Quickstart

1. Issue a credential

Sign in to /apps/zeq-ssl/ and click + Issue credential, or issue one via HTTP:

curl -X POST 'http://zeq.dev.local:3099/api/ssl/credentials/issue' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <zeq_auth_token>' \
  -d '{"machine":"foundation","mode":"A"}'

Response:

{
  "ok": true,
  "credential": {
    "id": "fa11ce11-...",
    "kid": "kid_xxxxxxxxxxxx",
    "pubkey_seed": "<64-hex>",
    "mode": "A",
    "issued_at_zeqond": 2287490000,
    "expires_at_zeqond": 2287621072,
    "row_fingerprint": "<64-hex>"
  },
  "secret_seed_hex": "<64-hex — SHOWN ONCE>"
}

Save secret_seed_hex now: it is returned only in this response, and the framework stores only its SHA-256 fingerprint (pubkey_seed), so it cannot be recovered later.

2. Verify a credential

Anyone can verify:

curl 'http://zeq.dev.local:3099/api/ssl/verify?machine=foundation&kid=kid_xxxxxxxxxxxx'

Returns { valid: true, credential: {...} } or { valid: false, reason: "expired|revoked|future_dated|not_found" }. The reason field takes exactly one of those four values.

3. Run a Zeq-SSL server

import { ZeqSslServer } from "@zeq-os/zeq-ssl";

const server = ZeqSslServer({
  port: 3009,
  localMachineId: "fa11ce11-...",
  localKid: "kid_alpha",
  localCredentialSecret: process.env.SSL_LOCAL_SECRET!,
  // Resolve a connecting peer's public seed through the framework's verify
  // endpoint; returning null rejects the peer.
  resolvePeerPubkey: async ({ machineId, kid }) => {
    const r = await fetch(`http://zeq.dev.local:3099/api/ssl/verify?machine=${machineId}&kid=${kid}`);
    const data = await r.json();
    return data.valid ? data.credential.pubkey_seed : null;
  },
  // Zeqond clock: one Zeqond is 0.777000777 seconds of wall-clock time.
  currentZeqondNumber: () => Math.floor(Date.now() / 1000 / 0.777000777),
});

// Echo server: every chunk received on an authenticated connection is written back.
server.on("connection", (conn) => {
  conn.on("data", (chunk) => conn.write(Buffer.from("echo: " + chunk.toString())));
});

4. Connect from a client

import { ZeqSslClient } from "@zeq-os/zeq-ssl";

const sock = await ZeqSslClient({
  host: "edge.example.com",
  port: 3009,
  localMachineId: "c1ie..-",
  localKid: "kid_bravo",
  localCredentialSecret: process.env.SSL_CLIENT_SECRET!,
  // The client pins the server's credential up front instead of resolving it at
  // connect time; pubkeySeed must match the server credential's pubkey_seed.
  peer: {
    machineId: "fa11ce11-...",
    kid: "kid_alpha",
    pubkeySeed: "<64-hex from GET /api/ssl/credentials>",
  },
  // Same Zeqond clock as the server side.
  currentZeqondNumber: () => Math.floor(Date.now() / 1000 / 0.777000777),
});

sock.write(Buffer.from("ping"));
sock.on("data", (b) => console.log(b.toString()));

5. Rotate, revoke

# Rotate (old credential stays valid for 128 Zeqonds)
curl -X POST '.../api/ssl/credentials/rotate' \
  -H 'Content-Type: application/json' \
  -d '{"credential_id":"fa11ce11-..."}'

# Revoke (immediate)
curl -X POST '.../api/ssl/credentials/revoke' \
  -H 'Content-Type: application/json' \
  -d '{"credential_id":"fa11ce11-...","reason":"key_compromise"}'

6. Grant trust to another machine

curl -X POST '.../api/ssl/trust/grant' \
  -H 'Content-Type: application/json' \
  -d '{"truster":"foundation","trusted":"partner-machine","trust_level":"federated"}'

Levels: basic (no transitivity), peer (bilateral, usable as the final hop only), federated (chainable one hop at a time; paths are resolved by BFS up to MAX_TRUST_HOPS = 4).
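The following trust-path resolver is an added example illustrating the three levels described above; it is not the framework's own implementation. It encodes one reading of that description, which is an assumption: a basic grant is honoured only as a direct edge, a peer grant only as the final hop and only when the trusted side has granted peer back, and a federated grant may be chained as an intermediate or final hop, with at most MAX_TRUST_HOPS edges on any path. The grants table is constructed for the example.

```javascript
// Added example, not the Zeq-SSL project's code. Interpretation of the level semantics
// is an assumption (see lead-in); MAX_TRUST_HOPS = 4 comes from the page.
const MAX_TRUST_HOPS = 4;

// Adjacency map: truster -> Map(trusted -> trust_level)
function makeTrustGraph(grants) {
  const g = new Map();
  for (const { truster, trusted, trust_level } of grants) {
    if (!g.has(truster)) g.set(truster, new Map());
    g.get(truster).set(trusted, trust_level);
  }
  return g;
}

function grantLevel(g, from, to) {
  return g.get(from)?.get(to) ?? null;
}

// Breadth-first search from truster; only federated edges may be traversed as
// intermediate hops, so the first path found is the shortest admissible one.
function isTrusted(grants, truster, target) {
  const g = makeTrustGraph(grants);
  const queue = [[truster]];
  const seen = new Set([truster]);
  while (queue.length > 0) {
    const path = queue.shift();
    const node = path[path.length - 1];
    const hops = path.length - 1;            // edges used so far
    if (hops >= MAX_TRUST_HOPS) continue;    // a further edge would exceed the limit
    for (const [next, lvl] of g.get(node) ?? new Map()) {
      if (next === target) {
        const finalHopOk =
          lvl === "federated" ||
          (lvl === "basic" && hops === 0) ||                       // direct only
          (lvl === "peer" && grantLevel(g, next, node) === "peer"); // bilateral only
        if (finalHopOk) return { trusted: true, hops: hops + 1, path: [...path, next] };
        continue;
      }
      if (lvl === "federated" && !seen.has(next)) {
        seen.add(next);
        queue.push([...path, next]);
      }
    }
  }
  return { trusted: false, hops: null, path: null };
}

// Constructed sample grants (hypothetical machine names).
const SAMPLE_GRANTS = [
  { truster: "A", trusted: "B", trust_level: "federated" },
  { truster: "B", trusted: "C", trust_level: "federated" },
  { truster: "C", trusted: "D", trust_level: "federated" },
  { truster: "D", trusted: "E", trust_level: "federated" },
  { truster: "E", trusted: "F", trust_level: "federated" },
  { truster: "B", trusted: "X", trust_level: "basic" },
  { truster: "D", trusted: "P", trust_level: "peer" },
  { truster: "P", trusted: "D", trust_level: "peer" },
  { truster: "D", trusted: "Q", trust_level: "peer" },
  { truster: "P", trusted: "R", trust_level: "federated" },
];

console.log(isTrusted(SAMPLE_GRANTS, "A", "E")); // 4 federated hops: trusted
console.log(isTrusted(SAMPLE_GRANTS, "A", "F")); // would need 5 hops: not trusted
console.log(isTrusted(SAMPLE_GRANTS, "A", "X")); // basic grant is not chainable: not trusted
console.log(isTrusted(SAMPLE_GRANTS, "A", "P")); // bilateral peer as final hop: trusted
console.log(isTrusted(SAMPLE_GRANTS, "D", "Q")); // one-way peer grant: not trusted
```

Because peer and basic edges are never enqueued, a grant chain cannot be extended through a partner that was only granted peer or basic trust, which is the property the level descriptions are meant to guarantee.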