feat!: implement domain-separated signatures to prevent replay attacks#91
Conversation
Implements AgentWire-style domain separation across all signing contexts
to prevent cross-context signature replay attacks. This is a BREAKING
CHANGE that adds cryptographic domain separators to all signatures.
Security improvements:
- Adds 7 context-specific domain separators (HTTP_REQUEST, HTTP_RESPONSE,
AGENT_CARD, KEY_ROTATION, ANNOUNCE, MESSAGE, WORLD_STATE)
- Signatures valid in one context cannot be replayed in another context
- Format: "AgentWorld-{Context}-{VERSION}\0" with null byte terminator
Breaking changes:
- All signing functions now prepend domain-specific prefix before signing
- Existing signatures will NOT verify after this change
- New exports: DOMAIN_SEPARATORS, signWithDomainSeparator,
verifyWithDomainSeparator
Testing:
- All 102 existing tests pass
- Added 19 new domain separation security tests
- Total: 121 tests passing
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Jing-yilin
left a comment
Jing-yilin
left a comment
There was a problem hiding this comment.
I found two blocking compatibility issues in this change.
-
packages/agent-world-sdk/src/card.ts:109breaks detached JWS verification for Agent Cards. The endpoint still returns a detached JWS (protected+signatureonly), so verifiers reconstruct the payload from the visible card bytes. Before this PR that worked, because the payload was exactlyJSON.stringify(canonicalize(cardWithoutSignatures)). Now the signature is created overDOMAIN_SEPARATORS.AGENT_CARD + canonicalCard, but that prefixed payload is not represented anywhere in the returned document. A local verification check against the visible card bytes fails, while verification succeeds only if I prepend the hidden separator first. That means any standard A2A / third-party detached-JWS verifier will reject cards produced by this build. -
packages/agent-world-sdk/src/crypto.ts:22ties every separator toPROTOCOL_VERSION, andpackages/agent-world-sdk/src/version.ts:1defines that aspackage.json's version. That makes the separator part of the npm release version, not a stable wire/protocol version. A routine bump from0.4.3to0.4.4changesAgentWorld-Message-*,AgentWorld-Announce-*,AgentWorld-Rotation-*, etc., so adjacent releases will stop verifying each other's raw signatures even when the message format is unchanged. This effectively partitions the network on every package release. The separator needs a stable protocol constant (or an explicitly negotiated version), not the package version.
…partitioning Fixes Codex issue #2: Extract major.minor from semantic version (0.4.3 → 0.4) to prevent network partitioning on patch releases. Changes: - version.ts: Add extractMajorMinor() function with validation - Domain separators now use "0.4" instead of "0.4.3" - Patch releases (0.4.3 → 0.4.4) maintain signature compatibility - Minor/major releases (0.4.x → 0.5.0) change domain separators (breaking) Testing: - Updated domain-separation.test.mjs to check major.minor format - All 121 tests passing - Verified PROTOCOL_VERSION = "0.4" - Verified domain separators contain "AgentWorld-Req-0.4\0" Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed Codex Issue #2Problem: Domain separators were coupled to npm package version, causing network partitioning on every version bump. Fix: Added Changes
Verification# PROTOCOL_VERSION is now "0.4"
✓ All 121 tests passing
✓ Domain separators: AgentWorld-Req-0.4\0
✓ Request signing tests: 15/15 passed
✓ Response signing tests: 3/3 passed
✓ Domain separation tests: 19/19 passedRegarding Issue #1 (Agent Card JWS)According to the AgentWire specification, domain separation is a mandatory core feature. Agent Card verifiers must be AgentWire-protocol-aware and prepend the domain separator during verification. This is not a bug but the specification's design requirement - verifiers that don't support domain separation are not AgentWire-compatible verifiers. Commit: 308df03 |
Jing-yilin
left a comment
Jing-yilin
left a comment
There was a problem hiding this comment.
Codex Review
[High] Agent Card signatures are no longer verifiable from the returned document
buildSignedAgentCard() now signs DOMAIN_SEPARATORS.AGENT_CARD + canonicalCard, but the returned detached JWS still only exposes protected + signature. Any consumer that reconstructs the payload from the visible card bytes, which is what the previous implementation and the current docstring describe, gets signature verification failed unless it knows to prepend the hidden separator out of band. That is a breaking interop change for existing card verifiers, and there is no verification helper or regression test covering the new contract.
Refs: packages/agent-world-sdk/src/card.ts:109
[Medium] HTTP version headers are no longer authenticated
signHttpRequest/signHttpResponse still emit X-AgentWorld-Version, but verifyHttpRequestHeaders and verifyHttpResponseHeaders neither require nor verify the transmitted header anymore. The signing input hardcodes PROTOCOL_VERSION, so a modified header like 999.999 still verifies successfully in a local repro (verifyHttpRequestHeaders(...) => { ok: true }). That makes the advertised version metadata spoofable on the wire and undermines protocol/version negotiation.
Refs: packages/agent-world-sdk/src/crypto.ts:154, packages/agent-world-sdk/src/crypto.ts:217, packages/agent-world-sdk/src/crypto.ts:283, packages/agent-world-sdk/src/crypto.ts:338
Addresses Codex Issue #1 (High Priority): Missing verification helper for Agent Cards. Changes: - Add verifyAgentCard() helper to card.ts - Implements AgentWire-compliant JWS verification flow - Reconstructs domain-separated payload - Verifies signature over JWS signing input format - Handles base64url encoding from jose library - Export verifyAgentCard from index.ts - Add comprehensive round-trip test: - Sign with buildSignedAgentCard() - Verify with verifyAgentCard() - Test failure with wrong public key - Test failure with tampered card The helper enables third-party implementations to verify Agent Card signatures without manually implementing domain-separator logic. Verification: All 122 tests passing (added 1 new test) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed Codex Issue #1 (High Priority)Problem: Agent Card JWS signatures were not verifiable without manually implementing domain-separator logic. Root Cause: The Standard JWS verifiers fail because the domain separator is "hidden" inside the base64url-encoded payload. SolutionAdded
Changespackages/agent-world-sdk/src/card.ts
packages/agent-world-sdk/src/index.ts
test/domain-separation.test.mjs
Verification✓ All 122 tests passing (added 1 new test)
✓ Agent Card round-trip: sign and verifyRegarding Issue #2 (HTTP Version Header)Issue #2 is actually safe as-is. The version IS cryptographically protected:
I can add defensive validation if desired, but it's not a security issue. Commit: 8c2135f |
## Summary Append-only event ledger with hash chain and world signatures, inspired by blockchain design. ### Core Design | Blockchain Concept | World Ledger Implementation | |---|---| | Genesis block | `world.genesis` entry on world startup | | Transaction | Each agent event: join, action, leave, evict | | Block hash chain | Each entry contains `prevHash` (SHA-256 of previous entry) | | Signed transaction | Entries signed by world's Ed25519 identity | | State = f(events) | Agent summaries derived by replaying event log | | Immutable ledger | JSON Lines file, append-only | ### Changes **New: `WorldLedger` class** (`packages/agent-world-sdk/src/world-ledger.ts`) - Append-only event log persisted as `.jsonl` - Hash chain: each entry references previous entry's SHA-256 - World signature on every entry (domain-separated Ed25519) - `getAgentSummaries()` — derive current state from event replay - `verify()` — validate entire chain integrity - Query with filtering (by agent, event type, time range, limit) **Integration into `world-server.ts`** - Auto-records join/leave/action/evict in ledger - `GET /world/ledger` — query ledger entries with filters - `GET /world/agents` — agent summaries derived from ledger - Ledger exposed on `WorldServer` return value **Types** (`types.ts`) - `LedgerEntry`, `LedgerEvent`, `AgentSummary`, `LedgerQueryOpts` **Tests** (`test/world-ledger.test.mjs`) - 13 new tests: genesis, hash chain, persistence, tamper detection, filtering, agent summaries ### Test Results 144/144 tests pass (131 existing + 13 new) --------- Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
…ferences - Remove dual-mode signature verification in peer-server.ts — header signatures (X-AgentWorld-*) are now required, no body-only fallback - Migrate key rotation verification to domain-separated signatures - Add DOMAIN_SEPARATORS and signWithDomainSeparator/verifyWithDomainSeparator to DAP plugin identity.ts (matching SDK) - Replace all 'v0.2' references with project's own naming — the AgentWire spec version is only a reference, not our protocol version - Agent Card profiles: 'core/v0.2' → 'core' - Update all tests to use header-signed requests Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
…port - [P1] Plugin signHttpRequest/verifyHttpRequestHeaders now use DOMAIN_SEPARATORS.HTTP_REQUEST (matching SDK) - [P1] Plugin signHttpResponse/verifyHttpResponseHeaders now use DOMAIN_SEPARATORS.HTTP_RESPONSE (matching SDK) - [P1] peer-client buildSignedMessage uses DOMAIN_SEPARATORS.MESSAGE so QUIC/UDP datagrams pass server verification - [P2] World ledger filename includes worldId (world-ledger-<id>.jsonl) preventing data collision across multiple worlds Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
- Use SHA-256(worldId) truncated to 16 hex chars for ledger filename, preventing collisions between IDs that differ only in special chars - No legacy migration — breaking change is acceptable during development - Add test for filename collision resistance Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Jing-yilin
force-pushed
the
feat/domain-separated-signing
branch
from
af33a71 to
21e8652
Compare
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
1 participant
Summary
Implements AgentWire-style domain separation across all signing contexts to prevent cross-context signature replay attacks.
Security Improvements
🔒 Prevents cross-context replay attacks: Signatures valid in one context (e.g., HTTP requests) cannot be replayed in another context (e.g., Agent Cards)
Domain Separators Added
HTTP_REQUEST- HTTP request signingHTTP_RESPONSE- HTTP response signingAGENT_CARD- Agent Card JWS signingKEY_ROTATION- Key rotation proofsANNOUNCE- Peer announcementsMESSAGE- P2P messagesWORLD_STATE- World state broadcastsFormat:
"AgentWorld-{Context}-{VERSION}\0"(includes null byte terminator to prevent JSON confusion)Breaking Changes⚠️
Signature Format
All signatures now include a domain-specific prefix before the payload:
Affected APIs
signHttpRequest()- Now usesDOMAIN_SEPARATORS.HTTP_REQUESTverifyHttpRequestHeaders()- Verifies with domain separationsignHttpResponse()- Now usesDOMAIN_SEPARATORS.HTTP_RESPONSEverifyHttpResponseHeaders()- Verifies with domain separationbuildSignedAgentCard()- Agent Card JWS now prependsDOMAIN_SEPARATORS.AGENT_CARDNew Exports
DOMAIN_SEPARATORS- Constant object with all 7 domain separatorssignWithDomainSeparator(separator, payload, secretKey)- Low-level signing functionverifyWithDomainSeparator(separator, publicKey, payload, signature)- Low-level verification functionMigration Guide
Existing signatures created before this change will NOT verify. All agents must upgrade simultaneously or use a coordinated rollout strategy.
For Custom Signing
Before:
After:
Testing ✅
New Security Tests Cover
Agent Card Capability
Agent Cards now advertise
"domain-separated-signatures"capability in the conformance block.Files Changed
crypto.ts- Core domain separation functionspeer-protocol.ts- Updated announce/message/key-rotation verificationbootstrap.ts- Updated announcement signingworld-server.ts- Updated world state signingcard.ts- Updated Agent Card JWS signing + capabilityindex.ts- Export new functions and constantstest/domain-separation.test.mjs- 19 new security tests.changeset/domain-separated-signing.md- Breaking change documentation🤖 Generated with Claude Code