vestauth 0.8.2 → 0.8.4

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/vestauth/vestauth/compare/v0.8.2...main)
+[Unreleased](https://github.com/vestauth/vestauth/compare/v0.8.4...main)
+
+## [0.8.4](https://github.com/vestauth/vestauth/compare/v0.8.3...v0.8.4) (2026-02-06)
+
+### Changed
+
+* Patch bug with missing `web-bot-auth` lib
+
+## [0.8.3](https://github.com/vestauth/vestauth/compare/v0.8.2...v0.8.3) (2026-02-06)
+
+### Changed
+
+* Various clean up.
 
 ## [0.8.2](https://github.com/vestauth/vestauth/compare/v0.8.1...v0.8.2) (2026-02-05)
 

package/README.md

@@ -2,11 +2,11 @@
 
 *auth for agents*–from the creator of [`dotenv`](https://github.com/motdotla/dotenv) and [`dotenvx`](https://github.com/dotenvx/dotenvx).
 
-* identity (cryptographic)
-* authentication
-* verification
-
-[Watch demo video 📺](https://www.youtube.com/watch?v=cHARyULr_qk)
+> [1 minute demo 📺](https://www.youtube.com/watch?v=cHARyULr_qk)
+>
+> Vestauth gives agents a cryptographic identity and a simple way to authenticate HTTP requests. Most agent systems rely on API keys, bearer tokens, or username/passwords. These approaches are difficult to rotate, easy to leak, and hard to attribute to a specific agent. Vestauth replaces shared secrets with public/private key cryptography. Agents sign requests using a private key, and providers verify those requests using the agent's public key. [[1](#compare)]
+> 
+> *Scott Motte–creator of `dotenv` and `dotenvx`*
 
  
 
@@ -18,7 +18,7 @@ npm i -g vestauth
 
 ```sh
 vestauth agent init
-vestauth agent curl https://PROVIDER.com/TOOL
+vestauth agent curl -X POST https://ping.vestauth.com
 ```
 
 <details><summary>with curl 🌐 </summary><br>
@@ -187,19 +187,6 @@ Vestauth intentionally separates identity discovery from verification to support
 
 &nbsp;
 
-## Standards
-
-Vestauth builds on open internet standards for agent authentication.
-
-| Specification | Purpose |
-|------------|------------|
-| **[RFC 9421 – HTTP Message Signatures](https://datatracker.ietf.org/doc/rfc9421/)** | Defines how requests are cryptographically signed and verified |
-| **[Web-Bot-Auth Draft](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture)** | Defines headers and authentication architecture for autonomous agents |
-
-Vestauth follows these specifications to ensure interoperability between agents and providers while avoiding vendor lock-in. Vestauth focuses on developer ergonomics while staying compliant with these emerging standards.
-
-&nbsp;
-
 ## Advanced
 
 > Become a `vestauth` power user.
@@ -209,6 +196,101 @@ Vestauth follows these specifications to ensure interoperability between agents
 
 Advanced CLI commands.
 
