLevel(logLevel)
+  // Only log which level it's setting if it's not set to quiet mode
+  if (!options.quiet || (options.quiet && logLevel !== 'error')) {
+    logger.debug(`Setting log level to ${logLevel}`)
+  }
+}
+
+function setLogName (options) {
+  const logName = options.logName
+  if (!logName) return
+  logger.setName(logName)
+}
+
+function setLogVersion (options) {
+  const logVersion = options.logVersion
+  if (!logVersion) return
+  logger.setVersion(logVersion)
+}
+
+module.exports = {
+  logger,
+  getColor,
+  setLogLevel,
+  setLogName,
+  setLogVersion,
+  levels
+}