@datacules/agent-identity 0.8.0 → 0.10.0

package/README.md

@@ -0,0 +1,128 @@
+<p align="center">
+  <img src="../../assets/logo.svg" alt="Agent Identity — by Datacules LLC" width="360"/>
+</p>
+
+# `@datacules/agent-identity`
+
+Core credential routing engine for the agent-identity framework. Provider-agnostic; works with OpenAI, Anthropic, Gemini, Mistral, and local models.
+
+Published as the `@datacules/agent-identity` npm package from `packages/core/`.
+
+## Install
+
+```bash
+npm install @datacules/agent-identity
+```
+
+## What's in this package
+
+| Export | Description |
+|--------|-------------|
+| `createRouter` | Build a `CredentialRouter` from an array of credentials + rules |
+| `createRouterFromStore` | Build a router backed by any `CredentialStore` |
+| `createRouterWithConfig` | Full-featured factory — accepts attestation signer, budget enforcer, approval gate |
+| `MemoryCredentialStore` | In-memory store for dev + tests |
+| `CredentialRouter` | Class with `resolve()`, `resolveAsync()`, `resolvePair()`, `resolvePairAsync()` |
+| `@datacules/agent-identity/schemas` | Zod schemas for `AgentRequestContext`, `MigrationContext`, `Credential` |
+| `@datacules/agent-identity/react` | `useAgentIdentity` React hook (server-side credential resolution) |
+
+## Quick start
+
+```typescript
+import { createRouter } from '@datacules/agent-identity';
+import type { AgentRequestContext, Credential, RoutingRule } from '@datacules/agent-identity';
+
+const credentials: Credential[] = [
+  {
+    id: 'cred-openai-prod',
+    ref: 'vault:openai-prod-key',
+    kind: 'fixed',
+    provider: 'openai',
+    status: 'active',
+  },
+];
+
+const rules: RoutingRule[] = [
+  {
+    id: 'rule-default',
+    credentialRef: 'vault:openai-prod-key',
+    credentialKind: 'fixed',
+    priority: 10,
+  },
+];
+
+const router = createRouter(credentials, rules);
+
+const ctx: AgentRequestContext = {
+  userId:      'user-abc',
+  resourceId:  'knowledge-base',
+  resourceKind:'personal',
+  provider:    'openai',
+  model:       'gpt-4o',
+  action:      'read',
+  traceId:     crypto.randomUUID(),
+  requestedAt: new Date().toISOString(),
+};
+
+const resolved = router.resolve(ctx);
+// resolved.ref        → 'vault:openai-prod-key' — look this up in your vault, server-side
+// resolved.resolvedFor → 'service' (or the userId for user-delegated)
+```
+
+## Routing rule fields
+
+```typescript
+const rule: RoutingRule = {
+  id:             'rule-personal-docs',
+  credentialRef:  'user-oauth-slot',     // ref to a Credential
+  credentialKind: 'user-delegated',      // 'fixed' | 'user-delegated'
+  priority:       10,                    // higher = evaluated first
+  resourceKind:   'personal',            // optional match
+  matchProvider:  'anthropic',           // optional match
+  matchAction:    ['read', 'write'],     // optional match
+  matchUserId:    'user-abc',            // optional match
+  matchSpiffeId:  'spiffe://acme.com/ns/prod/sa/agent', // optional
+  matchPhase:     'extract',             // migration phase match
+  canaryRef:      'user-oauth-slot-v2', // optional canary credential
+  canaryWeight:   5,                    // 0–100% traffic to canary
+  readOnly:       true,                 // enforce read scope
+};
+```
+
+## Migration: `resolvePair`
+
+```typescript
+import type { MigrationContext } from '@datacules/agent-identity';
+
+const pair = router.resolvePair(ctx as MigrationContext);
+// pair.source  — read credential for sourceResourceId
+// pair.target  — write credential for targetResourceId
+// pair.expiresAt — earliest expiry of both
+```
+
+## Zod schemas
+
+```typescript
+import { AgentRequestContextSchema } from '@datacules/agent-identity/schemas';
+
+const parsed = AgentRequestContextSchema.safeParse(body);
+if (!parsed.success) return Response.json({ error: parsed.error.flatten() }, { status: 400 });
+```
+
+## React hook
+
+```typescript
+import { useAgentIdentity } from '@datacules/agent-identity/react';
+
+function Component({ userId }: { userId: string }) {
+  const { resolvedFor, loading, error, expiresAt } = useAgentIdentity({
+    userId, resourceId: 'kb', resourceKind: 'personal',
+    provider: 'anthropic', model: 'claude-sonnet-4-20250514',
+    action: 'read', traceId: crypto.randomUUID(),
+    requestedAt: new Date().toISOString(),
+  });
+  // ...
+}
+```
+
+See the [root README](../../README.md) for the full API reference and all integration options.