+<details><summary>`agent init`</summary><br>
+
+Create agent.
+
+```sh
+$ vestauth agent init
+✔ agent created (.env/AGENT_ID=agent-609a4fd2ebf4e6347108c517)
+⮕ next run: [vestauth agent curl https://api.vestauth.com/whoami]
+```
+
+</details>
+<details><summary>`agent curl`</summary><br>
+
+Run curl as agent.
+
+```sh
+$ vestauth agent curl https://api.vestauth.com/whoami
+{"uid":"agent-609a4fd2ebf4e6347108c517", ...}
+```
+
+</details>
+<details><summary>`agent curl --pretty-print`</summary><br>
+
+Pretty print curl json output.
+
+```sh
+$ vestauth agent curl https://api.vestauth.com/whoami --pp
+{
+  "uid": "agent-609a4fd2ebf4e6347108c517",
+  "kid": "FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM",
+  "public_jwk": {
+    ...
+  },
+  "well_known_url": "https://agent-609a4fd2ebf4e6347108c517.agents.vestauth.com/.well-known/http-message-signatures-directory"
+}
+```
+
+</details>
+
+<details><summary>`agent headers`</summary><br>
+
+Generate signed headers as agent.
+
+```sh
+$ vestauth agent headers GET https://api.vestauth.com/whoami --pp
+{
+  "Signature": "sig1=:UW6A7j8jo+gQxd+EeVgDddY51ZOc9plrSaupW/N53hQnQFvP9BuwQHgL7SVPLQIu4cnRzLgvwm7Yu9YMO+HUDQ==:",
+  "Signature-Input": "sig1=(\"@authority\");created=1770396357;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396657;nonce=\"PrE7A6I_5fWnxBsBigNvxjp3-YangXl71V1uM3hPZavh918JqzjMSRcjHv_n5XIb3N8WivZEeigCBH6QGDSqgA\";tag=\"web-bot-auth\"",
+  "Signature-Agent": "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+}
+```
+
+</details>
+
+<details><summary>`agent headers --id`</summary><br>
+
+Change the `AGENT_ID`.
+
+```sh
+$ vestauth agent headers GET https://api.vestauth.com/whoami --id agent-1234 --pp
+{
+  "Signature": "sig1=:UW6A7j8jo+gQxd+EeVgDddY51ZOc9plrSaupW/N53hQnQFvP9BuwQHgL7SVPLQIu4cnRzLgvwm7Yu9YMO+HUDQ==:",
+  "Signature-Input": "sig1=(\"@authority\");created=1770396357;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396657;nonce=\"PrE7A6I_5fWnxBsBigNvxjp3-YangXl71V1uM3hPZavh918JqzjMSRcjHv_n5XIb3N8WivZEeigCBH6QGDSqgA\";tag=\"web-bot-auth\"",
+  "Signature-Agent": "sig1=agent-1234.agents.vestauth.com"
+}
+```
+
+</details>
+
+<details><summary>`agent headers --private-jwk`</summary><br>
+
+Change the `AGENT_PRIVATE_JWK` used to sign the headers.
+
+```sh
+$ vestauth agent headers GET https://api.vestauth.com/whoami --private-jwk '{"crv":"Ed25519","d":"RyFk7QTOk_bMjFQKjyAR-vJDp7BITn9U0YBFNdpR9wE","x":"hyAxNMbuTcFQq420Dr46ucF0dRZ_FIyxgsujruEoklM","kty":"OKP","kid":"UfHTArlyLsqM8cB8sNfH2z6XOwc0RmJIq2CAPGfvMjk"}' --pp
+{
+  "Signature": "sig1=:PZUVVjqiECYuk8Hg1GZKKeJmwhLrcRdRA7nm1R595UFK9cx0q9atNFBzKP5wBEmszMIgvpYdMrIQbPEeKz4tCQ==:",
+  "Signature-Input": "sig1=(\"@authority\");created=1770396546;keyid=\"UfHTArlyLsqM8cB8sNfH2z6XOwc0RmJIq2CAPGfvMjk\";alg=\"ed25519\";expires=1770396846;nonce=\"BSIugautfZvN3u5QUgl1mMuyxgmeRsRy9XxX7GXxjJxq1mI0kJl4F-C1nITtOfSeEt6xR1YBfyxsffNKy_wKSA\";tag=\"web-bot-auth\"",
+  "Signature-Agent": "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+}
+```
+
+</details>
+
+<details><summary>`provider verify`</summary><br>
+
+Verify agent.
+
+```sh
+$ vestauth provider verify GET https://api.vestauth.com/whoami --signature "sig1=:H1kxwSRWFbIzKbHaUy4hQFp/JrmVTX//72JPHcW4W7cPt9q6LytRJgx5pUgWrrr7DCcMWgx/jpTPc8Ht8SZ3CQ==:" --signature-input "sig1=(\"@authority\");created=1770396709;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770397009;nonce=\"BZSDVktdkjO6XH5jafAdPDttsB6eytXO7u8KXJN1tMtd5bprE3rp08HiaTRo7H6gZGtYb4_qtL7RiGi8P2Gq7w\";tag=\"web-bot-auth\"" --signature-agent "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+{"uid":"agent-609a4fd2ebf4e6347108c517",...}
+```
+
+</details>
+
 <details><summary>`primitives keypair`</summary><br>
 
