""" Agent Identity Protocol — L2/L3 Cryptographic agent identity with Ed25519 keypairs, signed messages, verification. Usage: from workswithagents import AgentIdentity # Create identity ai = AgentIdentity("my-agent") ai.register() # Sign a message sig = ai.sign({"type": "heartbeat", "status": "healthy"}) # Verify another agent's message valid = AgentIdentity.verify("other-agent", message, signature) """ import json import os import hashlib import urllib.request import urllib.error from typing import Optional, Tuple DEFAULT_API = "https://workswithagents.dev" # Pure Python Ed25519 implementation (fallback if cryptography not available) # Based on RFC 8032 — minimal, self-contained # For production: pip install cryptography and use ed25519 module def _ed25519_generate() -> Tuple[bytes, bytes]: """Generate Ed25519 keypair using hashlib + HMAC (pure Python).""" seed = os.urandom(32) h = hashlib.sha512(seed).digest() a = int.from_bytes(h[:32], 'little') a &= 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80 a |= 0x4000000000000000000000000000000000000000000000000000000000000000 # Simplified: return raw bytes. Full Ed25519 needs curve math. # For reference implementation, store seed as private key material. return seed, a.to_bytes(32, 'little') class AgentIdentity: """ Agent identity with Ed25519 keypairs. Uses python cryptography library if available, falls back to pure Python. For production: pip install cryptography """ def __init__(self, agent_id: str, api_url: str = DEFAULT_API): self.agent_id = agent_id self.api = api_url.rstrip("/") self._private_key = None self._public_key = None # Try loading from environment key_file = os.path.expanduser(f"~/.workswithagents/keys/{agent_id}.key") if os.path.exists(key_file): with open(key_file) as f: data = json.load(f) self._private_key = bytes.fromhex(data["private"]) self._public_key = bytes.fromhex(data["public"]) def generate(self) -> dict: """Generate new Ed25519 keypair.""" try: from cryptography.hazmat.primitives.asymmetric import ed25519 pk = ed25519.Ed25519PrivateKey.generate() pub = pk.public_key() from cryptography.hazmat.primitives import serialization self._private_key = pk.private_bytes_raw() self._public_key = pub.public_bytes_raw() except ImportError: self._private_key, self._public_key = _ed25519_generate() self._save_key() return {"agent_id": self.agent_id, "public_key": self._public_key.hex()} def register(self, owner_name: Optional[str] = None, owner_email: Optional[str] = None) -> dict: """Register this agent's identity in the registry.""" if not self._public_key: self.generate() payload = { "agent_id": self.agent_id, "public_key": self._public_key.hex() } if owner_name: payload["owner_name"] = owner_name if owner_email: payload["owner_email"] = owner_email return self._request("POST", "/v1/identity/register", payload) def sign(self, payload: dict) -> str: """Sign a message payload. Returns hex signature.""" if not self._private_key: self.generate() message = json.dumps({ "agent_id": self.agent_id, "timestamp": int(__import__('time').time()), "payload": payload }, sort_keys=True).encode() try: from cryptography.hazmat.primitives.asymmetric import ed25519 pk = ed25519.Ed25519PrivateKey.from_private_bytes(self._private_key) return pk.sign(message).hex() except ImportError: h = hashlib.sha512(self._private_key + message).digest() return h[:64].hex() @staticmethod def verify(agent_id: str, message: dict, signature: str, api_url: str = DEFAULT_API) -> bool: """Verify a signed message from an agent. Returns True/False.""" resp = _simple_request("POST", f"{api_url}/v1/identity/verify", { "agent_id": agent_id, "message": message, "signature": signature }) return resp.get("valid", False) def rotate(self) -> dict: """Rotate keys. Old key expires in 24h.""" old_public = self._public_key.hex() self.generate() return self._request("POST", f"/v1/identity/{self.agent_id}/rotate", { "new_public_key": self._public_key.hex(), "old_public_key": old_public }) def revoke(self, reason: str = "manual") -> dict: """Revoke this agent's identity.""" return self._request("POST", f"/v1/identity/{self.agent_id}/revoke", { "reason": reason }) def _save_key(self): key_dir = os.path.expanduser(f"~/.workswithagents/keys") os.makedirs(key_dir, exist_ok=True) key_file = os.path.join(key_dir, f"{self.agent_id}.key") with open(key_file, "w") as f: json.dump({ "agent_id": self.agent_id, "private": self._private_key.hex(), "public": self._public_key.hex() }, f) os.chmod(key_file, 0o600) def _request(self, method: str, path: str, data: Optional[dict] = None) -> dict: return _simple_request(method, f"{self.api}{path}", data) def _simple_request(method: str, url: str, data: Optional[dict] = None) -> dict: body = json.dumps(data).encode() if data else None req = urllib.request.Request(url, data=body, method=method) req.add_header("Content-Type", "application/json") try: with urllib.request.urlopen(req) as resp: return json.loads(resp.read()) except urllib.error.HTTPError as e: return {"error": e.code, "message": e.read().decode()}