npm - vestauth - Versions diffs - 0.12.0 → 0.13.0 - Mend

vestauth 0.12.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +13 -1
package/README.md +9 -13
package/package.json +1 -1
package/src/cli/commands/agent.js +1 -1
package/src/cli/vestauth.js +1 -1
package/src/lib/api/postRegister.js +4 -2
package/src/lib/helpers/agentInit.js +4 -6
package/src/lib/helpers/headers.js +7 -1
package/src/lib/helpers/normalizeAgentHostname.js +4 -1
package/src/lib/helpers/parseSignatureAgentHeader.js +1 -1
package/src/lib/helpers/verifyAgentFqdn.js +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,7 +2,19 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
-[Unreleased](https://github.com/vestauth/vestauth/compare/v0.12.0...main)
+[Unreleased](https://github.com/vestauth/vestauth/compare/v0.13.0...main)
+## [0.13.0](https://github.com/vestauth/vestauth/compare/v0.12.1...v0.13.0) (2026-02-18)
+### Changed
+* Move from `*.agents.vestauth.com` FQDN to `*.api.vestaut.com` to prepare way for custom `--hostname` for internal enterprise use cases.
+## [0.12.1](https://github.com/vestauth/vestauth/compare/v0.12.0...v0.12.1) (2026-02-17)
+### Changed
+* Change usage message to `vestauth agent init`
 ## [0.12.0](https://github.com/vestauth/vestauth/compare/v0.11.2...v0.12.0) (2026-02-17)

package/README.md CHANGED Viewed

@@ -113,7 +113,7 @@ $ vestauth primitives headers GET https://api.vestauth.com/whoami --pp
 {
   "Signature": "sig1=:d4Id5SXhUExsf1XyruD8eBmlDtWzt/vezoCS+SKf0M8CxSkhKBtdHH7KkYyMN6E0hmxmNHsYus11u32nhvpWBQ==:",
   "Signature-Input": "sig1=(\"@authority\");created=1770247189;keyid=\"B0u80Gw28W9U2Jl5t_EBiWeBajO2104kOYZ9Ikucl5I\";alg=\"ed25519\";expires=1770247489;nonce=\"NURxn28X7zyKJ9k5bHxuOyO5qdvF9L5s2qHmhTrGUzbwGSIoUCHmwSlwiiCRgTDGuum83yyWMHJU4jmrVI_XPg\";tag=\"web-bot-auth\"",
-  "Signature-Agent": "sig1=agent-4b94ccd425e939fac5016b6b.agents.vestauth.com"
+  "Signature-Agent": "sig1=agent-4b94ccd425e939fac5016b6b.api.vestauth.com"
 }
 ```
@@ -242,7 +242,7 @@ $ vestauth agent curl https://api.vestauth.com/whoami --pp
   "public_jwk": {
     ...
   },
-  "well_known_url": "https://agent-609a4fd2ebf4e6347108c517.agents.vestauth.com/.well-known/http-message-signatures-directory"
+  "well_known_url": "https://agent-609a4fd2ebf4e6347108c517.api.vestauth.com/.well-known/http-message-signatures-directory"
 }
 ```
@@ -257,7 +257,7 @@ $ vestauth agent headers GET https://api.vestauth.com/whoami --pp
 {
   "Signature": "sig1=:UW6A7j8jo+gQxd+EeVgDddY51ZOc9plrSaupW/N53hQnQFvP9BuwQHgL7SVPLQIu4cnRzLgvwm7Yu9YMO+HUDQ==:",
   "Signature-Input": "sig1=(\"@authority\");created=1770396357;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396657;nonce=\"PrE7A6I_5fWnxBsBigNvxjp3-YangXl71V1uM3hPZavh918JqzjMSRcjHv_n5XIb3N8WivZEeigCBH6QGDSqgA\";tag=\"web-bot-auth\"",
-  "Signature-Agent": "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+  "Signature-Agent": "sig1=agent-609a4fd2ebf4e6347108c517.api.vestauth.com"
 }
 ```
@@ -272,7 +272,7 @@ $ vestauth agent headers GET https://api.vestauth.com/whoami --uid agent-1234 --
 {
   "Signature": "sig1=:UW6A7j8jo+gQxd+EeVgDddY51ZOc9plrSaupW/N53hQnQFvP9BuwQHgL7SVPLQIu4cnRzLgvwm7Yu9YMO+HUDQ==:",
   "Signature-Input": "sig1=(\"@authority\");created=1770396357;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396657;nonce=\"PrE7A6I_5fWnxBsBigNvxjp3-YangXl71V1uM3hPZavh918JqzjMSRcjHv_n5XIb3N8WivZEeigCBH6QGDSqgA\";tag=\"web-bot-auth\"",
-  "Signature-Agent": "sig1=agent-1234.agents.vestauth.com"
+  "Signature-Agent": "sig1=agent-1234.api.vestauth.com"
 }
 ```
@@ -287,7 +287,7 @@ $ vestauth agent headers GET https://api.vestauth.com/whoami --private-jwk '{"cr
 {
   "Signature": "sig1=:PZUVVjqiECYuk8Hg1GZKKeJmwhLrcRdRA7nm1R595UFK9cx0q9atNFBzKP5wBEmszMIgvpYdMrIQbPEeKz4tCQ==:",
   "Signature-Input": "sig1=(\"@authority\");created=1770396546;keyid=\"UfHTArlyLsqM8cB8sNfH2z6XOwc0RmJIq2CAPGfvMjk\";alg=\"ed25519\";expires=1770396846;nonce=\"BSIugautfZvN3u5QUgl1mMuyxgmeRsRy9XxX7GXxjJxq1mI0kJl4F-C1nITtOfSeEt6xR1YBfyxsffNKy_wKSA\";tag=\"web-bot-auth\"",
-  "Signature-Agent": "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+  "Signature-Agent": "sig1=agent-609a4fd2ebf4e6347108c517.api.vestauth.com"
 }
 ```
@@ -308,7 +308,7 @@ $ vestauth agent rotate
 Verify agent.
 ```sh
-$ vestauth provider verify GET https://api.vestauth.com/whoami --signature "sig1=:H1kxwSRWFbIzKbHaUy4hQFp/JrmVTX//72JPHcW4W7cPt9q6LytRJgx5pUgWrrr7DCcMWgx/jpTPc8Ht8SZ3CQ==:" --signature-input "sig1=(\"@authority\");created=1770396709;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770397009;nonce=\"BZSDVktdkjO6XH5jafAdPDttsB6eytXO7u8KXJN1tMtd5bprE3rp08HiaTRo7H6gZGtYb4_qtL7RiGi8P2Gq7w\";tag=\"web-bot-auth\"" --signature-agent "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+$ vestauth provider verify GET https://api.vestauth.com/whoami --signature "sig1=:H1kxwSRWFbIzKbHaUy4hQFp/JrmVTX//72JPHcW4W7cPt9q6LytRJgx5pUgWrrr7DCcMWgx/jpTPc8Ht8SZ3CQ==:" --signature-input "sig1=(\"@authority\");created=1770396709;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770397009;nonce=\"BZSDVktdkjO6XH5jafAdPDttsB6eytXO7u8KXJN1tMtd5bprE3rp08HiaTRo7H6gZGtYb4_qtL7RiGi8P2Gq7w\";tag=\"web-bot-auth\"" --signature-agent "sig1=agent-609a4fd2ebf4e6347108c517.api.vestauth.com"
 {"uid":"agent-609a4fd2ebf4e6347108c517",...}
 ```
@@ -347,7 +347,7 @@ $ vestauth primitives headers GET http://example.com --pp
 {
   "Signature": "sig1=:K7z3Nozcq1z5zfJhrd540DWYbjyQ1kR/S7ZDcMXE5gVhxezvG6Rn9BxEvfteiAnBuQhOkvbpGtF83WpQQerGBw==:",
   "Signature-Input": "sig1=(\"@authority\");created=1770263541;keyid=\"_4GFBGmXKinLBoh3-GJZCiLBt-84GP9Fb0iBzmYncUg\";alg=\"ed25519\";expires=1770263841;nonce=\"0eu7hVMVFm61lQvIryKNmZXIbzkkgpVocoKvN0de5QO8Eu5slTxklJAcVLQs0L_UTVtx4f8qJcqYZ21JTeOQww\";tag=\"web-bot-auth\"",
-  "Signature-Agent": "sig1=agent-35e4a794a904d227ee2373b6.agents.vestauth.com"
+  "Signature-Agent": "sig1=agent-35e4a794a904d227ee2373b6.api.vestauth.com"
 }
 ```
@@ -357,7 +357,7 @@ $ vestauth primitives headers GET http://example.com --pp
 Verify signed headers.
 ```sh
-$ vestauth primitives verify GET https://api.vestauth.com/whoami --signature "sig1=:UHqXQbWZmyYW40JRcdCl+NLccLgPmcoirUKwLtdcpEcIgxG2+i+Q2U3yIYeMquseON3fKm29WSL2ntHeRefHBQ==:" --signature-input "sig1=(\"@authority\");created=1770395703;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396003;nonce=\"O8JOC1reBofwbpPcdD-MRRCdrtAf4khvJTuhpRI_RiaH_hpU93okLkmPZVFFcUEdYtYfcduaB8Sca54GTd2GXA\";tag=\"web-bot-auth\"" --signature-agent "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+$ vestauth primitives verify GET https://api.vestauth.com/whoami --signature "sig1=:UHqXQbWZmyYW40JRcdCl+NLccLgPmcoirUKwLtdcpEcIgxG2+i+Q2U3yIYeMquseON3fKm29WSL2ntHeRefHBQ==:" --signature-input "sig1=(\"@authority\");created=1770395703;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396003;nonce=\"O8JOC1reBofwbpPcdD-MRRCdrtAf4khvJTuhpRI_RiaH_hpU93okLkmPZVFFcUEdYtYfcduaB8Sca54GTd2GXA\";tag=\"web-bot-auth\"" --signature-agent "sig1=agent-609a4fd2ebf4e6347108c517.api.vestauth.com"
 {"uid":"agent-609a4fd2ebf4e6347108c517", ...}
 ```
@@ -588,7 +588,7 @@ Vestauth follows these specifications to ensure interoperability between agents
 > By default, Vestauth only resolves agent discovery endpoints inside the controlled namespace:
 >
 > ```ini
-> *.agents.vestauth.com
+> *.api.vestauth.com
 > ```
 >
 > When a provider verifies a request, Vestauth converts the agent identity into a fixed .well-known endpoint within this trusted domain. Because this domain is controlled by Vestauth, providers never fetch attacker-supplied URLs or internal network addresses.
@@ -670,7 +670,3 @@ You can fork this repo and create [pull requests](https://github.com/vestauth/ve
 * [github.com/vestauth/vestauth](https://github.com/vestauth/vestauth/issues) - bugs and discussions
 * [@vestauth 𝕏](https://x.com/vestauthx) (DMs are open)
-## Roadmap
-* Feb 15: Add first vestauth provider `dotenvx as2`