 Generate public/private keypair.
@@ -252,112 +334,125 @@ $ vestauth primitives headers GET http://example.com --pp
 Verify signed headers.
 
 ```sh
-$ vestauth primitives verify GET https://example.com --signature "sig1=:K7z3Nozcq1z5zfJhrd540DWYbjyQ1kR/S7ZDcMXE5gVhxezvG6Rn9BxEvfteiAnBuQhOkvbpGtF83WpQQerGBw==:" --signature-input "sig1=(\"@authority\");created=1770263541;keyid=\"_4GFBGmXKinLBoh3-GJZCiLBt-84GP9Fb0iBzmYncUg\";alg=\"ed25519\";expires=1770263841;nonce=\"0eu7hVMVFm61lQvIryKNmZXIbzkkgpVocoKvN0de5QO8Eu5slTxklJAcVLQs0L_UTVtx4f8qJcqYZ21JTeOQww\";tag=\"web-bot-auth\""
-{"success":true}
+$ vestauth primitives verify GET https://api.vestauth.com/whoami --signature "sig1=:UHqXQbWZmyYW40JRcdCl+NLccLgPmcoirUKwLtdcpEcIgxG2+i+Q2U3yIYeMquseON3fKm29WSL2ntHeRefHBQ==:" --signature-input "sig1=(\"@authority\");created=1770395703;keyid=\"FGzgs758DBGnI1S0BejChDsK0IKZm3qPpOOXdRnnBkM\";alg=\"ed25519\";expires=1770396003;nonce=\"O8JOC1reBofwbpPcdD-MRRCdrtAf4khvJTuhpRI_RiaH_hpU93okLkmPZVFFcUEdYtYfcduaB8Sca54GTd2GXA\";tag=\"web-bot-auth\"" --signature-agent "sig1=agent-609a4fd2ebf4e6347108c517.agents.vestauth.com"
+{"uid":"agent-609a4fd2ebf4e6347108c517", ...}
 ```
 
 </details>
 
 &nbsp;
 
-## FAQ
+## Compare
 
-<details><summary>What problem does Vestauth solve?</summary><br>
+**Agent + Provider Matrix** – Compare Vestauth vs existing auth.
 
-> Vestauth gives agents a cryptographic identity and a simple way to authenticate HTTP requests.
->
-> Most agent systems rely on API keys, bearer tokens, or username/passwords. These approaches are difficult to rotate, easy to leak, and hard to attribute to a specific agent.
->
-> Vestauth replaces shared secrets with public/private key cryptography. Agents sign requests using a private key, and providers verify those requests using the agent's public key.
+| Capability | Vestauth | API Keys | OAuth | Cookies |
+|---|---|---|---|---|
+| **Agent: no browser required** | ✅ | ✅ | ⚠️ (depends on flow) | ❌ |
+| **Agent: easy to automate** | ✅ | ✅ | ⚠️ | ❌ |
+| **Agent: no shared secret** | ✅ | ❌ | ⚠️ (bearer tokens) | ❌ |
+| **Agent: per‑request identity proof** | ✅ | ❌ | ⚠️ (token‑based) | ❌ |
+| **Agent: easy key/token rotation** | ✅ | ⚠️ | ⚠️ | ⚠️ |
+| **Provider: no secret storage** | ✅ (public keys only) | ❌ | ❌ | ❌ |
+| **Provider: strong attribution to agent** | ✅ | ⚠️ | ⚠️ | ❌ |
+| **Provider: stateless verification** | ✅ | ✅ | ✅ | ❌ |
+| **Provider: simple to implement** | ⚠️ (sig verification) | ✅ | ❌ | ✅ |
+| **Provider: revocation control** | ✅ | ⚠️ | ✅ | ⚠️ |
+
+Legend: ✅ strong fit, ⚠️ partial/conditional, ❌ poor fit
+
+#### How It Works
+
+1. An agent generates a public/private keypair.
+2. The agent signs each HTTP request with its private key.
+3. The provider verifies the signature using the agent’s public key.
+4. Requests are attributable, auditable, and do not require shared secrets or browser sessions.
 
 &nbsp;
 
-</details>
+## Standards
 
-<details><summary>How does Vestauth authentication work?</summary><br>
+Vestauth builds on open internet standards for agent authentication.
 
-> Vestauth uses HTTP Message Signatures ([RFC 9421](https://datatracker.ietf.org/doc/rfc9421/)). Each request is signed using the agent's private key. The request includes signed headers such as:
->
-> * Signature
-> * Signature-Input
-> * Signature-Agent
->
-> Providers verify the request by retrieving the agent's public key from a discovery endpoint and verifying the signature cryptographically.
->
-> If the signature is valid, the provider knows the request was created by the agent that owns that private key.
+| Specification | Purpose |
+|------------|------------|
+| **[RFC 9421 – HTTP Message Signatures](https://datatracker.ietf.org/doc/rfc9421/)** | Defines how requests are cryptographically signed and verified |
+| **[Web-Bot-Auth Draft](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture)** | Defines headers and authentication architecture for autonomous agents |
+
+Vestauth follows these specifications to ensure interoperability between agents and providers while avoiding vendor lock-in. Vestauth focuses on developer ergonomics while staying compliant with these emerging standards.
 
 &nbsp;
 
-</details>
 
-<details><summary>Do I need to run a Vestauth server?</summary><br>
 
-> No.
+## FAQ
+
+<details><summary>What problem does Vestauth solve?</summary><br>
+
+> Vestauth gives agents a cryptographic identity and a simple way to authenticate HTTP requests.
 >
-> Vestauth is primarily a client-side and verification library. Agents generate keys locally and sign requests directly. Providers verify requests using public keys exposed via .well-known discovery endpoints.
+> Most agent systems rely on API keys, bearer tokens, or username/passwords. These approaches are difficult to rotate, easy to leak, and hard to attribute to a specific agent.
 >
-> There is no central authentication server required.
+> Vestauth replaces shared secrets with public/private key cryptography. Agents sign requests using a private key, and providers verify those requests using the agent's public key.
 
 &nbsp;
 
 </details>
 
-<details><summary>Where are agent keys stored?</summary><br>
+<details><summary>Why not just use API keys?</summary><br>
 
-> Agent keys are generated locally and stored in the agent's environment configuration.
->
-> * `AGENT_PRIVATE_JWK` is used to sign requests and must never be shared.
-> * `AGENT_PUBLIC_JWK` is safe to publish and is used by providers for verification.
+> API keys are shared secrets. Anyone who obtains the key can impersonate the client, and keys are difficult to rotate safely.
 >
-> Vestauth automatically exposes public keys through a discovery endpoint.
+> Vestauth uses cryptographic signing instead of shared secrets. This allows providers to verify identity without storing or distributing sensitive credentials.
 
 &nbsp;
 
 </details>
 
-<details><summary>Can someone impersonate my agent?</summary><br>
+<details><summary>Where are agent keys stored?</summary><br>
 
-> No, unless they obtain your private key.
->
-> Vestauth relies on asymmetric cryptography. Only the holder of the private key can generate valid signatures. Providers verify those signatures using the corresponding public key.
+> Agent keys are generated locally and stored in the agent's environment configuration (`.env`).
 >
-> As long as your private key remains secure, your agent identity cannot be forged.
+> * `AGENT_PRIVATE_JWK` is used to sign requests and must never be shared.
+> * `AGENT_PUBLIC_JWK` is safe to publish and is used by providers for verification.
 
 &nbsp;
 
 </details>
 
-<details><summary>Why does Vestauth use public key discovery?</summary><br>
+<details><summary>Is Vestauth only for AI agents?</summary><br>
 
-> Public key discovery allows providers to verify agent signatures without manual key exchange. Each agent hosts its public keys in a standardized .well-known directory.
+> No.
 >
-> This enables dynamic agent onboarding while preserving cryptographic verification.
+> Vestauth can authenticate any automated system including:
+>
+> * developer tools
+> * CLIs
+> * automation services
+> * bots
+> * infrastructure tools
 
 &nbsp;
 
 </details>
 
-<details><summary>Does Vestauth send secrets over the network?</summary><br>
+<details><summary>Can Vestauth work without curl?</summary><br>
 
-> No.
+> Yes.
 >
-> Vestauth signs requests using private keys locally. Only public keys are shared for verification.
+> Vestauth provides libraries and primitives that can be integrated into any HTTP client or framework. The CLI simply makes it easy to adopt and demonstrate.
 