package/dist/cjs/attestation.js

@@ -1,42 +1,74 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HmacAttestationSigner = void 0;
+exports.AsymmetricAttestationSigner = exports.HmacAttestationSigner = void 0;
 exports.buildAttestation = buildAttestation;
 exports.verifyAttestation = verifyAttestation;
-// ─── HMAC Signer (built-in, zero deps) ──────────────────────────────────────
+// ─── Shared base64url helpers (module-level; used by both signers) ──────────
+/** Encode a UTF-8 string to base64url */
+function base64urlEncode(input) {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(input).toString('base64url');
+    }
+    return btoa(input).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/** Encode an ArrayBuffer to base64url */
+function bufToBase64url(buf) {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(buf).toString('base64url');
+    }
+    const bytes = new Uint8Array(buf);
+    let binary = '';
+    for (let i = 0; i < bytes.byteLength; i++)
+        binary += String.fromCharCode(bytes[i]);
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+ * Decode a base64url string to a Uint8Array<ArrayBuffer>.
+ *
+ * Returns Uint8Array<ArrayBuffer> (not ArrayBufferLike) so the result is
+ * directly usable as BufferSource in crypto.subtle.verify() without an
+ * extra cast — required since TypeScript 5.5 made Uint8Array generic.
+ */
+function base64urlToBuffer(s) {
+    if (typeof Buffer !== 'undefined') {
+        // Buffer.from() returns Uint8Array<ArrayBufferLike>; copy into a fresh
+        // Uint8Array<ArrayBuffer> so crypto.subtle accepts it as BufferSource.
+        const nodeBuf = Buffer.from(s, 'base64url');
+        const out = new Uint8Array(nodeBuf.length);
+        out.set(nodeBuf);
+        return out;
+    }
+    const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+/** Decode a base64url body segment to a UTF-8 string */
+function base64urlDecodeString(s) {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(s, 'base64url').toString('utf8');
+    }
+    return atob(s.replace(/-/g, '+').replace(/_/g, '/'));
+}
+// ─── HMAC Signer (built-in, zero deps) ───────────────────────────────────
 class HmacAttestationSigner {
     constructor(options) {
         this.secret = options.secret;
         this.issuer = options.issuer ?? 'agent-identity';
         this.ttlSeconds = options.ttlSeconds ?? 300;
     }
-    base64url(input) {
-        // Works in both browser and Node 18+ (Buffer is global in Node)
-        if (typeof Buffer !== 'undefined') {
-            return Buffer.from(input).toString('base64url');
-        }
-        // Browser fallback via btoa
-        return btoa(input).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    }
-    bufToBase64url(buf) {
-        if (typeof Buffer !== 'undefined') {
-            return Buffer.from(buf).toString('base64url');
-        }
-        const bytes = new Uint8Array(buf);
-        let binary = '';
-        for (let i = 0; i < bytes.byteLength; i++)
-            binary += String.fromCharCode(bytes[i]);
-        return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    }
     async hmacSign(data) {
         const enc = new TextEncoder();
         const key = await crypto.subtle.importKey('raw', enc.encode(this.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
         const sig = await crypto.subtle.sign('HMAC', key, enc.encode(data));
-        return this.bufToBase64url(sig);
+        return bufToBase64url(sig);
     }
     async sign(payload) {
-        const header = this.base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
-        const body = this.base64url(JSON.stringify(payload));
+        const header = base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+        const body = base64urlEncode(JSON.stringify(payload));
         const sig = await this.hmacSign(`${header}.${body}`);
         return `${header}.${body}.${sig}`;
     }
@@ -48,11 +80,7 @@ class HmacAttestationSigner {
             const expected = await this.hmacSign(`${header}.${body}`);
             if (expected !== sig)
                 return null;
-            // Decode body: Node uses Buffer, browsers use atob
-            const decoded = typeof Buffer !== 'undefined'
-                ? Buffer.from(body, 'base64url').toString('utf8')
