Constants ¶
// NostrAnchorKind is the Nostr event kind used for identity anchors. It falls in
// the replaceable range, so a relay keeps only the newest event per (pubkey, kind):
// re-publishing overwrites the previous anchor rather than adding to it.
const NostrAnchorKind = 10078
NostrAnchorKind is the Nostr replaceable event kind used for identity anchors. Because the kind is replaceable, relays retain only the newest event per (pubkey, kind); re-publishing overwrites the previous anchor, and whoever holds the Nostr key can replace the binding at will.
Functions ¶
func CreateBindingData ¶
CreateBindingData builds the canonical byte string that both keys sign for the bidirectional key binding (the Ed25519 key signs over the Nostr key and the Nostr key over the Ed25519 key). A verifier must reconstruct exactly the same bytes from the two public keys; any difference in encoding or ordering invalidates the signatures.
func ExpectedTXTRecord ¶
ExpectedTXTRecord returns the TXT record value that should be published under the domain for domain verification; it is derived from the key fingerprint rather than the raw key. A plain DNS lookup is only as trustworthy as the resolver path (nothing here implies DNSSEC), so a domain binding is supporting evidence and should not outrank the signature checks on the anchor itself.
Types ¶
type Anchor ¶
// Anchor is a published identity assertion that binds an agent's Ed25519 key to an
// external identity anchor (e.g. a Nostr npub). A verifier must check both
// signature fields; neither one alone shows that the binding was mutual.
type Anchor struct {
// PubKey is the agent's Ed25519 public key (base64).
PubKey string `json:"pub_key"`
// AnchorType identifies the anchoring system (e.g., "nostr", "bitcoin", "ethereum").
AnchorType string `json:"anchor_type"`
// AnchorID is the identifier in the anchoring system (e.g., Nostr npub).
AnchorID string `json:"anchor_id"`
// Ed25519Signature is the Ed25519 signature over the anchor binding data,
// produced by the key in PubKey.
Ed25519Signature string `json:"ed25519_signature"`
// AnchorSignature is the signature from the anchor system (e.g., Nostr/secp256k1).
// NOTE(review): presumably by the key identified by AnchorID over the same
// binding data — confirm against the Verify implementation.
AnchorSignature string `json:"anchor_signature"`
// Timestamp is when the anchor was created. Nothing in this struct attests it;
// treat it as asserted by the publisher.
Timestamp time.Time `json:"timestamp"`
// RecoveryKeys lists public keys authorized for identity recovery. They travel
// inside the anchor, so they are only as trustworthy as the anchor's signatures.
RecoveryKeys []string `json:"recovery_keys,omitempty"`
// Domain is the optional DNS-verified domain binding.
Domain string `json:"domain,omitempty"`
// ChainID is the reference in the anchoring system (e.g., event ID).
ChainID string `json:"chain_id,omitempty"`
}
Anchor represents a published identity assertion that binds an Ed25519 key to an external identity anchor (e.g., Nostr npub).
type DomainVerifier ¶
// DomainVerifier verifies DNS TXT record domain bindings. It carries no state;
// construct it with NewDomainVerifier.
type DomainVerifier struct{}
DomainVerifier verifies DNS TXT record domain bindings.
func NewDomainVerifier ¶
func NewDomainVerifier() *DomainVerifier
NewDomainVerifier creates a new domain verifier.
type IdentityAnchor ¶
// IdentityAnchor is the interface for publishing and verifying identity anchors
// on an external system (e.g. Nostr).
type IdentityAnchor interface {
// Publish creates or updates an identity anchor on the external system and
// returns the system's reference for it (e.g. an event ID).
Publish(ctx context.Context, anchor Anchor) (chainID string, err error)
// Verify checks if an identity anchor is valid and authentic. A false result
// with a nil error means the anchor was checked and rejected; a non-nil error
// means the check could not be completed.
Verify(ctx context.Context, anchor Anchor) (bool, error)
// Resolve looks up the current identity anchor for a given public key.
Resolve(ctx context.Context, pubKey string) (*Anchor, error)
// RecoveryKeys returns the authorized recovery keys for a public key. Callers
// should rely on them only after the underlying anchor passes Verify.