 &nbsp;
 
 </details>
 
-<details><summary>Is Vestauth production ready?</summary><br>
+<details><summary>Do I need to run a Vestauth server?</summary><br>
 
-> Yes.
->
-> Vestauth is built on established cryptographic and HTTP standards:
+> No.
 >
-> * RFC 9421 HTTP Message Signatures
-> * JOSE / JWK key formats
-> * Web-Bot-Auth draft architecture
+> Vestauth is primarily a client-side and verification library. Agents generate keys locally and sign requests directly. Providers verify requests using public keys exposed via .well-known discovery endpoints.
 >
-> These standards are designed for secure, verifiable HTTP communication.
+> There is no central authentication server required.
 
 &nbsp;
 
@@ -376,37 +471,17 @@ $ vestauth primitives verify GET https://example.com --signature "sig1=:K7z3Nozc
 
 </details>
 
-<details><summary>Can Vestauth work without curl?</summary><br>
-
-> Yes.
->
-> Vestauth provides libraries and primitives that can be integrated into any HTTP client or framework. The CLI simply makes it easy to adopt and demonstrate.
-
-&nbsp;
-
-</details>
-
-<details><summary>Is Vestauth only for AI agents?</summary><br>
+<details><summary>How does Vestauth authentication work?</summary><br>
 
-> No.
+> Vestauth uses HTTP Message Signatures ([RFC 9421](https://datatracker.ietf.org/doc/rfc9421/)). Each request is signed using the agent's private key. The request includes signed headers such as:
 >
-> Vestauth can authenticate any automated system including:
+> * Signature
+> * Signature-Input
+> * Signature-Agent
 >
-> * developer tools
-> * CLIs
-> * automation services
-> * bots
-> * infrastructure tools
-
-&nbsp;
-
-</details>
-
-<details><summary>Why not just use API keys?</summary><br>
-
-> API keys are shared secrets. Anyone who obtains the key can impersonate the client, and keys are difficult to rotate safely.
+> Providers verify the request by retrieving the agent's public key from a discovery endpoint and verifying the signature cryptographically.
 >
-> Vestauth uses cryptographic signing instead of shared secrets. This allows providers to verify identity without storing or distributing sensitive credentials.
+> If the signature is valid, the provider knows the request was created by the agent that owns that private key.
 
 &nbsp;
 
@@ -436,6 +511,26 @@ $ vestauth primitives verify GET https://example.com --signature "sig1=:K7z3Nozc
 
 </details>
 
+<details><summary>Why does Vestauth use public key discovery?</summary><br>
+
+> Public key discovery allows providers to verify agent signatures without manual key exchange. Each agent hosts its public keys in a standardized .well-known directory.
+>
+> This enables dynamic agent onboarding while preserving cryptographic verification.
+
+&nbsp;
+
+</details>
+
+<details><summary>Does Vestauth send secrets over the network?</summary><br>
+
+> No.
+>
+> Vestauth signs requests using private keys locally. Only public keys are shared for verification.
+
+&nbsp;
+
+</details>
+
 <details><summary>How does Vestauth avoid SSRF during public key discovery?</summary><br>
 
 > Vestauth prevents Server-Side Request Forgery (SSRF) by restricting public key discovery to trusted domains.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.8.2",
+  "version": "0.8.4",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth"
@@ -38,14 +38,10 @@
   },
   "dependencies": {
     "@dotenvx/dotenvx": "^1.52.0",
-    "@noble/hashes": "^1.8.0",
-    "@noble/secp256k1": "^1.7.2",
     "commander": "^11.1.0",
-    "eciesjs": "^0.4.16",
     "execa": "^5.1.1",
     "structured-headers": "^2.0.2",
-    "undici": "7.11.0",
-    "web-bot-auth": "^0.1.2"
+    "undici": "7.11.0"
   },
   "devDependencies": {
     "@yao-pkg/pkg": "^5.14.2",
@@ -55,6 +51,7 @@
     "sinon": "^14.0.1",
     "standard": "^17.1.0",
     "standard-version": "^9.5.0",
-    "tap": "^21.0.1"
+    "tap": "^21.0.1",
+    "web-bot-auth": "^0.1.2"
   }
 }

package/src/cli/actions/agent/curl.js

@@ -1,6 +1,7 @@
 const { logger } = require('./../../../shared/logger')
 const agent = require('./../../../lib/agent')
 const execute = require('./../../../lib/helpers/execute')
+const Errors = require('./../../../lib/helpers/errors')
 const findUrl = require('./../../../lib/helpers/findUrl')
 const catchAndLog = require('./../../../lib/helpers/catchAndLog')
 