-                : atob(body.replace(/-/g, '+').replace(/_/g, '/'));
-            return JSON.parse(decoded);
+            return JSON.parse(base64urlDecodeString(body));
         }
         catch {
             return null;
@@ -60,6 +88,80 @@ class HmacAttestationSigner {
     }
 }
 exports.HmacAttestationSigner = HmacAttestationSigner;
+// ─── Asymmetric Signer (RS256 / ES256) ──────────────────────────────────
+/**
+ * Asymmetric JWT signer/verifier using Web Crypto (RS256 or ES256).
+ * Uses only crypto.subtle — no external dependencies.
+ *
+ * For signing (e.g. minting your own attestations):
+ *   const signer = await AsymmetricAttestationSigner.fromKeyPair(privateKey, publicKey, 'RS256');
+ *
+ * For verification only (e.g. verifying incoming ID-JAGs from JWKS):
+ *   const verifier = await AsymmetricAttestationSigner.fromPublicJwk(publicJwk, 'RS256');
+ */
+class AsymmetricAttestationSigner {
+    constructor(privateKey, publicKey, algorithm, ttlSeconds) {
+        this.privateKey = privateKey;
+        this.publicKey = publicKey;
+        this.algorithm = algorithm;
+        this.ttlSeconds = ttlSeconds;
+    }
+    // ─── Static factory methods ──────────────────────────────────────────────
+    /**
+     * Create a signing+verification instance from an already-imported key pair.
+     */
+    static async fromKeyPair(privateKey, publicKey, algorithm, options) {
+        return new AsymmetricAttestationSigner(privateKey, publicKey, algorithm, options?.ttlSeconds ?? 300);
+    }
+    /**
+     * Create a verification-only instance from a JSON Web Key.
+     * Calling sign() on this instance will throw.
+     */
+    static async fromPublicJwk(jwk, algorithm) {
+        const importAlgo = algorithm === 'RS256'
+            ? { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }
+            : { name: 'ECDSA', namedCurve: 'P-256' };
+        const publicKey = await crypto.subtle.importKey('jwk', jwk, importAlgo, true, ['verify']);
+        return new AsymmetricAttestationSigner(null, publicKey, algorithm, 300);
+    }
+    // ─── Sign / Verify ────────────────────────────────────────────────────────────
+    async sign(payload) {
+        if (!this.privateKey) {
+            throw new Error('AsymmetricAttestationSigner: no private key — verification-only instance');
+        }
+        const header = base64urlEncode(JSON.stringify({ alg: this.algorithm, typ: 'JWT' }));
+        const body = base64urlEncode(JSON.stringify(payload));
+        const signingInput = `${header}.${body}`;
+        const data = new TextEncoder().encode(signingInput);
+        const algo = this.algorithm === 'RS256'
+            ? 'RSASSA-PKCS1-v1_5'
+            : { name: 'ECDSA', hash: 'SHA-256' };
+        const sigBuf = await crypto.subtle.sign(algo, this.privateKey, data);
+        const sig = bufToBase64url(sigBuf);
+        return `${header}.${body}.${sig}`;
+    }
+    async verify(token) {
+        try {
+            const [header, body, sig] = token.split('.');
+            if (!header || !body || !sig)
+                return null;
+            const signingInput = `${header}.${body}`;
+            const data = new TextEncoder().encode(signingInput);
+            const sigBytes = base64urlToBuffer(sig);
+            const algo = this.algorithm === 'RS256'
+                ? 'RSASSA-PKCS1-v1_5'
+                : { name: 'ECDSA', hash: 'SHA-256' };
+            const valid = await crypto.subtle.verify(algo, this.publicKey, sigBytes, data);
+            if (!valid)
+                return null;
+            return JSON.parse(base64urlDecodeString(body));
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.AsymmetricAttestationSigner = AsymmetricAttestationSigner;
 async function buildAttestation(ctx, resolved, options) {
     const now = Math.floor(Date.now() / 1000);
     const payload = {
@@ -76,7 +178,7 @@ async function buildAttestation(ctx, resolved, options) {
     };
     return options.signer.sign(payload);
 }
-// ─── Standalone verifyAttestation helper ────────────────────────────────────
+// ─── Standalone verifyAttestation helper ──────────────────────────────────
 async function verifyAttestation(token, signer) {
     const raw = await signer.verify(token);
     if (!raw)

package/dist/cjs/attestation.js.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":";;;AA2FA,4CAmBC;AAID,8CASC;AA9GD,+EAA+E;AAE/E,MAAa,qBAAqB;IAKhC,YAAY,OAAiE;QAC3E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACjD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;IAC9C,CAAC;IAEO,SAAS,CAAC,KAAa;QAC7B,gEAAgE;QAChE,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAClD,CAAC;QACD,4BAA4B;QAC5B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC/E,CAAC;IAEO,cAAc,CAAC,GAAgB;QACrC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,EAAE;YAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAChF,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,IAAY;QACjC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EACvB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACrD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YAC1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YAC1D,IAAI,QAAQ,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YAClC,mDAAmD;YACnD,MAAM,OAAO,GAAG,OAAO,MAAM,KAAK,WAAW;gBAC3C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACjD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YACrD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAjED,sDAiEC;AAWM,KAAK,UAAU,gBAAgB,CACpC,GAAwB,EACxB,QAA4B,EAC5B,OAA2B;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAuB;QAClC,GAAG,EAAE,OAAO,CAAC,MAAM,IAAI,gBAAgB;QACvC,GAAG,EAAE,GAAG,CAAC,MAAM;QACf,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;KACvC,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAA6C,CAAC,CAAC;AAC5E,CAAC;AAED,+EAA+E;AAExE,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,MAAyB;IAEzB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAoC,CAAC;AAC9C,CAAC"}
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":";;;AAiOA,4CAmBC;AAID,8CASC;AApPD,+EAA+E;AAE/E,yCAAyC;AACzC,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,yCAAyC;AACzC,SAAS,cAAc,CAAC,GAAgB;IACtC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,EAAE;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,CAAS;IAClC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC3C,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACjB,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wDAAwD;AACxD,SAAS,qBAAqB,CAAC,CAAS;IACtC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,4EAA4E;AAE5E,MAAa,qBAAqB;IAKhC,YAAY,OAAiE;QAC3E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACjD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;IAC9C,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,IAAY;QACjC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EACvB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACpE,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgC;QACzC,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7E,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YAC1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YAC1D,IAAI,QAAQ,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA1CD,sDA0CC;AAED,2EAA2E;AAE3E;;;;;;;;;GASG;AACH,MAAa,2BAA2B;IACtC,YACmB,UAA4B,EAC5B,SAAoB,EACpB,SAA4B,EAC5B,UAAkB;QAHlB,eAAU,GAAV,UAAU,CAAkB;QAC5B,cAAS,GAAT,SAAS,CAAW;QACpB,cAAS,GAAT,SAAS,CAAmB;QAC5B,eAAU,GAAV,UAAU,CAAQ;IAClC,CAAC;IAEJ,4EAA4E;IAE5E;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,WAAW,CACtB,UAAqB,EACrB,SAAoB,EACpB,SAA4B,EAC5B,OAAiC;QAEjC,OAAO,IAAI,2BAA2B,CACpC,UAAU,EACV,SAAS,EACT,SAAS,EACT,OAAO,EAAE,UAAU,IAAI,GAAG,CAC3B,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,aAAa,CACxB,GAAe,EACf,SAA4B;QAE5B,MAAM,UAAU,GACd,SAAS,KAAK,OAAO;YACnB,CAAC,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE;YAChD,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1F,OAAO,IAAI,2BAA2B,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IAC1E,CAAC;IAED,iFAAiF;IAEjF,KAAK,CAAC,IAAI,CAAC,OAAgC;QACzC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CACb,0EAA0E,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,eAAe,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CACpD,CAAC;QACF,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAEpD,MAAM,IAAI,GACR,IAAI,CAAC,SAAS,KAAK,OAAO;YACxB,CAAC,CAAC,mBAAmB;YACrB,CAAC,CAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAkB,CAAC;QAE1D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACnC,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YAE1C,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACpD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;YAExC,MAAM,IAAI,GACR,IAAI,CAAC,SAAS,KAAK,OAAO;gBACxB,CAAC,CAAC,mBAAmB;gBACrB,CAAC,CAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAkB,CAAC;YAE1D,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC/E,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAExB,OAAO,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA1FD,kEA0FC;AAWM,KAAK,UAAU,gBAAgB,CACpC,GAAwB,EACxB,QAA4B,EAC5B,OAA2B;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAuB;QAClC,GAAG,EAAE,OAAO,CAAC,MAAM,IAAI,gBAAgB;QACvC,GAAG,EAAE,GAAG,CAAC,MAAM;QACf,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;KACvC,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAA6C,CAAC,CAAC;AAC5E,CAAC;AAED,6EAA6E;AAEtE,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,MAAyB;IAEzB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAoC,CAAC;AAC9C,CAAC"}