RecoveryKeys(ctx context.Context, pubKey string) ([]string, error)
}
IdentityAnchor defines the interface for publishing and verifying identity anchors.
type NostrAnchor ¶
// NostrAnchor implements IdentityAnchor using Nostr replaceable events and a
// bidirectional key binding: the Ed25519 key signs the Nostr key and the Nostr
// key signs the Ed25519 key. Construct it with NewNostrAnchor.
type NostrAnchor struct {
// contains filtered or unexported fields
}
NostrAnchor implements IdentityAnchor using Nostr replaceable events. It creates a bidirectional key binding: Ed25519 signs the Nostr key, and the Nostr key signs the Ed25519 key.
func NewNostrAnchor ¶
func NewNostrAnchor(relayURLs []string) *NostrAnchor
NewNostrAnchor creates a new Nostr-based identity anchor.
func (*NostrAnchor) Publish ¶
Publish creates or updates an identity anchor as a Nostr replaceable event (kind 10078). In a full implementation this would connect to the configured relays and publish the event. Currently it contacts no relay: it returns the anchor data that would be published, so the returned chainID is not evidence that any relay stored or accepted the event, and callers must not treat it as proof of publication.
func (*NostrAnchor) RecoveryKeys ¶
RecoveryKeys returns the recovery keys carried in the anchor for the given public key. Because they are part of the anchor itself, they are only as trustworthy as that anchor's signature checks; verify the anchor before honoring its recovery list.
type RecoveryConfig ¶
// RecoveryConfig holds the configuration for identity recovery: the set of keys
// that may authorize a recovery and how many of them must agree.
type RecoveryConfig struct {
// RecoveryKeys are the public keys authorized for recovery.
RecoveryKeys []string
// Threshold is the minimum number of recovery keys required (threshold-of-n).
// A usable value lies in 1..len(RecoveryKeys); NewRecoveryManager is the place
// where other values are expected to be rejected — verify against it.
Threshold int
}
RecoveryConfig holds the configuration for identity recovery.
type RecoveryManager ¶
// RecoveryManager handles multi-signature (threshold-of-n) identity recovery.
// Construct it with NewRecoveryManager so the configuration is validated.
type RecoveryManager struct {
// contains filtered or unexported fields
}
RecoveryManager handles multi-signature identity recovery.
func NewRecoveryManager ¶
func NewRecoveryManager(config RecoveryConfig) (*RecoveryManager, error)
NewRecoveryManager creates a new recovery manager.
func (*RecoveryManager) AuthorizedKeys ¶
func (rm *RecoveryManager) AuthorizedKeys() []string
AuthorizedKeys returns the list of authorized recovery keys.
func (*RecoveryManager) RequiredSignatures ¶
func (rm *RecoveryManager) RequiredSignatures() int
RequiredSignatures returns the number of signatures needed for recovery.
func (*RecoveryManager) ValidateRecovery ¶
func (rm *RecoveryManager) ValidateRecovery(req RecoveryRequest) (bool, error)
ValidateRecovery checks whether a recovery request carries enough valid signatures. It verifies that at least `threshold` of the configured recovery keys have signed the recovery data (old_pub_key + new_pub_key); signatures from keys outside the configured set do not count toward the threshold, and each configured key can contribute at most once since the request maps one signature per key. As documented, the signed data contains no nonce or expiry, so a captured valid request remains replayable — confirm whether the caller adds freshness on top.
type RecoveryRequest ¶
// RecoveryRequest is a request to rebind an identity from OldPubKey to NewPubKey,
// authorized by signatures from the configured recovery keys.
type RecoveryRequest struct {
// OldPubKey is the public key being recovered.
OldPubKey string `json:"old_pub_key"`
// NewPubKey is the new public key to bind.
NewPubKey string `json:"new_pub_key"`
// Signatures maps recovery key -> signature over the recovery data. Because it
// is a map, a given recovery key appears at most once and so can be counted
// toward the threshold at most once.
Signatures map[string]string `json:"signatures"`
}
RecoveryRequest represents a request to recover an identity.