@@ -27,7 +28,7 @@ async function curl () {
 
     if (exitCode !== 0) {
       logger.debug(`received exitCode ${exitCode}`)
-      throw new Error(`Command exited with exit code ${exitCode}`)
+      throw new Errors({ exitCode }).commandFailed()
     }
 
     let space = 0

package/src/cli/actions/primitives/verify.js

@@ -28,7 +28,6 @@ async function verify (httpMethod, uri) {
     const publicJwk = options.publicJwk ? JSON.parse(options.publicJwk) : undefined
 
     const output = await primitives.verify(httpMethod, uri, headers, publicJwk)
-    // const output = await primitive.verifyWebBotAuth(httpMethod, uri, signature, signatureInput, JSON.parse(publicJwk))
 
     let space = 0
     if (options.prettyPrint) {

package/src/cli/commands/agent.js

@@ -12,7 +12,6 @@ agent
 const initAction = require('./../actions/agent/init')
 agent.command('init')
   .description('create agent')
-  .option('--pp, --pretty-print', 'pretty print output')
   .action(initAction)
 
 // vestauth agent curl

package/src/lib/helpers/errors.js

@@ -1,6 +1,7 @@
 class Errors {
   constructor (options = {}) {
     this.message = options.message
+    this.exitCode = options.exitCode
   }
 
   missingId () {
@@ -107,6 +108,15 @@ class Errors {
     return e
   }
 
+  commandFailed () {
+    const code = 'COMMAND_FAILED'
+    const message = `[${code}] command failed with exit code ${this.exitCode}`
+
+    const e = new Error(message)
+    e.code = code
+    return e
+  }
+
   econnrefused () {
     const code = 'ECONNREFUSED'
     const message = `[${code}] connection refused`

package/src/lib/helpers/headers.js

@@ -19,18 +19,6 @@ async function headers (httpMethod, uri, id, privateJwk, tag = 'web-bot-auth', n
   const kid = thumbprint(privateJwk)
   privateJwk.kid = kid
 
-  // // theirs
-  // const request = new Request(uri)
-  // const now = new Date()
-  // return await signatureHeaders(
-  //   request,
-  //   await signerFromJWK(JSON.parse(privateJwk)),
-  //   {
-  //     created: now,
-  //     expires: new Date(now.getTime() + 300_000), // now + 5 min
-  //   }
-  // )
-
   const signatureInput = signatureParams(privateJwk.kid, tag, nonce)
   const signature = webBotAuthSignature(httpMethod, uri, signatureInput, privateJwk)
   const signatureAgent = `${id}.agents.vestauth.com` // agent-1234.agents.vestauth.com (no scheme) /.well-known/http-message-signatures-directory

package/src/lib/primitives.js

@@ -1,11 +1,9 @@
 const keypair = require('./helpers/keypair')
 const headers = require('./helpers/headers')
 const verify = require('./helpers/verify')
-const verifyWebBotAuth = require('./helpers/verifyWebBotAuth')
 
 module.exports = {
   keypair,
   headers,
-  verify,
-  verifyWebBotAuth
+  verify
 }