package/dist/cjs/identity-providers.js

@@ -0,0 +1,100 @@
+"use strict";
+/**
+ * ID-JAG verification utilities — validates the claims on a decoded ID-JAG
+ * payload against a TrustedProviderRegistry.
+ *
+ * Signature verification is left to the caller (requires a JWT library or
+ * Web Crypto with the provider's JWKS). This module validates claims only.
+ *
+ * @module identity-providers
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateIdJagClaims = validateIdJagClaims;
+// ─── validateIdJagClaims ──────────────────────────────────────────────────────
+/**
+ * Validate ID-JAG claims (NOT signature — that's the caller's responsibility).
+ *
+ * Steps:
+ *   1. Find provider by payload.iss — return issuer_not_trusted if absent.
+ *   2. If provider.enabled === false — return provider_disabled.
+ *   3. If token is expired (with clock skew tolerance) — return expired.
+ *   4. If audience does not include the expected audience — return audience_mismatch.
+ *   5. If neither email_verified nor phone_number_verified — return missing_verified_identity.
+ *   6. If provider.requiredAmr is set and none of its values appear in payload.amr
+ *      — return amr_not_satisfied.
+ *   7. Return { valid: true, provider }.
+ *
+ * @param payload       Decoded JWT payload (signature NOT verified here)
+ * @param audience      Expected aud (this service's authorization server URL)
+ * @param registry      Configured trusted providers
+ * @param nowMs         Current time in ms (injectable for testing; defaults to Date.now())
+ * @param clockSkewMs   Accepted clock skew in ms (default: 120_000 = 2 minutes)
+ */
+function validateIdJagClaims(payload, audience, registry, nowMs, clockSkewMs) {
+    const now = nowMs ?? Date.now();
+    const skew = clockSkewMs ?? 120000;
+    // 1. Issuer lookup
+    const provider = registry.providers.find((p) => p.issuerUrl === payload.iss);
+    if (!provider) {
+        return {
+            valid: false,
+            error: 'issuer_not_trusted',
+            errorMessage: `Issuer '${payload.iss}' is not in the trusted provider registry`,
+        };
+    }
+    // 2. Provider enabled check (undefined → enabled)
+    if (provider.enabled === false) {
+        return {
+            valid: false,
+            provider,
+            error: 'provider_disabled',
+            errorMessage: `Provider '${provider.label}' is currently disabled`,
+        };
+    }
+    // 3. Expiry check (exp is in seconds; add clock skew tolerance)
+    if (payload.exp * 1000 < now - skew) {
+        return {
+            valid: false,
+            provider,
+            error: 'expired',
+            errorMessage: `Token expired at ${new Date(payload.exp * 1000).toISOString()}`,
+        };
+    }
+    // 4. Audience check
+    const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+    if (!audiences.includes(audience)) {
+        return {
+            valid: false,
+            provider,
+            error: 'audience_mismatch',
+            errorMessage: `Expected audience '${audience}' not found in token aud claim`,
+        };
+    }
+    // 5. Verified identity check — must have at least one verified identity claim
+    const hasVerifiedEmail = payload.email_verified === true;
+    const hasVerifiedPhone = payload.phone_number_verified === true;
+    if (!hasVerifiedEmail && !hasVerifiedPhone) {
+        return {
+            valid: false,
+            provider,
+            error: 'missing_verified_identity',
+            errorMessage: 'Token must have either email_verified=true or phone_number_verified=true',
+        };
+    }
+    // 6. AMR check
+    if (provider.requiredAmr && provider.requiredAmr.length > 0) {
+        const tokenAmr = payload.amr ?? [];
+        const satisfied = provider.requiredAmr.some((required) => tokenAmr.includes(required));
+        if (!satisfied) {
+            return {
+                valid: false,
+                provider,
+                error: 'amr_not_satisfied',
+                errorMessage: `Required AMR values [${provider.requiredAmr.join(', ')}] not found in token amr: [${tokenAmr.join(', ')}]`,
+            };
+        }
+    }
+    // 7. All checks passed
+    return { valid: true, provider };
+}
+//# sourceMappingURL=identity-providers.js.map