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.12.0",
+  "version": "0.13.0",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth",

package/src/cli/commands/agent.js CHANGED Viewed

@@ -11,7 +11,7 @@ agent
 const initAction = require('./../actions/agent/init')
 agent.command('init')
   .description('create agent')
-  .option('--hostname <hostname>', 'agent API hostname')
+  .option('--hostname <hostname>', 'agent API hostname', env('AGENT_HOSTNAME'))
   .action(initAction)
 // vestauth agent curl

package/src/cli/vestauth.js CHANGED Viewed

@@ -20,7 +20,7 @@ if (commanderVersion && parseInt(commanderVersion.split('.')[0], 10) >= 12) {
 // global log levels
 program
-  .usage('vestauth')
+  .usage('agent init')
   .option('--log-level <level>', 'set log level', 'info')
   .option('--quiet', 'sets log level to error')
   .option('--verbose', 'sets log level to verbose')

package/src/lib/api/postRegister.js CHANGED Viewed

@@ -3,17 +3,19 @@ const buildApiError = require('../helpers/buildApiError')
 const agentHeaders = require('../helpers/agentHeaders')
 class PostRegister {
-  constructor (hostname, publicJwk) {
+  constructor (hostname, publicJwk, privateJwk) {
     this.hostname = hostname || 'https://api.vestauth.com'
     this.publicJwk = publicJwk
+    this.privateJwk = privateJwk
   }
   async run () {
     const url = `${this.hostname}/register`
     const publicJwk = this.publicJwk
+    const privateJwk = this.privateJwk
     const httpMethod = 'POST'
-    const headers = await agentHeaders(httpMethod, url, 'REGISTERING')
+    const headers = await agentHeaders(httpMethod, url, 'REGISTERING', JSON.stringify(privateJwk))
     headers['Content-Type'] = 'application/json'
     const resp = await http(url, {

package/src/lib/helpers/agentInit.js CHANGED Viewed

@@ -8,7 +8,7 @@ const PostRegister = require('../api/postRegister')
 async function agentInit (hostname = null) {
   const envPath = '.env'
   const normalizedHostname = normalizeAgentHostname(hostname)
-  const shouldPersistHostname = Boolean(hostname && String(hostname).trim())
+  const shouldPersistHostname = normalizedHostname !== 'https://api.vestauth.com'
   // keypair
   const currentPrivateJwk = identity(false).privateJwk
@@ -16,17 +16,15 @@ async function agentInit (hostname = null) {
   touch(envPath)
-  // must come before registration so that registration can send headers
+  // register agent
+  const agent = await new PostRegister(normalizedHostname, kp.publicJwk, kp.privateJwk).run()
+  dotenvx.set('AGENT_UID', agent.uid, { path: envPath, plain: true, quiet: true })
   dotenvx.set('AGENT_PUBLIC_JWK', JSON.stringify(kp.publicJwk), { path: envPath, plain: true, quiet: true })
   dotenvx.set('AGENT_PRIVATE_JWK', JSON.stringify(kp.privateJwk), { path: envPath, plain: true, quiet: true })
   if (shouldPersistHostname) {
     dotenvx.set('AGENT_HOSTNAME', new URL(normalizedHostname).host, { path: envPath, plain: true, quiet: true })
   }
-  // register agent
-  const agent = await new PostRegister(normalizedHostname, kp.publicJwk).run()
-  dotenvx.set('AGENT_UID', agent.uid, { path: envPath, plain: true, quiet: true })
   return {
     AGENT_PUBLIC_JWK: kp.publicJwk,
     AGENT_UID: agent.uid,

package/src/lib/helpers/headers.js CHANGED Viewed

@@ -2,6 +2,12 @@ const Errors = require('./errors')
 const thumbprint = require('./thumbprint')
 const signatureParams = require('./signatureParams')
 const webBotAuthSignature = require('./webBotAuthSignature')
+const env = require('./env')
+function getAgentDiscoveryDomain () {
+  const hostname = (env('AGENT_HOSTNAME') || process.env.AGENT_HOSTNAME || 'api.vestauth.com').trim().toLowerCase()
+  return hostname.replace(/^https?:\/\//, '').split('/')[0]
+}
 async function headers (httpMethod, uri, uid, privateJwk, tag = 'web-bot-auth', nonce = null) {
   if (!uid) throw new Errors().missingUid()
@@ -21,7 +27,7 @@ async function headers (httpMethod, uri, uid, privateJwk, tag = 'web-bot-auth',
   const signatureInput = signatureParams(privateJwk.kid, tag, nonce)
   const signature = webBotAuthSignature(httpMethod, uri, signatureInput, privateJwk)
-  const signatureAgent = `${uid}.agents.vestauth.com` // agent-1234.agents.vestauth.com (no scheme) /.well-known/http-message-signatures-directory
+  const signatureAgent = `${uid}.${getAgentDiscoveryDomain()}` // no scheme; fqdn only
   return {
     Signature: `sig1=:${signature}:`,

package/src/lib/helpers/normalizeAgentHostname.js CHANGED Viewed

@@ -1,5 +1,8 @@
+const env = require('./env')
 function normalizeAgentHostname (hostname = null) {
-  const value = (hostname || process.env.AGENT_HOSTNAME || 'api.vestauth.com').trim()
+  const envHostname = env('AGENT_HOSTNAME')
+  const value = (hostname || envHostname || 'api.vestauth.com').trim()
   const candidate = /^https?:\/\//i.test(value) ? value : `https://${value}`
   const url = new URL(candidate)

package/src/lib/helpers/parseSignatureAgentHeader.js CHANGED Viewed

@@ -1,7 +1,7 @@
 const { parseDictionary } = require('structured-headers')
 const Errors = require('./errors')
-// example: sig1=agent-9aa52a556ca85ee195866c0b.agents.vestauth.com
+// example: sig1=agent-9aa52a556ca85ee195866c0b.api.vestauth.com
 function parseSignatureAgentHeader (signatureAgentHeader) {
   if (Array.isArray(signatureAgentHeader)) {
     signatureAgentHeader = signatureAgentHeader[0]

package/src/lib/helpers/verifyAgentFqdn.js CHANGED Viewed

@@ -1,4 +1,4 @@
-const DEFAULT_PROVIDER_FQDN_REGEX = /^[A-Za-z0-9-]+\.agents\.vestauth\.com$/
+const DEFAULT_PROVIDER_FQDN_REGEX = /^[A-Za-z0-9-]+\.(?:agents|api)\.vestauth\.com$/
 const Errors = require('./errors')
 function getProviderFqdnRegex () {