npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@sphereon/gx-agent-cli

v0.10.2

Published

Gaia-X Compliance Client CLI

Downloads

219

Readme


Warning: This package is in very early development. Breaking changes without notice will happen at this point!


GX Compliance Agent CLI

The Gaia-X Compliance Agent Command Line interface, allows you to manage the agent from the command line. Common methods, like creating a DID, generating self-descriptions, acquiring Compliance Credentials from the Compliance Service are supported.

Overview

After Prerequisites and installation part, we will discuss how to setup your own X.509 keys and SSL certificate. What follows is a guide for using this cli agent to connect to a gaia-x compatible Compliance Service (gx-compliance for short). Below you can see a simple workflow scenario of this CLI tool:

Flow diagram

Prerequisites and installation

NodeJS version 18

Please download NodeJS version 18. You can find NodeJS for your computer on the following page: https://nodejs.org/en/blog/release/v18.16.0/ Follow the installation instructions on the nodejs website

Install the Gaia-X agent CLI tool

After installing nodejs open a terminal window or command prompt on your computer. Ideally with elevated permissions. Type in the following command:

npm install -g @sphereon/gx-agent-cli --no-audit

If you are using yarn instead of npm (required you to install yarn first separately from nodejs)

yarn global add @sphereon/gx-agent-cli

Check that the CLI is available to you

Open a new terminal or command prompt on your computer and type

gx-agent --help

Usage: cli [options] [command]

Options:
  -h, --help      display help for command

Commands:
  config            Agent configuration
  did               Decentralized Identifiers (DID) commands
  vc                Generic Verifiable Credential commands
  vp                Generic Verifiable Presentation commands
  ecosystem         Ecosystem specific commands
  participant       Participant commands
  so|service        Service Offering commands
  export [options]  Exports all agent data so it can be hosted or backed-up
  help [command]    display help for command

If you see an output similar like the above, the Gaia-X Agent CLI is properly installed.

Create X.509 keys and get SSL certificate

You will first need to have an existing X.509 EV SSL certificate or create a new one. This document explains how to set up a new X.509 certificate. Without following the steps in the document you cannot be onboarded as Gaia-X participant.

Agent configuration Commands

The agent requires an agent.yml file. This is a config file for the agent. It contains parameters and variables, determining what methods are available for instance. The agent.yml file can either be located in the current directory, or in a .gx-agent directory in your home directory. By default, the .gx-agent directory in your home directory is used, unless the current working directory contains an agent.yml file.

Create configuration

Creates the agent.yml agent configuration file. It has one option, which is not mandatory. The -l/--location option can have a value of cwd, meaning the agent.yml file will be written to current working directory, or home, meaning the agent.yml file will be written to the .gx-agent directory in your user home-directory. If no option is provided, home will be assumed.

gx-agent config create

output:

Creating agent file: C:\Users\example\.gx-agent\agent.yml
Done. Agent file available at: C:\Users\example\.gx-agent\agent.yml
Please check the agent configuration file for any configuration options you wish to modify

We advise you to use the home location, as it means the configuration file is always available no matter from which directory you invoke the command. Using cwd or current working directory is handy, when you want to use distinct configuration files, for instance if you have to manage more than one domain. Although the agent is capable of handling multiple domains from a single agent, you would need to provide the domain or DID value for most commands when the agent manages multiple domains/DIDs. Having separate configuration files in separate directories then means, you do not have to provide the DID/domain values, as the agent will notice you are only managing a single domain/DID.

Gaia-X Versions

There has been a couple of gaia-x versions, since there are major changes between versions, this library intends to only support the latest v1.2.8 support for versions v2206 and v2210 are removed in this release

  • 1.2.8 (latest) this version is the first version that supports VerifiablePresentation by design.

Verify configuration

Verifies a Gaia-X agent.yml file at a specific file location. If the -f/--filename option is omitted the default home-dir location will be used instead. The --show option, will display the entire configuration file.

For technical people or developers. You can also test whether low level agent methods are properly configured and available by providing the -m/--method option. For example to test the DID resolution method, you could supply resolveDid as -m/--method option.

gx-agent config verify -f ./agent.yml --show

output:

version: 3
gx:
  complianceServiceUrl: https://nk-gx-compliance.eu.ngrok.io
  complianceServiceVersion: v1.2.8
  dbEncryptionKey: 13455271cbd1bd1a0fc4d9b75cd4d2990de535baf5caadfdf8d8f86664aa7201
  dbFile: ./db/gx.db.sqlite
  kmsName: local
constants:
  ... truncated for README

Your Gaia-X agent configuration seems fine. An agent can be created and the 'agent.execute()' method can be called on it.

DID Commands

Gaia-X DIDs currently rely on the so called DID:web DID documents and method. The DID document is responsible for listing public keys associated with the DID and your organizational domain. This DID is used to sign Gaia-X self-descriptions and so-called Verifiable Credentials. This allows others to determine that data is authentic and not manipulated, originating from your organization. For Gaia-X so called did:web DIDs will be used, meaning DIDs associated with your domain name hosted at a well known location (https://example.com/.well-known/did.json). The DID will list at least the X.509 Certificate public key generated from the public certificate you received in the previous step.

NOTE: You first will have to get a X509 certificate for your domain and DID:WEB, before you can proceed with creating the DID in the agent. More information can be found here

Create a DID and import the X.509 certificate

After having followed the instructions to obtain an X.509 certificate, you should have the private-key PEM file, the certificate PEM file and the Certificate Authority Chain PEM file ready.

The below command creates a new DID Document, with the privkey.pem file as private Key input, the cert.pem file as public certificate input and cacerts.pem as the Certificate Chain input. Lastly you need to pass in the domain name that will host the DID document. This domain name needs to be exactly the same as the CN input parameter of the X.509 Certificate and should match the website name/domain you will be hosting the Gaia-X resources on!

Optionally you can provide a --ca-chain-url argument, if you wish to host the Certificate Chain somewhere else than the default location.

gx-agent did create --private-key-file=path/to/privkey.pem --cert-file=path/to/cert.pem --ca-chain-file=path/to/cacerts.pem --domain=nx-gx-agent.eu.ngrok.io

output:
┌──────────┬─────────────────────────────────┬─────────────────────────────────┐
│ provider │                             DID │                           alias │
├──────────┼─────────────────────────────────┼─────────────────────────────────┤
│  did:web │ did:web:nk-gx-agent.eu.ngrok.io │ did:web:nk-gx-agent.eu.ngrok.io │
└──────────┴─────────────────────────────────┴─────────────────────────────────┘

The DID Document is now created. You will either export it later, or serve it directly from the Gaia-X Participant agent (described later in this document). If you do want to have a quick peek, you could use the below command to explore the database of the agent

List DIDs

Lists all DIDs known to the agent. Normally you will only have one DID:web for your organization. When only one DID is present, the agent will automatically select this DID for its commands. If you have more DIDs available, you should use the -d option available on most commands, to select the appropriate DID

gx-agent did list

example output:
┌──────────┬──────────────────────────────────────┬──────────────────────────────────────┐
│ provider │                                  DID │                                alias │
├──────────┼──────────────────────────────────────┼──────────────────────────────────────┤
│  did:web │ did:web:nk-gx-agent.eu.ngrok.io      │ did:web:nk-gx-agent.eu.ngrok.io      │
└──────────┴──────────────────────────────────────┴──────────────────────────────────────┘

Resolve a DID

Resolving a DID, means retrieving the DID Document associated with that particular DID document. Since Gaia-X uses did: web, it means accessing the domain name with a well-known location for the DID document, eg: https://identity.foundation/.well-known/did.json

The below command allows you to resolve DID document. Not that directly after importing the X.509 certificates and creating the DID in the agent, your domain will not yet host the DID document. You will have to export the DID document first (see next command). The agent allows you to resolve any DID:web DID, but it can also resolve a DID not yet exported and only locally known to the agent. This is handy during the onboarding phase. You will have to provide the ' -l' or '--local-only' options to enable local agent resolution

Example commands:

gx-agent did resolve

output:
┌──────────────────────────────────────┐
│                                  DID │
├──────────────────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io      │
└──────────────────────────────────────┘
┌──────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│    error │                                                                                                           message │
├──────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notFound │ resolver_error: DID must resolve to a valid https URL containing a JSON document: Error: Bad response Bad Gateway │
└──────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

The above error is expected as long as the DID is not yet exported and hosted at the domain. Let's try again, but directly ask the agent and with a specific DID:

gx-agent did resolve did:web:nk-gx-agent.eu.ngrok.io -l

output:
┌──────────────────────────────────────┐
│                                  DID │
├──────────────────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io      │
└──────────────────────────────────────┘

DID Document:
{
  "@context": "https://w3id.org/did/v1",
  "id": "did:web:nk-gx-agent.eu.ngrok.io",
  "verificationMethod": [
    {
      "id": "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA",
      "type": "JsonWebKey2020",
      "controller": "did:web:nk-gx-agent.eu.ngrok.io",
      "publicKeyJwk": {
        "kty": "RSA",
        "n": "uUGlbA84qYjmawZ1r9j1rUDAhkrsxdvS7rE7AZIIj41-kNpZw3UU9gPgcRwZIA7TdXewDmU5sLbOXwmNu4WuTlaXBkJAFZ390E5S_fvCBxthE8nMjjyFV8Juj_kZ__00WAHSkZxmsGs6en1AUHhRH74nX8b55Eh5UvysYbP8C6KJlyb8TUpJcOlfLT-RE-1byxgDR4Vnz3r-2kPYxdViUButOGWqKSjSIJtYZi5_kYAQC5zweUBlWeyZ3W5Ai3zRX9MC5_Y6B9fGCZu0__5y6ORCoTOU_hG2U3y7zyMCGIObjCsURhmRSwi30vyE3oIMtBV7YVl4KmrSH2jEg4iaeQ",
        "e": "AQAB",
        "x5u": "https://nk-gx-agent.eu.ngrok.io/.well-known/fullchain.pem"
      }
    }
  ],
  "authentication": [
    "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA"
  ],
  "assertionMethod": [
    "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA"
  ],
  "service": []
}

Export a DID and the CA chain

You will need to host the DID on your domain. For now, you will have to copy the files to your webserver (the agent can host them for you, but that option is not yet available). The document will have to be served from your domain in the /.well-known location. The easiest way to accommodate that typically is to create a folder called .well-known in your Website root directory. The export command already creates that folder for you!

The below command will export the DID Document in the file did.json and the CA chain in the file fullchain.pem to disk in the .well-known directory. Copy the .well-known directory to your webserver.

Note: Do not change the path ot the fullchain.pem file on your webserver. Depending on whether you provided the URL for the CA chain during DID creation, it might be different from below. Since the DID Document references that URL, it needs to be resolvable at the correct location!

gx-agent did export -p my-export

output:
┌──────────────────────────────────────┬───────────────┬────────────────────────────────────────────────────────────────────┐
│                                  DID │          file │                                                               path │
├──────────────────────────────────────┼───────────────┼────────────────────────────────────────────────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io      │      did.json │ ./my-export/nk-gx-agent.eu.ngrok.io/.well-known/did.json           │
│ did:web:nk-gx-agent.eu.ngrok.io      │ fullchain.pem │ ./my-export/nk-gx-agent.eu.ngrok.io/.well-known/fullchain.pem      │
└──────────────────────────────────────┴───────────────┴────────────────────────────────────────────────────────────────────┘
Well-known DID files have been exported.
Please copy everything from my-export/nk-gx-agent.eu.ngrok.io, to your webserver. Do not forget to include the hidden .well-known directory!

After you copied the file to the webserver, you should be able to resolve the DID, without using the -l/--local-only option (see above)

Delete a DID

Warning, normally you shouldn't be deleting DIDs from your agent. Only do so if you are sure what you are doing.

gx-agent did delete did:web:nk-gx-agent.eu.ngrok.io

Participant onboarding

You first need to become a Gaia-X compliant participant. In order to do so, you first need to create a participant self-description. This is a so-called Credential in a specific order. You will need to sign this self-description, using your DID, making it a Verifiable Credential. The compliance service will issue an attestation, in the form of a Participant Credential, signed by its DID. This allows you to prove to others that you are a Gaia-X participant.

You can either become compliant in 1 step, or by having 2 extra steps. The benefit of using 2 steps is that you can verify the self-description, before sending it in to become compliant. The agent internally creates the same objects, no matter what choice you make.

Export example participant-input-credential.json

There is a command to export a template/example for two version of participants self-description to disk. If you want to create a Participant according to v2206 api, you can call it with that specific version -v v2206, or you can call it with -v v2210 to get the new version of Participant Self-Description. Also calling it without a version param will generate v2210 version of a participant self-description. You can then edit this example self-description with your information. The --show argument, displays the example self-description to your console.

gx-agent participant sd example -d did:web:nk-gx-agent.eu.ngrok.io --show

output:
┌─────────────┬───────────────────────────────────┬──────────────────────────────────────┐
│        type │                           sd-file │                                  did │
├─────────────┼───────────────────────────────────┼──────────────────────────────────────┤
│ participant │ participant-input-credential.json │ did:web:nk-gx-agent.eu.ngrok.io      │
└─────────────┴───────────────────────────────────┴──────────────────────────────────────┘
Example self-description file has been written to participant-input-credential.json. Please adjust the contents and use one of the onboarding methods
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
  ],
  "type": [
    "VerifiableCredential"
  ],
  "id": "urn:uuid:554db947-e001-431c-ae55-22a781e1f928",
  "issuer": "did:web:nk-gx-agent.eu.ngrok.io",
  "issuanceDate": "2023-05-29T18:03:00.887Z",
  "credentialSubject": {
    "id": "did:web:nk-gx-agent.eu.ngrok.io",
    "type": "gx:LegalParticipant",
    "gx:legalName": "Gaia-X European Association for Data and Cloud AISBL",
    "gx:legalRegistrationNumber": {
      "gx:vatID": "BE0762747721"
    },
    "gx:headquarterAddress": {
      "gx:countrySubdivisionCode": "BE-BRU"
    },
    "gx:legalAddress": {
      "gx:countrySubdivisionCode": "BE-BRU"
    },
    "gx-terms-and-conditions:gaiaxTermsAndConditions": "70c1d713215f95191a11d38fe2341faed27d19e083917bc8732ca4fea4976700"
  },
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2023-05-29T16:05:10Z",
    "verificationMethod": "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..fqGrFQqR2LrwQ3j2IC5QPZAHsTNIcfDDe8AjgGOzvY5yOKCj4VDE0rSpb70dQIwoGKJEDEQFUQnEXXlKDZSD79EmSDdJJTpTJJ4xlAS8kXHc6jEgq0gYKkKY7eTUQUhuHrCGFEJ-I-KTJLut3czcdzsRsBITqDbazrEoFOvgKv_C6XzOYIMWxxcczRtGFkKm8c-lIHayABnfHV9ES6PsfwNBuGC5HcsCY0lUZ9h4PMMYC60p-sspCxKLzpILfpcGLV-D73JGrvLycdW7zYNW_M5IQ0gOhaebw_oNSfSdaX08QZ9fAQhXLg3QzX4qIvLzsQVVmn1XFbXdiye574x89w"
  }
}

You now should open the file, and adjust the values with your participant information. Update all the values. Do not add new keys or remove any properties/keys, except for some of the keys that are mentioned in the context file:

  • gx:legalRegistrationNumber

  • gx:parentOrganization

  • gx:subOrganization

  • gx:headquarterAddress

  • gx:legalAddress For a better guide on how to populate your requested field you can take a look at the main shape file: https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#

  • Make sure to save the file afterwards. If you made some mistakes, you can always re-export the example. Be aware that it will always overwrite the existing file!

Submit the participant self-description

The next command creates a self-asserted Verifiable Credential out of the self-description input file. It sends that in as a Verifiable Presentation to the Compliance service as configured in your agent.yml file. The compliance service then will verify the Verifiable Presentation, containing the self-description Verifiable Credential. It also performs some checks on the information provided, like for instance the registration numbers. If everything is okay, it will return a Compliance Verifiable Credential to you. That credential denotes you are now a valid Gaia-X participant.

Next to using the input file, you could also submit a self-description if it was already stored in the agent. This means you can provide the ID value of the self-description credential in the agent.

You can use the --show option, to show all the credentials used in the exchange.

gx-agent participant sd submit -sif ./participant-input-credential.json

or from an existing agent self-description credential:

gx-agent participant sd submit -id dff1ffbee0abd14c9483946dbe703d443702a7bdbc5b74dce5d29f3e8afb0c197698656d5d1466726c6e57b9ed0590befbf650f09e4a5552999a8697ef51114

output:
┌───────────────────────┬──────────────────────────────────────┬─────────────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                  type │                               issuer │                         subject │            issuance-date │                                                                                                                               id │
├───────────────────────┼──────────────────────────────────────┼─────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Compliance            │ did:web:nk-gx-compliance.eu.ngrok.io │ did:web:nk-gx-agent.eu.ngrok.io │ 2023-06-08T14:21:10.896Z │ 763640a06a6c65f79c79d0ff7e549ba1241e06ff260fb98103e67afbc818fe0b82371c2e63907c63a938b836f7dfe85055e8ece07051226516b2143320e020ce │
└───────────────────────┴──────────────────────────────────────┴─────────────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Notice that you now have a Participant Credential, which is issued by the compliance server

List participant self-description credentials

You can list participant self-descriptions known to the agent. Normally this should only be one for a domain, but you can create new ones for the same domain/did, to update values. You can optionally provide a -d/--did option, to provide the DID or domain name for which to list the participant self-description credentials.

gx-agent  participant sd list

output:
┌─────────────────────────────────┬──────────────────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                          issuer │                              subject │            issuance-data │                                                                                                                               id │
├─────────────────────────────────┼──────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io │ did:web:nk-gx-agent.eu.ngrok.io │ 2023-01-26T03:04:58.179Z │ dff1ffbee0abd14c9483946dbe703d443702a7bdbc5b74dce5d29f3e8afb0c197698656d5d1466726c6e57b9ed0590befbf650f09e4a5552999a8697ef511143 │
└─────────────────────────────────┴──────────────────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Show a participant self-description credential

To show the content of a participant self-description credential known to the agent, you can first list all the participant self-descriptions (see command above). From that output you can get the id value and use that to show the credential.

gx-agent participant sd show dff1ffbee0abd14c9483946dbe703d443702a7bdbc5b74dce5d29f3e8afb0c197698656d5d1466726c6e57b9ed0590befbf650f09e4a5552999a8697ef511143

output:
┌─────────────────────────────────┬──────────────────────────────────────┬──────────────────────────┐
│                          issuer │                              subject │            issuance-data │
├─────────────────────────────────┼──────────────────────────────────────┼──────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io │ did:web:nk-gx-agent.eu.ngrok.io      │ 2023-05-29T18:03:00.887Z │
└─────────────────────────────────┴──────────────────────────────────────┴──────────────────────────┘
id: dff1ffbee0abd14c9483946dbe703d443702a7bdbc5b74dce5d29f3e8afb0c197698656d5d1466726c6e57b9ed0590befbf650f09e4a5552999a8697ef511143
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
  ],
  "type": [
    "VerifiableCredential"
  ],
  "id": "urn:uuid:554db947-e001-431c-ae55-22a781e1f928",
  "issuer": "did:web:nk-gx-agent.eu.ngrok.io",
  "issuanceDate": "2023-05-29T18:03:00.887Z",
  "credentialSubject": {
    "id": "2023-05-29T18:03:00.887Z",
    "type": "gx:LegalParticipant",
    "gx:legalName": "Gaia-X European Association for Data and Cloud AISBL",
    "gx:legalRegistrationNumber": {
      "gx:vatID": "BE0762747721"
    },
    "gx:headquarterAddress": {
      "gx:countrySubdivisionCode": "BE-BRU"
    },
    "gx:legalAddress": {
      "gx:countrySubdivisionCode": "BE-BRU"
    },
    "gx-terms-and-conditions:gaiaxTermsAndConditions": "70c1d713215f95191a11d38fe2341faed27d19e083917bc8732ca4fea4976700"
  },
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2023-05-29T16:05:10Z",
    "verificationMethod": "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..fqGrFQqR2LrwQ3j2IC5QPZAHsTNIcfDDe8AjgGOzvY5yOKCj4VDE0rSpb70dQIwoGKJEDEQFUQnEXXlKDZSD79EmSDdJJTpTJJ4xlAS8kXHc6jEgq0gYKkKY7eTUQUhuHrCGFEJ-I-KTJLut3czcdzsRsBITqDbazrEoFOvgKv_C6XzOYIMWxxcczRtGFkKm8c-lIHayABnfHV9ES6PsfwNBuGC5HcsCY0lUZ9h4PMMYC60p-sspCxKLzpILfpcGLV-D73JGrvLycdW7zYNW_M5IQ0gOhaebw_oNSfSdaX08QZ9fAQhXLg3QzX4qIvLzsQVVmn1XFbXdiye574x89w"
  }

Verify a participant self-description

This command verifies a participant self-description credential. It first does a local validation of the Verifiable Credential, including a check on the signature/proof. After that it contacts the compliance service to check whether the compliance service provides a response that the participant self-description is compliant.

The optional ---show option shows the contents of credential on the console

gx-agent participant sd verify -id dff1ffbee0abd14c9483946dbe703d443702a7bdbc5b74dce5d29f3e8afb0c197698656d5d1466726c6e57b9ed0590befbf650f09e4a5552999a8697ef511143

output:
Agent validation of the self-description. Valid: true
┌──────────┐
│ verified │
├──────────┤
│     true │
└──────────┘

Ecosystems

Up until now the commands have interacted with the Gaia-X compliance service. The participant self-description resulted in a Compliance credential being issued by the Compliance Server. You will find the concept of self-descriptions in later chapters. These self-descriptions are being used by participants in specific ecosystems. 'The Future Mobility Alliance' is one such ecosystem. The Gaia-X agent supports adding new ecosystems, as long as they are using endpoints similar to the compliance server.

Add an ecosystem

Adds a new ecosystem to the agent.yml file. The name and url are required arguments. If the name contains any spaces be sure to add quotes (") around the name. We suggest to keep the name short and succinct, maybe even abbreviating the full name of the ecosystem. You can always provide an optional description, containing the full name.

gx-agent ecosystem add FMA https://compliance.future-mobility-alliance.org -d "Future Mobility Alliance"

output:
New ecosystem FMA has been added to your agent configuration: C:\Users\Example\.gx-agent\agent.yml
┌──────┬─────────────────────────────────────────────────┬──────────────────────────┐
│ name │                                             url │              description │
├──────┼─────────────────────────────────────────────────┼──────────────────────────┤
│  FMA │ https://compliance.future-mobility-alliance.org │ Future Mobility Alliance │
└──────┴─────────────────────────────────────────────────┴──────────────────────────┘

Update an ecosystem

If you made a mistake in the url or description, you of course could delete the ecosystem first and then add it again, but there is also an update command. Actually that command is an alias for the add command. The command looks at whether an existing ecosystem is already found by that name. If so it updates it. If you made a mistake in the name, you will have to delete the erroneous ecosystem by name and add the new one

Delete an ecosystem

Be aware that if you delete an ecosystem you will not be able to interact with it again, unless you re-add it of-course.

gx-agent ecosystem delete FMA

 output:
┌──────┬─────────────────────────────────────────────────┬──────────────────────────┐
│ name │                                             url │              description │
├──────┼─────────────────────────────────────────────────┼──────────────────────────┤
│  FMA │ https://compliance.future-mobility-alliance.org │ Future Mobility Alliance │
└──────┴─────────────────────────────────────────────────┴──────────────────────────┘
Ecosystem FMA has been deleted from your agent configuration: C:\Users\example\.gx-agent\agent.yml

List

You can list all known ecosystems from the agent.yml configuration file using the below command.

gx-agent ecosystem list

output:
┌──────┬─────────────────────────────────────────────────┬──────────────────────────┐
│ name │                                             url │              description │
├──────┼─────────────────────────────────────────────────┼──────────────────────────┤
│  FMA │ https://compliance.future-mobility-alliance.org │ Future Mobility Alliance │
└──────┴─────────────────────────────────────────────────┴──────────────────────────┘

Service Offerings

As soon as you are a Gaia-X compliant participant, you can start to offer services. In order to do so, you first need to create a service offering self-description. This is a so called "Credential". You will need to sign this self-description, using your DID, making it a Verifiable Credential. The compliance service will issue an attestation, in the form of a ServiceOffering Credential, signed by it’s DID. This allows you to prove to others that you provide certain services.

Export example service-input-credential.json

There is a command to export a template/example service-offering self-description to disk. You can then edit this example self-description with your information. We currently support creation of two different version of this entity. If you want to create the latest version, you have to provide a type argument as well. Accepted type for a service-offering are mentioned below (also you can see them with passing a -h to export-example command): In the current version you can create an example with calling agent:

The ServiceOffering and it's example might change in the near future as GAIA-X team are modifying this part

┌────────────────────────────────┬
│             type               │
├────────────────────────────────┤
│ gx_ServiceOffering             │
├────────────────────────────────┤
│ DcatDataService                │
├────────────────────────────────┤
│ DcatDataset                    │
└────────────────────────────────┴

The --show argument, displays the example self-description to your console.


gx-agent so sd example -d did:web:nk-gx-agent.eu.ngrok.io

output:
IMPORTANT: the values specified with '*' should be populated by you.
┌──────────────────┬────────────────────────────────────────┬────────────────────────────────────────────────┐
│             type │                                sd-file │                                            did │
├──────────────────┼────────────────────────────────────────┼────────────────────────────────────────────────┤
│ service-offering │ service-offering-input-credential.json │ did:web:nk-gx-agent.eu.ngrok.io                │
└──────────────────┴────────────────────────────────────────┴────────────────────────────────────────────────┘
Example service-offering self-description file has been written to service-offering-input-credential.json. Please adjust the contents and use one of the onboarding methods
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
  ],
  "issuer": "did:web:nk-gx-agent.eu.ngrok.io",
  "id": "urn:uuid:b0aee1c5-a00f-46b4-8142-dbe60903f8b2",
  "credentialSubject": {
    "id": "https://nk-gx-agent.eu.ngrok.io",
    "type": "gx:ServiceOffering",
    "gx:providedBy": {
      "id": "did:web:nk-gx-agent.eu.ngrok.io"
    },
    "gx:policy": "",
    "gx:termsAndConditions": {
      "gx:URL": "http://termsandconds.com",
      "gx:hash": "d8402a23de560f5ab34b22d1a142feb9e13b3143"
    },
    "gx:dataAccountExport": {
      "gx:requestType": "API",
      "gx:accessType": "digital",
      "gx:formatType": "application/json"
    }
  },
  "type": "VerifiableCredential"
}

You now should open the file, and adjust the values with your service-offer information. Update all the values. Make sure to save the file afterwards. If you made some mistakes, you can always re-export the example. Be aware that it will always overwrite the existing file!

Submit the service-offering self-description

The next command creates a self-asserted Verifiable Credential out of the ServiceOffering self-description input file.

gx-agent so sd submit -sof service-offering-input-credential.json -sid <id>

For the id, see "gx-agent vc list" It sends that in as a Verifiable Presentation with previously fetched ComplianceCredential and Participant SelfDescription to the Ecosystem Compliance service as configured in your agent.yml file.

{
  "type": ["VerifiablePresentation"],
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "verifiableCredential": [
    { // Your LegalParticipant self-description VerifiableCredential },
    { // Your ServiceOffering self-description  VerifiableCredential },
    { // Your LegalParticipant Compliance Credential Signed by Gaia-X Compliance service },
  ],
  "holder": "did:web:4c30-2001-1c04-2b10-ee00-e7d5-abed-7e72-9d92.ngrok-free.app",
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2023-06-01T08:47:10Z",
    "verificationMethod": "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..h-rEB7ZPqRCh4Pb9eXK7iX4PEtwF9GdHlrrMR6JSnybVMsxnKcN5tBgqJx33dSIXyPtPSciA2rcp2d7qyQ_tr60oD2dMwu2xnYqgRL67iIkGfg8jIRpunjrZG2PQXPK61ziZvGo4HwuVztY5bwZAqtGTKRs7dWona3U7q2uGsELHojFoHIHfR_j0RPSxLWh8ek_8ZNE13aNVR9QvPwUcxEJ9OGhifhO6XVwwFUDtNtgbGqIU4mwdSC6DU2h6yUsYSK2pu7SRj7qrq4cDbp70OAuLwV8Sywg5IqxuJKKlJZq5YJy_7hgBSvr3RcqeY8BSFr7-H2QGg2n9HuWRIKuwNg"
  }
}

And you Ecosystem Compliance Service will send you another ComplianceCredential in response:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://registry.lab.gaia-x.eu//development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
  ],
  "type": ["VerifiableCredential"],
  "id": "https://nk-eco-compliance.eu.ngrok.io/credential-offers/67645d91-6bb5-4661-a6d1-2d36dce30172",
  "issuer": "did:web:nk-eco-compliance.eu.ngrok.io",
  "issuanceDate": "2023-05-31T14:10:01.794Z",
  "expirationDate": "2023-08-29T14:10:01.794Z",
  "credentialSubject": [
    {
      "type": "gx:compliance",
      "id": "did:web:nk-eco-compliance.eu.ngrok.io",
      "integrity": "sha256-d03feb54fedcb3ed0411f723bdd8b19e928d742a49f4c7ca109979e08ac83974"
    },
    {
      "type": "gx:compliance",
      "id": "did:web:nk-eco-compliance.eu.ngrok.io",
      "integrity": "sha256-198332fad39100e726dcc94bd1c68dfbee2db02befc12c92e35e7648b4399336"
    },
    {
      "type": "gx:compliance",
      "id": "did:web:nk-eco-compliance.eu.ngrok.io",
      "integrity": "sha256-11fb3ded1ce29b06c5ad15f2bcc8bf1eac41973e70289bf41600aeb1dffe5356"
    }
  ],
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2023-05-31T14:10:02.314Z",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..AbRrpo2qbgaCS6HAykU6PACi37iFxlviyu2hxrfhhjhvmz7sItIPFMQc_fj-qGyXD6Zr_LoA2aR5kFE2w4zgu0oEP8Mmudf4fTKzl-3vPNY9lfEUf9tLg_LxLzivs24C2Vz4y2--r2BkNeeXTJ7_pnlBWuDoVPNm3gcrfcT69VcLWmZpErOqhbHTmqafoklr4iGOs7ehU9TGxXS7JptGglAZ_caBVfHvIQQi1MP31mQeIJk7U_t7KohW4Y5ZQKjBL36OL2OqPprZhBEcouOGqI82fRKxAdq22AIjFkgarg9QavwLlq1F_F0qxshpR_QGBE55LV9uU6NJ877Is2sa_w",
    "verificationMethod": "did:web:nk-eco-compliance.eu.ngrok.io#JWK2020-RSA"
  }
}

NOTE: you can run gx-agent vc list in any step and see your VCs in the agent. at the end of this step you should see this list containing all the necessary credentials:

┌─────────────────────┬───────────────────────────────────────┬─────────────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────────┐
│               types │                                issuer │                         subject │            issuance-date │                                                               id │
├─────────────────────┼───────────────────────────────────────┼─────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────────┤
│ gx:LegalParticipant │ did:web:nk-gx-agent.eu.ngrok.io       │ did:web:nk-gx-agent.eu.ngrok.io │ 2023-06-08T13:08:29.888Z │ <participant sd id>                                              │
│ ServiceOffering     │ did:web:nk-gx-agent.eu.ngrok.io       │ did:web:nk-gx-agent.eu.ngrok.io │ 2023-06-08T13:08:29.888Z │ <service offering sd id>                                         │
│          Compliance │ did:web:nk-gx-compliance.eu.ngrok.io  │ did:web:nk-gx-agent.eu.ngrok.io │ 2023-06-08T14:10:52.037Z │ <participant compliance id from gx-compliance>                   │
│          Compliance │ did:web:nk-eco-compliance.eu.ngrok.io │ did:web:nk-gx-agent.eu.ngrok.io │ 2023-06-08T14:26:49.870Z │ <participant and service offering compliance from eco-compliance>│
└─────────────────────┴───────────────────────────────────────┴─────────────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────────┘

List service-offering self-description credentials

You can list service-offering self-descriptions known to the agent.

gx-agent so sd list
┌─────────────────────────────────┬──────────────────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                          issuer │                              subject │            issuance-data │                                                                                                                               id │
├─────────────────────────────────┼──────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io │ 51d15354-4570-4b44-9beb-8e78b9ab6795 │ 2023-01-26T03:35:50.574Z │ 98021d8c32ccf3723ecf83d712a634000ecf10875e1e9b39ece5f90606f65227959936269ad0d65ed9921b6062d9d4cd3ba2ea8d441e38f748e758c864942447 │
└─────────────────────────────────┴──────────────────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Show a service-offering self-description credential

To show the content of a service-offering self-description credential known to the agent, you can first list all the service-offering self-descriptions (see command above). From that output you can get the id value and use that to show the credential.

gx-agent so sd show 98021d8c32ccf3723ecf83d712a634000ecf10875e1e9b39ece5f90606f65227959936269ad0d65ed9921b6062d9d4cd3ba2ea8d441e38f748e758c864942447

output:
┌─────────────────────────────────┬──────────────────────────────────────┬──────────────────────────┐
│                          issuer │                              subject │            issuance-data │
├─────────────────────────────────┼──────────────────────────────────────┼──────────────────────────┤
│ did:web:nk-gx-agent.eu.ngrok.io │ 51d15354-4570-4b44-9beb-8e78b9ab6795 │ 2023-01-26T03:35:50.574Z │
└─────────────────────────────────┴──────────────────────────────────────┴──────────────────────────┘
id: 98021d8c32ccf3723ecf83d712a634000ecf10875e1e9b39ece5f90606f65227959936269ad0d65ed9921b6062d9d4cd3ba2ea8d441e38f748e758c864942447
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://registry.gaia-x.eu/v2206/api/shape"
  ],
  "issuer": "did:web:nk-gx-agent.eu.ngrok.io",
  "id": "51d15354-4570-4b44-9beb-8e78b9ab6795",
  "credentialSubject": {
    "id": "did:web:nk-gx-agent.eu.ngrok.io",
    "gx-service-offering:providedBy": "https://nk-gx-agent.eu.ngrok.io/.well-known/participant.json",
    "gx-service-offering:name": "my awesome service",
    "gx-service-offering:description": "a service by https://nk-gx-agent.eu.ngrok.io",
    "gx-service-offering:termsAndConditions": [
      {
        "gx-service-offering:url": "https://nk-gx-agent.eu.ngrok.io/terms-and-conditions/",
        "gx-service-offering:hash": "myrandomhash"
      }
    ],
    "gx-service-offering:gdpr": [
      {
        "gx-service-offering:imprint": "https://nk-gx-agent.eu.ngrok.io/terms-and-conditions/"
      },
      {
        "gx-service-offering:privacyPolicy": "https://nk-gx-agent.eu.ngrok.io/personal-data-protection/"
      }
    ],
    "gx-service-offering:dataExport": {
      "gx-service-offering:requestType": "email",
      "gx-service-offering:accessType": "digital",
      "gx-service-offering:formatType": "mime/png"
    }
  },
  "type": [
    "VerifiableCredential",
    "ServiceOffering"
  ],
  "issuanceDate": "2023-01-26T03:35:50.574Z",
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2023-01-26T03:35:50Z",
    "verificationMethod": "did:web:nk-gx-agent.eu.ngrok.io#JWK2020-RSA",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..UM74Ij3DEv8qRmfMUoJ8wlbJHFA0XOUD8_xl_rYRzxaQvUOtrwgCrCnUyPy3U1JOT8nGnkakbfpT8r2x51T2c8wKUtxynDmtVhmBCfTJdp7fOsM1JC4BKQmAPRHXBUEpgUbLQc60OREyp37uJFzmN66q-blCvEt5v-YHhhnpMO49SUXWMKhhBruEPlPQh6UkfW5SDb9MB
ZcR-INzqQKkBKMDhLkxl4cXpOEepT6fYm-DUq4LVaGCy3NHdB6SNF7asNT0xIHXSX5UiU-ZeQsz0Q1O8tSuhvk2NP0IFy4RXO6IIynP56RPeY05CbW40ejE65TNCzyc2xNyU0CZFcWy3Q"
  }
}

Verify a service-offering self-description

This command verifies a service-offering self-description credential. It first does a local validation of the Verifiable Credential, including a check on the signature/proof. After that it contacts the compliance service to check whether the compliance service provides a response that the service-offering self-description is compliant.

The optional --show option shows the contents of credential on the console

gx-agent so sd verify -id 98021d8c32ccf3723ecf83d712a634000ecf10875e1e9b39ece5f90606f65227959936269ad0d65ed9921b6062d9d4cd3ba2ea8d441e38f748e758c864942447

output:
Agent validation of the self-description. Valid: true
┌──────────┐
│ conforms │
├──────────┤
│     true │
└──────────┘

Labels

Using this agent, you can also create all kinds of Labels as well. You can then include these labels in your Service Offerings to show a certain credential. Here is an example for a ISO VerifiableCredential: First, you need to create a VerifiableCredential (or ask a third party to generate a VerifiableCredential for you). In order to do this with this agent, you can simply call the following command on an unsigned credential

gx-agent vc issue -f ./iso.json -p

After acquiring a Label Verifiable Credential, you can include this label into you Service Offering VerifiablePresentations. You can use this for both onboarding a Service Offering into gx-compliance and also your selected ecosystem: For onboarding the service in the ecosystem:

gx-agent ecosystem so submit FMA -sid <you self-description participant vc id> -cid <your gx compliance credential id> -eid <your ecosystem compliance id> -sof ./service-offering-input-credential.json -lai <your label id(s)>
# you can also call pass the labels via the file using laf (`--label-files`) instead of `lai` parameter

For onboarding the service in the gx compliance:

gx-agent so sd submit -sof ./service-offering-input-credential.json -sid <ID of your participant self-description vc> -cid <ID of your compliance VC from Gaia-X compliance> -lai <your label id(s)>
# you can also call pass the labels via the file using laf (`--label-files`) instead of `lai` parameter

Developers

Building an executable

Make sure the CLI is build as well as it dependencies in this monorepo, eg yarn build Also install the pkg progam, globally, eg yarn global add pkg

Now create the binaries for the different platforms:

pkg ./dist/cli.js