package/dist/cjs/identity-providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-providers.js","sourceRoot":"","sources":["../../src/identity-providers.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA2DH,kDA+EC;AApGD,iFAAiF;AAEjF;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,mBAAmB,CACjC,OAAqB,EACrB,QAAgB,EAChB,QAAiC,EACjC,KAAc,EACd,WAAoB;IAEpB,MAAM,GAAG,GAAG,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,WAAW,IAAI,MAAO,CAAC;IAEpC,mBAAmB;IACnB,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7E,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,oBAAoB;YAC3B,YAAY,EAAE,WAAW,OAAO,CAAC,GAAG,2CAA2C;SAChF,CAAC;IACJ,CAAC;IAED,kDAAkD;IAClD,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,aAAa,QAAQ,CAAC,KAAK,yBAAyB;SACnE,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;QACpC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,SAAS;YAChB,YAAY,EAAE,oBAAoB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;SAC/E,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,sBAAsB,QAAQ,gCAAgC;SAC7E,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG,OAAO,CAAC,cAAc,KAAK,IAAI,CAAC;IACzD,MAAM,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,KAAK,IAAI,CAAC;IAChE,IAAI,CAAC,gBAAgB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC3C,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,QAAQ;YACR,KAAK,EAAE,2BAA2B;YAClC,YAAY,EAAE,0EAA0E;SACzF,CAAC;IACJ,CAAC;IAED,eAAe;IACf,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QACnC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QACvF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,QAAQ;gBACR,KAAK,EAAE,mBAAmB;gBAC1B,YAAY,EAAE,wBAAwB,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,8BAA8B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;aAC1H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AACnC,CAAC"}

package/dist/cjs/index.js

@@ -30,6 +30,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 // ─── Runtime modules (classes, functions, const) ─────────────────────────────
+// Core router + built-in stores
 __exportStar(require("./router"), exports);
 __exportStar(require("./providers"), exports);
 __exportStar(require("./credentials"), exports);
@@ -39,4 +40,8 @@ __exportStar(require("./attestation"), exports);
 __exportStar(require("./approval"), exports);
 __exportStar(require("./budget"), exports);
 __exportStar(require("./federation"), exports);
+// auth.md compatibility — identity providers, revocation, and claim lifecycle
+__exportStar(require("./identity-providers"), exports);
+__exportStar(require("./revocation"), exports);
+__exportStar(require("./revocation-listener"), exports);
 //# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;AAOH,gFAAgF;AAChF,2CAAyB;AACzB,8CAA4B;AAC5B,gDAA8B;AAC9B,6CAA2B;AAC3B,6CAA2B;AAC3B,gDAA8B;AAC9B,6CAA2B;AAC3B,2CAAyB;AACzB,+CAA6B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;AAOH,gFAAgF;AAChF,gCAAgC;AAChC,2CAAyB;AACzB,8CAA4B;AAC5B,gDAA8B;AAC9B,6CAA2B;AAC3B,6CAA2B;AAC3B,gDAA8B;AAC9B,6CAA2B;AAC3B,2CAAyB;AACzB,+CAA6B;AAE7B,8EAA8E;AAC9E,uDAAqC;AACrC,+CAA6B;AAC7B,wDAAsC"}

package/dist/cjs/revocation-listener.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * RevocationListener — framework-agnostic inbound revocation handler.
+ *
+ * The listener does NOT handle JWKS fetching or JWT signature verification —
+ * those depend on external libraries. Pass a LogoutJwtVerifier that handles
+ * verification for your environment, then wire handleRequest() into your router.
+ *
+ * Express example:
+ *   app.post('/agent/auth/revoke', async (req, res) => {
+ *     const result = await listener.handleRequest(req.body, req.headers);
+ *     res.status(result.httpStatus).json(result.body);
+ *   });
+ *
+ * Fastify example:
+ *   fastify.post('/agent/auth/revoke', async (req, reply) => {
+ *     const result = await listener.handleRequest(req.body as string, req.headers);
+ *     reply.code(result.httpStatus).send(result.body);
+ *   });
+ *
+ * @module revocation-listener
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RevocationListener = void 0;
+// ─── RevocationListener ──────────────────────────────────────────────────
+class RevocationListener {
+    constructor(opts) {
+        this.opts = opts;
+    }
+    /**
+     * Handle a raw revocation request body and headers.
+     *
+     * Processing steps:
+     *   1. Validate Content-Type contains 'application/logout+jwt'.
+     *   2. Call verifier.verify(rawBody) — if null, reject with 400.
+     *   3. Call handler.process(payload) — if replay, return 200 with 0 revoked.
+     *   4. Return 200 with credentialsRevoked count.
+     *
+     * @param rawBody  The request body string (the logout+jwt token itself,
+     *                 per Content-Type: application/logout+jwt)
+     * @param headers  Request headers (for Content-Type validation)
+     */
+    async handleRequest(rawBody, headers) {
+        // 1. Content-Type validation
+        const contentType = headers['content-type'] ?? headers['Content-Type'] ?? '';
+        const ctString = Array.isArray(contentType) ? contentType[0] : contentType;
+        if (!ctString.includes('application/logout+jwt')) {
+            return {
+                httpStatus: 400,
+                body: { error: 'invalid_content_type' },
+            };
+        }
+        // 2. Signature verification (delegated to caller-supplied verifier)
+        const payload = await this.opts.verifier.verify(rawBody);
+        if (!payload) {
+            return {
+                httpStatus: 400,
+                body: { error: 'invalid_logout_token' },
+            };
+        }
+        // 3. Process revocation (includes replay detection)
+        const result = await this.opts.handler.process(payload);
+        // Replay: return 200 with 0 revoked (idempotent)
+        if (result.replay) {
+            return {
+                httpStatus: 200,
+                body: { status: 'ok', credentialsRevoked: 0 },
+            };
+        }
+        // 4. Success
+        return {
+            httpStatus: 200,
+            body: { status: 'ok', credentialsRevoked: result.credentialsRevoked },
+        };
+    }
+}
+exports.RevocationListener = RevocationListener;
+//# sourceMappingURL=revocation-listener.js.map

package/dist/cjs/revocation-listener.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocation-listener.js","sourceRoot":"","sources":["../../src/revocation-listener.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;;;AA0BH,4EAA4E;AAE5E,MAAa,kBAAkB;IAC7B,YAA6B,IAA+B;QAA/B,SAAI,GAAJ,IAAI,CAA2B;IAAG,CAAC;IAEhE;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,OAAsD;QAEtD,6BAA6B;QAC7B,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC7E,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAC3E,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;YACjD,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,IAAI,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,oEAAoE;QACpE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,IAAI,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAExD,iDAAiD;QACjD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC,EAAE;aAC9C,CAAC;QACJ,CAAC;QAED,aAAa;QACb,OAAO;YACL,UAAU,EAAE,GAAG;YACf,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,EAAE;SACtE,CAAC;IACJ,CAAC;CACF;AAxDD,gDAwDC"}

package/dist/cjs/revocation.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * Inbound revocation handler — receives logout+jwt tokens from identity
+ * providers and propagates revocation to the CredentialStore.
+ *
+ * This module validates the logout+jwt STRUCTURE (does NOT verify the
+ * signature). The caller (e.g. an Express/Fastify route handler) is
+ * responsible for JWKS-based signature verification before passing the
+ * decoded payload here.
+ *
+ * @module revocation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RevocationHandler = void 0;
+// ─── RevocationHandler ─────────────────────────────────────────────────────
+/**
+ * RevocationHandler validates and processes inbound logout tokens.
+ *
+ * Usage:
+ *   const handler = new RevocationHandler(store);
+ *   // In your route: const payload = await verifyLogoutJwt(token, jwks); // caller's job
+ *   const result = await handler.process(payload);
+ *
+ * The handler keeps an in-memory jti replay cache with configurable TTL.
+ * Stale entries are evicted lazily on each process() call.
+ */
+class RevocationHandler {
+    constructor(store, options) {
+        this.store = store;
+        /**
+         * jti → processed-at timestamp (ms).
+         * Evict entries older than maxAgeMs.
+         */
+        this.seen = new Map();
+        this.maxAgeMs = options?.maxAgeMs ?? 10 * 60 * 1000; // 10 minutes default
+    }
+    async process(payload) {
+        this.evictStale();
+        // Replay detection
+        if (this.seen.has(payload.jti)) {
+            return { jti: payload.jti, credentialsRevoked: 0, replay: true };
+        }
+        this.seen.set(payload.jti, Date.now());
+        // Propagate revocation to the store (optional method; graceful if absent)
+        const count = this.store.revokeByIdentity
+            ? await this.store.revokeByIdentity(payload.iss, payload.sub, payload.aud)
+            : 0;
+        return { jti: payload.jti, credentialsRevoked: count, replay: false };
+    }
+    evictStale() {
+        const cutoff = Date.now() - this.maxAgeMs;
+        for (const [jti, ts] of this.seen) {
+            if (ts < cutoff)
+                this.seen.delete(jti);
+        }
+    }
+}
+exports.RevocationHandler = RevocationHandler;
+//# sourceMappingURL=revocation.js.map

package/dist/cjs/revocation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../src/revocation.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAsBH,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAa,iBAAiB;IAQ5B,YACmB,KAAsB,EACvC,OAA+B;QADd,UAAK,GAAL,KAAK,CAAiB;QARzC;;;WAGG;QACc,SAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;QAOhD,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,qBAAqB;IAC5E,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAA2B;QACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,mBAAmB;QACnB,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEvC,0EAA0E;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB;YACvC,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC;YAC1E,CAAC,CAAC,CAAC,CAAC;QAEN,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACxE,CAAC;IAEO,UAAU;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,EAAE,GAAG,MAAM;gBAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;CACF;AAtCD,8CAsCC"}

package/dist/cjs/rotation.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CredentialRotationScheduler = void 0;
-// ─── CredentialRotationScheduler ─────────────────────────────────────────────
+// ─── CredentialRotationScheduler ───────────────────────────────────────────────
 class CredentialRotationScheduler {
     constructor(repository, auditLogger) {
         this.repository = repository;
@@ -20,8 +20,13 @@ class CredentialRotationScheduler {
         const credentials = await this.repository.listActive();
         const now = new Date();
         for (const cred of credentials) {
+            // Skip credentials with no rotation policy
             if (!cred.rotation)
                 continue;
+            // Skip unclaimed auth.md credentials — they cannot be rotated until
+            // the claim ceremony is complete and status flips to 'active'
+            if (cred.status === 'unclaimed')
+                continue;
             const due = this.isRotationDue(cred, cred.rotation, now);
             if (!due) {
                 await this.maybeEmitWarning(cred, cred.rotation, now);