diff --git a/CLAUDE.md b/CLAUDE.md index 211094a..23e179d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -7,8 +7,8 @@ This repo will evolve as we learn things. Expect experimentation. ## AAuth Specification The evolving AAuth specification lives in a separate repo: -- Local path: `../../DickHardt/AAuth` -- GitHub: https://github.com/DickHardt/AAuth +- Local path: `../AAuth-spec` +- GitHub: https://github.com/dickhardt/AAuth Key spec documents: - `README.md` — full specification overview diff --git a/README.md b/README.md index a43b68c..19785ba 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # AAuth — Agent Auth for MCP -TypeScript packages for adding [AAuth](https://github.com/DickHardt/AAuth) (Agent Auth) to MCP servers and agents. +TypeScript packages for adding [AAuth](https://github.com/dickhardt/AAuth) (Agent Auth) to MCP servers and agents. AAuth is an agent-aware authentication protocol that lets AI agents prove their identity and obtain authorization using HTTP Message Signatures and JWTs. 
@@ -8,9 +8,12 @@ AAuth is an agent-aware authentication protocol that lets AI agents prove their | Package | Description | |---------|-------------| +| [`@aauth/bootstrap`](./bootstrap) | CLI for setting up AAuth agent keys, person server registration, and hosting | +| [`@aauth/fetch`](./fetch) | CLI for making AAuth-authenticated HTTP requests | | [`@aauth/mcp-agent`](./mcp-agent) | Agent-side AAuth: signed fetch, challenge-response, token exchange | | [`@aauth/mcp-server`](./mcp-server) | Server-side AAuth: token verification, challenge building, resource tokens | -| [`@aauth/local-keys`](./local-keys) | Local dev key management via OS keychain | +| [`@aauth/local-keys`](./local-keys) | Library for managing AAuth agent signing keys across hardware and software backends | +| [`@aauth/hardware-keys`](./hardware-keys) | Native bindings for YubiKey PIV and macOS Secure Enclave | | [`@aauth/mcp-stdio`](./mcp-stdio) | stdio-to-HTTP proxy with AAuth signatures | | [`@aauth/mcp-openclaw`](./mcp-openclaw) | OpenClaw plugin for AAuth-authenticated MCP connections | @@ -80,10 +83,12 @@ const token = await createResourceToken({ resource, authServer, agent, agentJkt ### Local development ```bash -# Generate a key pair and store in OS keychain -npx @aauth/local-keys https://yourusername.github.io +# Generate keys, register with a person server, and publish them +npx @aauth/bootstrap --ps https://hello.coop ``` +See [`@aauth/bootstrap`](./bootstrap) for the full setup flow. + ## Protocol Support This implementation covers the core AAuth protocol flows. The following spec features are **not yet supported**: @@ -93,7 +98,7 @@ This implementation covers the core AAuth protocol flows. The following spec fea ## Specification -The AAuth protocol specification: [github.com/DickHardt/AAuth](https://github.com/DickHardt/AAuth) +The AAuth protocol specification: [github.com/dickhardt/AAuth](https://github.com/dickhardt/AAuth) ## License 
diff --git a/bootstrap/README.md b/bootstrap/README.md new file mode 100644 index 0000000..94bfc34 --- /dev/null +++ b/bootstrap/README.md 
@@ -0,0 +1,92 @@ +# @aauth/bootstrap + +CLI for setting up AAuth agent keys, registering with a person server, and publishing keys to a hosting platform. + +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). + +## Quick Start + +```bash +# Generate keys, register with a person server, and walk through hosting setup +npx @aauth/bootstrap --ps https://hello.coop +``` + +The bootstrap flow detects available key backends (YubiKey PIV, macOS Secure Enclave, software), generates keys on the strongest available backend, registers your agent with a person server, and bundles agent skills that walk you through publishing keys on platforms like GitHub Pages, GitLab Pages, Cloudflare Pages, and Netlify. + +## Commands + +``` +npx @aauth/bootstrap [options] + +Commands: + discover List available key backends (JSON) + generate [options] Generate a key pair, output public JWK (JSON) + sign-token [options] Sign an agent token with ephemeral cnf (JSON) + public-key [options] Output public key(s) (JSON) + add-agent [opts] Register an agent URL in config + config Dump ~/.aauth/config.json + show Human-readable status overview + skill List available skills (JSON) + skill Show full skill instructions + help Show this help +``` + +### Generate options + +``` +--backend software (default), yubikey-piv, secure-enclave +--algorithm EdDSA (default for software), ES256, RS256 +--agent Associate key with an agent URL +``` + +### Sign-token options + +``` +--agent Agent URL (required) +--agent-id Agent identifier (default: from config) +--lifetime Token lifetime (default: 3600) +``` + +### Person server bootstrap + +Can be combined with any command: + +``` +--person-server Bootstrap with person server (alias: --ps) +--local Local part of agent identifier (default: "local") +--login-hint Hint about who to authorize +--domain-hint Domain/org routing hint +--provider-hint Upstream identity provider hint 
+--tenant Tenant identifier +``` + +## For AI Agents + +If you are an AI agent helping a user set up AAuth, **do not guess what is available**. Run the CLI to detect the user's environment first: + +```bash +# 1. Detect available hardware and software backends +npx @aauth/bootstrap discover + +# 2. Check current state (existing agents, keys, hosting) +npx @aauth/bootstrap show + +# 3. Load the setup skill for step-by-step instructions +npx @aauth/bootstrap skill setup + +# 4. List available hosting platform skills +npx @aauth/bootstrap skill +``` + +The `discover` output tells you what key backends are available on this machine. Use that — not assumptions — to guide key generation. Hardware backends (Secure Enclave, YubiKey) are always preferred over software (OS keychain). + +The `skill` commands return structured instructions for the setup flow and each hosting platform. Load and follow these rather than improvising. + +## Related Packages + +- [`@aauth/local-keys`](../local-keys) — underlying library for key management and signing (use this from other packages) +- [`@aauth/fetch`](../fetch) — CLI for making AAuth-authenticated HTTP requests + +## License + +MIT diff --git a/bootstrap/skills/platforms/cloudflare-pages.md b/bootstrap/skills/platforms/cloudflare-pages.md index d040043..eb7e73a 100644 --- a/bootstrap/skills/platforms/cloudflare-pages.md +++ b/bootstrap/skills/platforms/cloudflare-pages.md @@ -19,7 +19,7 @@ The user wants to publish their AAuth agent metadata and public keys via Cloudfl ## Prerequisites - `@aauth/local-keys` is installed -- Keys have been generated (run `npx @aauth/local-keys show` to check) +- Keys have been generated (run `npx @aauth/bootstrap show` to check) - Cloudflare account - `wrangler` CLI installed (`npm install -g wrangler`) and authenticated (`wrangler login`), OR a git repo connected to Cloudflare Pages 
@@ -37,7 +37,7 @@ Ask the user which they plan to use. Run: ``` -npx @aauth/local-keys public-key +npx @aauth/bootstrap public-key ``` ### 2. Create or locate the project diff --git a/bootstrap/skills/platforms/github-pages.md b/bootstrap/skills/platforms/github-pages.md index 7261741..d11d459 100644 --- a/bootstrap/skills/platforms/github-pages.md +++ b/bootstrap/skills/platforms/github-pages.md @@ -20,7 +20,7 @@ The user wants to publish their AAuth agent metadata and public keys via GitHub ## Prerequisites - `@aauth/local-keys` is installed -- Keys have been generated (run `npx @aauth/local-keys show` to check) +- Keys have been generated (run `npx @aauth/bootstrap show` to check) - `gh` CLI is authenticated ## Steps @@ -33,7 +33,7 @@ Ask the user for their GitHub Pages URL if not obvious. It will be `https://user Run: ``` -npx @aauth/local-keys public-key +npx @aauth/bootstrap public-key ``` This outputs all local public keys as JSON. Each key includes an `aauth` metadata object with `device` and `created` fields. diff --git a/bootstrap/skills/platforms/gitlab-pages.md b/bootstrap/skills/platforms/gitlab-pages.md index f3261a3..85429bf 100644 --- a/bootstrap/skills/platforms/gitlab-pages.md +++ b/bootstrap/skills/platforms/gitlab-pages.md @@ -20,7 +20,7 @@ The user wants to publish their AAuth agent metadata and public keys via GitLab ## Prerequisites - `@aauth/local-keys` is installed -- Keys have been generated (run `npx @aauth/local-keys show` to check) +- Keys have been generated (run `npx @aauth/bootstrap show` to check) - GitLab account - `glab` CLI installed and authenticated (`glab auth login`), OR `git` configured for GitLab @@ -36,7 +36,7 @@ For the simplest setup, use the user Pages site: create a repo named `username.g Run: ``` -npx @aauth/local-keys public-key +npx @aauth/bootstrap public-key ``` ### 2. Locate or create the GitLab Pages repo 
diff --git a/bootstrap/skills/platforms/netlify.md b/bootstrap/skills/platforms/netlify.md index 09d808f..34effee 100644 --- a/bootstrap/skills/platforms/netlify.md +++ b/bootstrap/skills/platforms/netlify.md @@ -19,7 +19,7 @@ The user wants to publish their AAuth agent metadata and public keys via Netlify ## Prerequisites - `@aauth/local-keys` is installed -- Keys have been generated (run `npx @aauth/local-keys show` to check) +- Keys have been generated (run `npx @aauth/bootstrap show` to check) - Netlify account ## Agent URL @@ -36,7 +36,7 @@ Ask the user which they plan to use. Run: ``` -npx @aauth/local-keys public-key +npx @aauth/bootstrap public-key ``` ### 2. Create or locate the project diff --git a/bootstrap/skills/setup.md b/bootstrap/skills/setup.md index e929bee..828061f 100644 --- a/bootstrap/skills/setup.md +++ b/bootstrap/skills/setup.md @@ -11,8 +11,8 @@ when: User wants to create an AAuth agent identity, generate keys, add a key fro Before giving the user ANY guidance, you MUST run these commands and use the output to determine what is available: ``` -npx @aauth/local-keys discover -npx @aauth/local-keys show +npx @aauth/bootstrap discover +npx @aauth/bootstrap show ``` Do NOT assume which backends are available. Do NOT suggest EdDSA or OS keychain keys unless `discover` shows no hardware backends. The discovery output is the source of truth for what this machine supports. 
@@ -51,9 +51,9 @@ Do NOT pick a hosting platform or agent URL without asking the user. If the user already has an agent identity set up and wants to add a key from a new device (e.g. they got a new YubiKey, or they're on a new Mac with a Secure Enclave): -1. Check existing setup: `npx @aauth/local-keys show` -2. Discover backends: `npx @aauth/local-keys discover` -3. Generate a key on the new hardware: `npx @aauth/local-keys generate --backend --agent ` +1. Check existing setup: `npx @aauth/bootstrap show` +2. Discover backends: `npx @aauth/bootstrap discover` +3. Generate a key on the new hardware: `npx @aauth/bootstrap generate --backend --agent ` 4. Add the new public key to the existing JWKS on the hosting platform (load the appropriate platform skill) 5. The new key will be used automatically — key resolution matches any published key that has a local private key @@ -63,7 +63,7 @@ If the user already has an agent identity set up and wants to add a key from a n Run: ``` -npx @aauth/local-keys discover +npx @aauth/bootstrap discover ``` This returns a JSON array of available backends with their supported algorithms. You MUST run this and use the output — do not skip this step. @@ -73,8 +73,8 @@ This returns a JSON array of available backends with their supported algorithms. For each hardware backend in the discovery output, generate a key and associate it with the agent URL: ``` -npx @aauth/local-keys generate --backend yubikey-piv --agent -npx @aauth/local-keys generate --backend secure-enclave --agent +npx @aauth/bootstrap generate --backend yubikey-piv --agent +npx @aauth/bootstrap generate --backend secure-enclave --agent ``` Each command outputs JSON with: 
@@ -83,19 +83,19 @@ Each command outputs JSON with: **Only generate a software key if no hardware backends are available:** ``` -npx @aauth/local-keys generate --agent +npx @aauth/bootstrap generate --agent ``` ### 3. Set the person server The person server URL is included as the `ps` claim in agent tokens. Set it during setup: ``` -npx @aauth/local-keys add-agent --person-server +npx @aauth/bootstrap add-agent --person-server ``` The default person server is `https://issuer.hello.coop`. If the user doesn't specify one, use the default: ``` -npx @aauth/local-keys add-agent --person-server https://issuer.hello.coop +npx @aauth/bootstrap add-agent --person-server https://issuer.hello.coop ``` ### 4. Choose a hosting platform @@ -111,7 +111,7 @@ const platforms = listPlatforms() Or via CLI: ``` -npx @aauth/local-keys skill +npx @aauth/bootstrap skill ``` Platform skills are in `skills/platforms/`. Each platform's front matter includes discovery metadata: @@ -148,14 +148,14 @@ Also mention that any static HTTPS hosting works — the platforms with skills j After the user chooses, register the hosting platform: ``` -npx @aauth/local-keys add-agent --hosting --repo +npx @aauth/bootstrap add-agent --hosting --repo ``` ### 5. Publish keys using the platform skill Load the full instructions for the chosen platform: ``` -npx @aauth/local-keys skill +npx @aauth/bootstrap skill ``` Follow the skill instructions to publish the keys. @@ -163,7 +163,7 @@ Follow the skill instructions to publish the keys. ### 6. Verify setup ``` -npx @aauth/local-keys show +npx @aauth/bootstrap show ``` This shows all configured agents, their keys, and which backends are available. diff --git a/fetch/README.md b/fetch/README.md new file mode 100644 index 0000000..8121827 --- /dev/null +++ b/fetch/README.md 
@@ -0,0 +1,92 @@ +# @aauth/fetch + +CLI for making AAuth-authenticated HTTP requests. Handles HTTP Message Signatures, agent tokens, and the full AAuth authorization flow including R3 (Rich Resource Requests). + +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). + +## Prerequisites + +The agent must be bootstrapped with a person server before making authorized requests. Use [`@aauth/bootstrap`](../bootstrap): + +```bash +npx @aauth/bootstrap --ps https://hello.coop +``` + +## Quick Start + +```bash +# Call an AAuth-protected API — handles 401 challenges and auth flow automatically +npx @aauth/fetch https://whoami.aauth.dev + +# Request specific scopes +npx @aauth/fetch "https://whoami.aauth.dev?scope=email+profile" +``` + +## Authorize-then-call (recommended for multi-call workflows) + +Capture an auth token once, then reuse it for subsequent calls. + +```bash +# 1. Authorize and capture tokens (writes JSON to stdout) +npx @aauth/fetch --authorize "https://whoami.aauth.dev?scope=email" + +# For R3 resources, POST to the authorize endpoint with operations: +npx @aauth/fetch --authorize https://notes.aauth.dev/authorize \ + --operations listNotes,createNote +``` + +Returns the auth token and ephemeral signing key. Save them and pass back in via JSON stdin to avoid exposing keys on the process command line. + +## Usage + +``` +aauth-fetch [options] + +Meta: + --skill Output LLM-readable usage guide + +Modes: + --authorize Auth only: return authToken + signingKey JSON + --agent-only Sign with agent token only, don't handle 401 + --operations R3 operationIds (comma-separated, with --authorize) + --scope Requested scopes + +Request: + -X, --method HTTP method (default: GET) + -d, --data Request body (use - for stdin) + -H, --header
Additional header (repeatable) + --json Read full request from stdin as JSON + +AAuth: + --agent-url Agent URL (default: from config) + --local Local part of agent identifier (default: from config) + --auth-token Pre-existing auth token + --signing-key Ephemeral private key (with --auth-token) + --person-server Override person server URL + +Hints & prompt: + --login-hint Hint about who to authorize (user/account) + --domain-hint Domain/org hint for identity provider routing + --tenant Tenant identifier for multi-tenant systems + --justification Markdown explaining why access is needed + +Capabilities: + --capabilities Agent capabilities: interaction, clarification, payment + +Interaction: + --browser Force open browser for consent + --no-browser Never open browser +``` + +## For AI Agents + +Run `npx @aauth/fetch --skill` to print a structured LLM-readable usage guide covering discovery, one-shot requests, the authorize-then-call workflow, and how to pipe JSON tokens between calls. + +## Related Packages + +- [`@aauth/bootstrap`](../bootstrap) — set up agent keys and register with a person server (run this first) +- [`@aauth/mcp-agent`](../mcp-agent) — programmatic agent-side AAuth for use inside applications + +## License + +MIT diff --git a/hardware-keys/README.md b/hardware-keys/README.md new file mode 100644 index 0000000..0e14af4 --- /dev/null +++ b/hardware-keys/README.md 
@@ -0,0 +1,49 @@ +# @aauth/hardware-keys + +Native bindings for hardware key backends used by AAuth: YubiKey PIV and macOS Secure Enclave. Built with [napi-rs](https://napi.rs/) and shipped as prebuilt binaries for macOS (Apple Silicon + Intel), Linux x86_64, and Windows x86_64. + +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). + +> Most users do not depend on this package directly. It is loaded as an optional dependency of [`@aauth/local-keys`](../local-keys), which provides a higher-level API with automatic key resolution and fallback to software keys. + +## Install + +```bash +npm install @aauth/hardware-keys +``` + +The right prebuilt binary for your platform is selected automatically. If no prebuilt is available, key operations on hardware backends will be unavailable but the package will still load. + +## Supported Backends + +| Backend | Algorithm | Platform | Notes | +|---------|-----------|----------|-------| +| `yubikey-piv` | ES256, RS256 | macOS, Linux, Windows | Uses slot 9e (no PIN required) | +| `secure-enclave` | ES256 | macOS (Apple Silicon) | Keys never leave the Secure Enclave | + +## API + +```ts +import { discover, generateKey, signHash, listKeys } from '@aauth/hardware-keys' + +// Discover available hardware backends +const backends = discover() +// [{ backend: 'yubikey-piv', description: '...', algorithms: ['ES256'], deviceId: '9570775' }] + +// Generate a key on a backend +const key = generateKey('yubikey-piv', 'ES256') +// { backend, keyId, algorithm, publicJwk } + +// Sign a SHA-256 hash with an existing key +const result = signHash('yubikey-piv', '9e', hashBuffer) +// { signature: Buffer, algorithm: 'ES256' } + +// List existing keys on a backend +const keys = listKeys('secure-enclave') +``` + +For most uses, prefer the higher-level [`@aauth/local-keys`](../local-keys) API which handles backend discovery, key resolution against published 
JWKS, and graceful fallback between hardware and software keys. + +## License + +MIT diff --git a/local-keys/README.md b/local-keys/README.md index 41a6742..9275289 100644 --- a/local-keys/README.md +++ b/local-keys/README.md 
@@ -1,30 +1,10 @@ # @aauth/local-keys -Manage AAuth agent signing keys across hardware and software backends. Supports YubiKey PIV, macOS Secure Enclave, and OS keychain — with automatic key resolution that prefers hardware keys and tolerates devices being unavailable. +Library for managing AAuth agent signing keys across hardware and software backends. Supports YubiKey PIV, macOS Secure Enclave, and OS keychain — with automatic key resolution that prefers hardware keys and tolerates devices being unavailable. -Part of the [AAuth](https://github.com/AAuth-dev/packages-js) project. +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). -## For AI Agents - -If you are an AI agent helping a user set up AAuth, **do not guess what is available**. You MUST run the CLI commands to detect the user's environment before giving any guidance: - -```bash -# 1. REQUIRED FIRST STEP: detect available hardware and software backends -npx @aauth/local-keys discover - -# 2. Check current state (existing agents, keys, backends) -npx @aauth/local-keys show - -# 3. Load the setup skill for step-by-step instructions -npx @aauth/local-keys skill setup - -# 4. List available hosting platforms -npx @aauth/local-keys skill -``` - -The `discover` output tells you what key backends are available on this machine. Use that — not assumptions — to guide key generation. Hardware backends (Secure Enclave, YubiKey) are always preferred over software (OS keychain). Do not suggest software keys if hardware is available. - -The `skill` commands return structured instructions for the setup flow and each hosting platform. Load and follow these rather than improvising. +> **Looking for a CLI?** This package is a library. The CLI for setting up agent keys, registering with a person server, and publishing keys is [`@aauth/bootstrap`](../bootstrap). Run `npx @aauth/bootstrap --ps https://hello.coop` to get started. 
## Install @@ -32,31 +12,6 @@ The `skill` commands return structured instructions for the setup flow and each npm install @aauth/local-keys ``` -## Quick Start - -```bash -# See what key backends are available -npx @aauth/local-keys discover - -# Generate keys on available hardware -npx @aauth/local-keys generate \ - --backend yubikey-piv --agent https://you.github.io -npx @aauth/local-keys generate \ - --backend secure-enclave --agent https://you.github.io - -# Set up hosting and person server -npx @aauth/local-keys add-agent https://you.github.io \ - --person-server https://hello.coop \ - --hosting github-pages --repo you/you.github.io - -# Publish keys (platform-specific instructions) -npx @aauth/local-keys skill github-pages - -# Sign an agent token -npx @aauth/local-keys sign-token \ - --agent https://you.github.io --delegate claude -``` - ## Key Backends | Backend | Algorithm | Platform | Storage | @@ -65,7 +20,7 @@ npx @aauth/local-keys sign-token \ | `secure-enclave` | ES256 | macOS (Apple Silicon) | Secure Enclave hardware | | `software` | EdDSA, ES256 | All | OS keychain | -Generate keys on **all available hardware backends** for redundancy. Only use software keys if no hardware is available. If a YubiKey is unplugged, signing automatically falls back to the next available key. +Hardware keys are always preferred over software keys. If a YubiKey is unplugged, signing automatically falls back to the next available key. ## API 
@@ -109,20 +64,6 @@ const key = await resolveKey('https://you.github.io') // { backend: 'yubikey-piv', keyId: '9e', kid: '2026-04-09_a3f', algorithm: 'ES256', publicJwk: {...} } ``` -### `listSkills(): SkillSummary[]` / `getSkill(name): Skill` - -Discover and load agent skill instructions bundled with the package. - -```ts -import { listSkills, getSkill } from '@aauth/local-keys' - -const skills = listSkills() -// [{ name: 'keygen', description: '...', when: '...' }, ...] - -const skill = getSkill('github.io') -// { name, description, when, requires, body: '# full markdown...' } -``` - ### Config Management ```ts @@ -149,29 +90,6 @@ setHosting('https://you.github.io', { }) ``` -## CLI - -``` -npx @aauth/local-keys discover # list backends -npx @aauth/local-keys generate [opts] # generate key - --backend # yubikey-piv, secure-enclave, software - --algorithm # ES256 (hw default), EdDSA, RS256 - --agent # associate with agent URL -npx @aauth/local-keys sign-token [opts] # sign token - --agent # agent URL (optional if configured) - --delegate # delegate name (required) - --lifetime # token lifetime (default: 3600) -npx @aauth/local-keys add-agent # register agent - --person-server - --hosting # github-pages, cloudflare-pages, etc. - --repo -npx @aauth/local-keys public-key [--agent ] -npx @aauth/local-keys skill # list skills -npx @aauth/local-keys skill # show skill -npx @aauth/local-keys config # dump config -npx @aauth/local-keys show # status overview -``` - ## Config File `~/.aauth/config.json`: 
@@ -204,26 +122,7 @@ npx @aauth/local-keys show # status overview } ``` -## Skills - -Skills are agent-readable instructions bundled with the package for common tasks. Use `listSkills()` or `npx @aauth/local-keys skill` to discover them. - -| Skill | Description | -|-------|-------------| -| `setup` | Generate signing keys, add keys from new devices, choose a hosting platform | - -Platform skills (in `skills/platforms/`): - -| Platform Skill | Description | -|----------------|-------------| -| `github-pages` | Publish to GitHub Pages | -| `gitlab-pages` | Publish to GitLab Pages | -| `cloudflare-pages` | Publish to Cloudflare Pages | -| `netlify` | Publish to Netlify | - -Platform skills include discovery metadata (CLI detection, auth checks) in their front matter so the `setup` skill can dynamically detect which platforms the user has available. - -**Contributing platform skills**: We welcome PRs for additional hosting platforms. Add a file to [`skills/platforms/`](./skills/platforms/) with YAML front matter including `name`, `description`, `when`, `detect_cli`, `detect_auth`, `pros`, `cons`, and `agentUrlPattern`. See the existing platform skills for the format. +This file is written by [`@aauth/bootstrap`](../bootstrap) and read by every package that needs to sign as the agent. ## Key Resolution diff --git a/mcp-agent/README.md b/mcp-agent/README.md index 44c6edd..7dda045 100644 --- a/mcp-agent/README.md +++ b/mcp-agent/README.md @@ -2,7 +2,7 @@ Agent-side AAuth for MCP. Handles signed HTTP requests, AAuth challenge-response flows, token exchange with auth servers, and 202 deferred/interaction polling. -See the [AAuth repo](https://github.com/AAuth-dev/packages-js) for protocol overview. +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). ## Install diff --git a/mcp-openclaw/README.md b/mcp-openclaw/README.md index 4010598..e918fd9 100644 --- a/mcp-openclaw/README.md 
+++ b/mcp-openclaw/README.md @@ -2,7 +2,7 @@ OpenClaw plugin for connecting to AAuth-authenticated MCP servers. Discovers remote tools via MCP and registers them as OpenClaw tools with AAuth signing. -See the [AAuth repo](https://github.com/AAuth-dev/packages-js) for protocol overview. +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). ## Install diff --git a/mcp-server/README.md b/mcp-server/README.md index e04dc27..70acd2f 100644 --- a/mcp-server/README.md +++ b/mcp-server/README.md @@ -2,7 +2,7 @@ Server-side AAuth for MCP. Verifies signed requests, validates agent and auth tokens, builds AAuth challenge headers, creates resource tokens, and manages 202 interaction flows. -See the [AAuth repo](https://github.com/AAuth-dev/packages-js) for protocol overview. +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). ## Install diff --git a/mcp-stdio/README.md b/mcp-stdio/README.md index 1cd59ba..8a77f02 100644 --- a/mcp-stdio/README.md +++ b/mcp-stdio/README.md @@ -2,7 +2,7 @@ Stdio-to-HTTP proxy for MCP with AAuth signatures. Bridges a local stdio MCP client (like Claude Code) to a remote HTTP MCP server, signing all requests with AAuth. -See the [AAuth repo](https://github.com/AAuth-dev/packages-js) for protocol overview. +Part of [aauth-dev/packages-js](https://github.com/aauth-dev/packages-js). Protocol spec: [dickhardt/AAuth](https://github.com/dickhardt/AAuth). ## Install diff --git a/package-lock.json b/package-lock.json index 23f2d99..59fa73a 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -151,6 +151,61 @@ "resolved": "hardware-keys", "link": true }, + "node_modules/@aauth/hardware-keys-darwin-arm64": { + "version": "0.8.1", + "resolved": "https://registry.npmjs.org/@aauth/hardware-keys-darwin-arm64/-/hardware-keys-darwin-arm64-0.8.1.tgz", + "integrity": "sha512-ncayAyZsRGbM3LzeAr57iRgXTA0wtKEDs+F4HCBXBRIuxeqI38x/R74PuKT4902pGdZInrbSUcY8MziebmlaLA==", + "cpu": [ + "arm64" + ], + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@aauth/hardware-keys-darwin-x64": { + "version": "0.8.1", + "resolved": "https://registry.npmjs.org/@aauth/hardware-keys-darwin-x64/-/hardware-keys-darwin-x64-0.8.1.tgz", + "integrity": "sha512-GRkHnn5ocwOSg7WfmHY9pa6Td/+LVwCdOYm6D8UKA+5cZEdi+w9PQaZd+/aqTJzi6yt6d6XIcu9DDSKj+aq8yQ==", + "cpu": [ + "x64" + ], + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@aauth/hardware-keys-linux-x64-gnu": { + "version": "0.8.1", + "resolved": "https://registry.npmjs.org/@aauth/hardware-keys-linux-x64-gnu/-/hardware-keys-linux-x64-gnu-0.8.1.tgz", + "integrity": "sha512-HYfgOjaygO8LWYMZwRHH3mb4Ky2eycXb0Svj1GgicCO4qrv9Cue52CGO2DomLAytyrTtLmzmeFle94QyN/oTTA==", + "cpu": [ + "x64" + ], + "libc": [ + "glibc" + ], + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@aauth/hardware-keys-win32-x64-msvc": { + "version": "0.8.1", + "resolved": "https://registry.npmjs.org/@aauth/hardware-keys-win32-x64-msvc/-/hardware-keys-win32-x64-msvc-0.8.1.tgz", + "integrity": "sha512-n23MPcdX5VeAsP7DTNYUJ4Lr1O0DS5+ftlAAS49vDOMRs+6QOH0UAhnakdHDRQAxB8WXrYbFduLzrWR0ojfw5Q==", + "cpu": [ + "x64" + ], + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, "node_modules/@aauth/local-keys": { "resolved": "local-keys", "link": true
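Review bot: In the new bootstrap/README.md, the Generate options list `--backend software (default)`, which conflicts with the Quick Start claim that the flow "generates keys on the strongest available backend" and with the For AI Agents line that hardware backends "are always preferred over software". A reader or agent running `generate` without `--backend` gets a software key even when a YubiKey or Secure Enclave is present. Either state next to the option that only the top-level bootstrap flow auto-selects hardware and that bare `generate` does not, or change the default so the command matches the stated preference.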
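Review bot: In the Prerequisites hunks of all four bootstrap/skills/platforms/*.md files, the unchanged context line "`@aauth/local-keys` is installed" is now stale. The very next line checks state with `npx @aauth/bootstrap show`, and the local-keys README in this same patch says that package is a library with no CLI. Update the prerequisite to name `@aauth/bootstrap`, or drop it, so an agent following the skill does not install the wrong package before running the bootstrap commands.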
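Review bot: In bootstrap/skills/setup.md, step "3. Set the person server" states the default is `https://issuer.hello.coop`, while the root README, bootstrap/README.md, fetch/README.md and the new local-keys callout all use `--ps https://hello.coop`. The person server URL ends up as the `ps` claim in agent tokens, so the two forms are not interchangeable unless the CLI normalizes them. Pick one canonical URL across the docs, or add a sentence saying that both resolve to the same person server and which value is written into the token.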
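Review bot: In bootstrap/skills/setup.md, the "you MUST run these commands" block (and every other changed command in this file) uses an unpinned `npx @aauth/bootstrap ...`, and the text tells agents to load the skill output and follow it. When the package is not already installed, npx resolves whatever version the registry currently serves, so the instructions an agent executes during key generation depend on the latest published release. Consider documenting a pinned form such as `npx @aauth/bootstrap@<version>` or requiring a local install first, so the key-setup flow runs a known version.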
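Review bot: In the new fetch/README.md, the "Authorize-then-call" section says to pass the token and key back "via JSON stdin to avoid exposing keys on the process command line", but the Usage block documents `--signing-key` ("Ephemeral private key (with --auth-token)") with no such caveat, and there is no example of the second call. Add the follow-up invocation using `--json` so the safe path is the one people copy, and mark `--signing-key` as visible in process listings and shell history. Since `--authorize` writes the private key to stdout, a line on where to keep that output (not in logs or a world-readable file) would also help.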
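Review bot: In the new hardware-keys/README.md, the Supported Backends table notes that `yubikey-piv` "Uses slot 9e (no PIN required)" without saying what that means for the signing key. With no PIN, any local process that can reach the device can request signatures while the YubiKey is plugged in, so the hardware protects against key extraction but not against use. State that trade-off in the Notes column or below the table, and say whether `generateKey` sets a touch policy on the slot. Separately, the `discover()` example shows `algorithms: ['ES256']` for `yubikey-piv` while the table lists ES256 and RS256; align the two.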
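Review bot: In local-keys/README.md, the hunk that deletes the Skills section also drops the "Contributing platform skills" guidance (the required front matter fields `name`, `description`, `when`, `detect_cli`, `detect_auth`, `pros`, `cons`, `agentUrlPattern`), and the new bootstrap/README.md does not pick it up. Move that paragraph and the platform skill table into bootstrap/README.md, since the skills now live under bootstrap/skills/. The removed CLI section also documented `sign-token --delegate` as required, while the bootstrap README lists `--agent-id` and no `--delegate`; a short migration note would keep existing scripts from breaking silently.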