Skip to content

razashariff/xat

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
lib
lib
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.js
index.js
 
 
package.json
package.json
 
 
test.js
test.js
 
 

Repository files navigation

XAT

Agent infrastructure for AI. Identity, trust, signing, audit. Zero dependencies.

Based on the x-agent-trust extension registered in the OpenAPI Extensions Registry.

Install

npm install xat-agent

Agent side (sign outbound requests)

const xat = require('xat-agent');

const agent = xat.createAgent({
  provider: xat.providers.file('./agent.key'),  // dev only
  keyid: 'my-agent'
});

// fetch wrapper -- Agent-Signature header added automatically
const res = await agent.fetch('https://api.example.com/v1/pay', {
  method: 'POST',
  body: JSON.stringify({ amount: 500, currency: 'usd' })
});

API side (verify inbound requests)

const xat = require('xat-agent');

app.use('/api', xat.verify({
  resolveKey: async (keyid) => {
    // look up the agent's public key by keyid
    return agents[keyid].publicKeyPem;
  }
}));

app.post('/api/pay', (req, res) => {
  console.log('Verified agent:', req.agent.keyid);
  res.json({ ok: true });
});

JWKS endpoint

app.use(xat.jwks(() => [agentPublicKeyPem]));
// serves /.well-known/agent-trust-keys automatically

Key providers

Private keys never enter XAT memory in production. The signing operation happens inside the provider boundary.

// Dev only -- file on disk
xat.providers.file('./key.pem')

// Dev only -- environment variable
xat.providers.env('XAT_PRIVATE_KEY')

// Production -- AWS KMS (key never leaves HSM)
xat.providers.awsKms({ keyId: 'arn:aws:kms:...' })

// Production -- Google Cloud KMS
xat.providers.gcpKms({ keyName: 'projects/.../cryptoKeyVersions/1' })

// Production -- HashiCorp Vault Transit
xat.providers.vault({ addr: 'https://vault:8200', keyName: 'agent-key' })

// Bring your own
xat.providers.custom({
  sign: async (data) => { /* return base64 signature */ },
  getPublicKey: async () => { /* return PEM */ }
})

Generate keys

const { publicKey, privateKey } = xat.generateKeyPair();

Lint your OpenAPI spec

npm install spectral-x-agent-trust
npx @stoplight/spectral-cli lint openapi.yaml --ruleset node_modules/spectral-x-agent-trust/ruleset.js

Links

Author

Raza Sharif, CyberSecAI Ltd

License

Apache-2.0

About

XAT -- Agent infrastructure for AI. Identity, trust, signing, audit. Zero deps. OpenAPI x-agent-trust.

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages