{"id":50791082,"url":"https://github.com/go-ctap/kit","last_synced_at":"2026-06-12T11:01:29.201Z","repository":{"id":357014557,"uuid":"1228213988","full_name":"go-ctap/kit","owner":"go-ctap","description":"Complete application runtime to integrate FIDO2 hardware token management into your app","archived":false,"fork":false,"pushed_at":"2026-05-20T00:05:56.000Z","size":201,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-20T03:07:53.146Z","etag":null,"topics":["authentication","authorization","ctap2","ctaphid","fido2","hardware-token","hid","runtime","sdk","sdk-go"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/go-ctap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-03T18:38:50.000Z","updated_at":"2026-05-20T00:06:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/go-ctap/kit","commit_stats":null,"previous_names":["go-ctap/kit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/go-ctap/kit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-ctap%2Fkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-ctap%2Fkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-ctap%2Fkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-ctap%2Fkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/go-ctap","download_url":"https://codeload.github.com/go-ctap/kit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-ctap%2Fkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34240817,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","ctap2","ctaphid","fido2","hardware-token","hid","runtime","sdk","sdk-go"],"created_at":"2026-06-12T11:01:28.150Z","updated_at":"2026-06-12T11:01:29.189Z","avatar_url":"https://github.com/go-ctap.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ctapkit\n\nReusable CTAP/FIDO2 runtime core for the `go-ctap` application family.\n\nThe current Go module is:\n\n```go\nmodule github.com/go-ctap/kit\n```\n\nThe root package is imported as:\n\n```go\nimport \"github.com/go-ctap/kit\"\nimport \"github.com/go-ctap/kit/model\"\nimport \"github.com/go-ctap/kit/transport\"\n```\n\n## What This Is\n\n`ctapkit` provides the shared runtime boundary for applications that need to discover, inspect, and safely control local FIDO2 authenticators. It is designed for CLI, GUI, and TUI consumers that want the same device/session/operation semantics without duplicating CTAP safety logic.\n\nThis repository does not own terminal UX, command parsing, output rendering, MDS presentation, release packaging, or product-specific workflows. Those live in consumer applications.\n\n## Package Layout\n\n- `ctapkit`: public runtime facade.\n- `model`: public operation, event, interaction, and session DTOs.\n- `model/config`: authenticator config DTOs and reports.\n- `model/credentials`: credential DTOs, previews, and reports.\n- `model/largeblobs`: large-blob DTOs, previews, and reports.\n- `model/report`: shared report DTOs used across model domains.\n- `model/safety`: shared safety/confirmation DTOs.\n- `transport`: HID and Windows proxy transport boundary.\n- `internal/device`: device discovery, selection identity, and leases.\n- `internal/runtime`: event, interaction, and token policies.\n- `internal/session`: opened-session core, lifecycle, serialization, and cache boundary.\n- `internal/workflow`: operation dispatch and domain workflow bodies over an explicit execution environment.\n\n## Session Flow\n\nA consumer should generally do this:\n\n1. Convert UI or CLI input into a typed `model.Operation`.\n2. Discover devices with `ctapkit.DiscoverDevices`.\n3. Pick one returned `ctapkit.Device` handle and open it with `ctapkit.OpenSession`.\n4. Run one typed operation synchronously with `Session.Run`.\n5. Clean up with `Session.Close`.\n\n`Session.Run` returns the typed `model.OperationResult` directly. Consumers that need non-blocking UI can call it from their own goroutine or task. Progress and UI updates are delivered through the `model.EventSink` attached with `ctapkit.WithEventSink`; PIN, user-verification, touch, and confirm participation is delivered through `model.InteractionHandler`.\nInteraction requests and operation events contain only their prompt or event payload; consumers should correlate session-specific work through the `*ctapkit.Session` handle and their own event sink ownership.\n\nVerification defaults to UV when the authenticator supports it, with PIN fallback when CTAP reports a fallback condition. A consumer that wants to offer \"use PIN\" before starting work can pass `ctapkit.WithVerificationFlow(model.VerificationFlowPIN)` to `Session.Run`. User-verification interactions are pre-command prompt and cancel points; the authenticator remains authoritative for whether UV actually succeeds.\n\nCore operations are intentionally UI-neutral. PIN prompts, user verification messages, spinners, progress bars, tables, JSON/YAML formatting, and GUI/TUI event presentation belong to the consumer.\n\nMDS lookup is exposed as a root facade helper rather than a session operation:\n\n```go\nmetadata, err := ctapkit.LookupMDS(ctx, inspect.Result.Info.AAGUID)\n```\n\nThe runtime fetches and verifies the FIDO MDS3 blob, indexes entries by AAGUID,\nand caches the verified response in memory and on disk under the user cache\ndirectory. Disk cache entries are verified again before use. Consumers own any\nMDS presentation or policy decisions.\n\n## Safety Model\n\n- Per-session workflow serialization prevents multi-step flows on the same opened authenticator from interleaving.\n- Device leases represent cross-session or cross-process ownership of authenticator identity; different authenticators may run independently.\n- Secrets such as PIN input and `pinUvAuthToken` must not be logged, marshaled, or exposed through public results.\n- Mutating operations preserve dry-run and confirmation semantics.\n- Destructive flows such as reset, credential deletion, and large-blob deletion require explicit confirmation.\n- Factory reset must be executed shortly after authenticator power-up on many authenticators; consumers should collect any strong UI confirmation before reconnecting and then run a confirmed reset promptly.\n\n## Verification\n\nRun the default checks with:\n\n```powershell\ngo test ./... -count=1\ngo vet ./...\n```\n\nFor lifecycle, session, interaction, or synchronization changes, also run:\n\n```powershell\ngo test -race ./... -count=1\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgo-ctap%2Fkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgo-ctap%2Fkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgo-ctap%2Fkit/lists"}