package/src/lib/helpers/executeCommand.js

@@ -1,115 +0,0 @@
-const path = require('path')
-const which = require('which')
-const execute = require('./../../lib/helpers/execute')
-const { logger } = require('./../../shared/logger')
-
-async function executeCommand (commandArgs) {
-  const signals = [
-    'SIGHUP', 'SIGQUIT', 'SIGILL', 'SIGTRAP', 'SIGABRT',
-    'SIGBUS', 'SIGFPE', 'SIGUSR1', 'SIGSEGV', 'SIGUSR2'
-  ]
-
-  logger.debug(`executing process command [${commandArgs.join(' ')}]`)
-
-  let child
-  let signalSent
-
-  /* c8 ignore start */
-  const sigintHandler = () => {
-    logger.debug('received SIGINT')
-    logger.debug('checking command process')
-    logger.debug(child)
-
-    if (child) {
-      logger.debug('sending SIGINT to command process')
-      signalSent = 'SIGINT'
-      child.kill('SIGINT') // Send SIGINT to the command process
-    } else {
-      logger.debug('no command process to send SIGINT to')
-    }
-  }
-
-  const sigtermHandler = () => {
-    logger.debug('received SIGTERM')
-    logger.debug('checking command process')
-    logger.debug(child)
-
-    if (child) {
-      logger.debug('sending SIGTERM to command process')
-      signalSent = 'SIGTERM'
-      child.kill('SIGTERM') // Send SIGTERM to the command process
-    } else {
-      logger.debug('no command process to send SIGTERM to')
-    }
-  }
-
-  const handleOtherSignal = (signal) => {
-    logger.debug(`received ${signal}`)
-    child.kill(signal)
-  }
-  /* c8 ignore stop */
-
-  try {
-    // ensure the first command is expanded
-    try {
-      commandArgs[0] = path.resolve(which.sync(`${commandArgs[0]}`))
-      logger.debug(`expanding process command to [${commandArgs.join(' ')}]`)
-    } catch (e) {
-      logger.debug(`could not expand process command. using [${commandArgs.join(' ')}]`)
-    }
-
-    // expand any other commands that follow a --
-    let expandNext = false
-    for (let i = 0; i < commandArgs.length; i++) {
-      if (commandArgs[i] === '--') {
-        expandNext = true
-      } else if (expandNext) {
-        try {
-          commandArgs[i] = path.resolve(which.sync(`${commandArgs[i]}`))
-          logger.debug(`expanding process command to [${commandArgs.join(' ')}]`)
-        } catch (e) {
-          logger.debug(`could not expand process command. using [${commandArgs.join(' ')}]`)
-        }
-        expandNext = false
-      }
-    }
-
-    child = execute.execa(commandArgs[0], commandArgs.slice(1), {
-      stdio: 'inherit'
-    })
-
-    process.on('SIGINT', sigintHandler)
-    process.on('SIGTERM', sigtermHandler)
-
-    signals.forEach(signal => {
-      process.on(signal, () => handleOtherSignal(signal))
-    })
-
-    // Wait for the command process to finish
-    const { exitCode } = await child
-
-    if (exitCode !== 0) {
-      logger.debug(`received exitCode ${exitCode}`)
-      throw new Error(`Command exited with exit code ${exitCode}`)
-    }
-  } catch (error) {
-    // no color on these errors as they can be standard errors for things like jest exiting with exitCode 1 for a single failed test.
-    if (!['SIGINT', 'SIGTERM'].includes(signalSent || error.signal)) {
-      if (error.code === 'ENOENT') {
-        logger.error(`Unknown command: ${error.command}`)
-      } else {
-        logger.error(error.message)
-      }
-    }
-
-    // Exit with the error code from the command process, or 1 if unavailable
-    process.exit(error.exitCode || 1)
-  } finally {
-    // Clean up: Remove the SIGINT handler
-    process.removeListener('SIGINT', sigintHandler)
-    // Clean up: Remove the SIGTERM handler
-    process.removeListener('SIGTERM', sigtermHandler)
-  }
-}
-
-module.exports = executeCommand

package/src/lib/helpers/hash.js

@@ -1,8 +0,0 @@
-const { sha256 } = require('@noble/hashes/sha2.js')
-const { utf8ToBytes } = require('@noble/hashes/utils.js')
-
-function hash (message = '') {
-  return sha256(utf8ToBytes(message))
-}
-
-module.exports = hash

package/src/lib/helpers/verifyWebBotAuth.js

@@ -1,25 +0,0 @@
-const { verify } = require('web-bot-auth')
-const { verifierFromJWK } = require('web-bot-auth/crypto')
-
-async function verifyWebBotAuth (httpMethod, uri, signatureHeader, signatureInputHeader, publicJwk) {
-  let success = false
-
-  const verifier = await verifierFromJWK(publicJwk)
-  const signedRequest = new Request(uri, {
-    headers: {
-      Signature: signatureHeader,
-      'Signature-Input': signatureInputHeader
-    }
-  })
-
-  try {
-    await verify(signedRequest, verifier)
-    success = true
-  } catch (_e) {}
-
-  return {
-    success
-  }
-}
-
-module.exports = verifyWebBotAuth