@datacules/agent-identity 0.9.0 → 0.10.0
- package/README.md +128 -0
- package/dist/cjs/attestation.js +131 -29
- package/dist/cjs/attestation.js.map +1 -1
- package/dist/cjs/identity-providers.js +100 -0
- package/dist/cjs/identity-providers.js.map +1 -0
- package/dist/cjs/index.js +5 -0
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/revocation-listener.js +78 -0
- package/dist/cjs/revocation-listener.js.map +1 -0
- package/dist/cjs/revocation.js +59 -0
- package/dist/cjs/revocation.js.map +1 -0
- package/dist/cjs/rotation.js +6 -1
- package/dist/cjs/rotation.js.map +1 -1
- package/dist/cjs/router.js +27 -5
- package/dist/cjs/router.js.map +1 -1
- package/dist/cjs/schemas.js +26 -2
- package/dist/cjs/schemas.js.map +1 -1
- package/dist/esm/attestation.js +129 -28
- package/dist/esm/attestation.js.map +1 -1
- package/dist/esm/identity-providers.js +97 -0
- package/dist/esm/identity-providers.js.map +1 -0
- package/dist/esm/index.js +5 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/revocation-listener.js +74 -0
- package/dist/esm/revocation-listener.js.map +1 -0
- package/dist/esm/revocation.js +55 -0
- package/dist/esm/revocation.js.map +1 -0
- package/dist/esm/rotation.js +6 -1
- package/dist/esm/rotation.js.map +1 -1
- package/dist/esm/router.js +27 -5
- package/dist/esm/router.js.map +1 -1
- package/dist/esm/schemas.js +25 -1
- package/dist/esm/schemas.js.map +1 -1
- package/dist/types/attestation.d.ts +34 -6
- package/dist/types/attestation.d.ts.map +1 -1
- package/dist/types/identity-providers.d.ts +53 -0
- package/dist/types/identity-providers.d.ts.map +1 -0
- package/dist/types/index.d.ts +3 -0
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/revocation-listener.d.ts +63 -0
- package/dist/types/revocation-listener.d.ts.map +1 -0
- package/dist/types/revocation.d.ts +52 -0
- package/dist/types/revocation.d.ts.map +1 -0
- package/dist/types/rotation.d.ts.map +1 -1
- package/dist/types/router.d.ts +14 -0
- package/dist/types/router.d.ts.map +1 -1
- package/dist/types/schemas.d.ts +89 -4
- package/dist/types/schemas.d.ts.map +1 -1
- package/dist/types/types.d.ts +82 -1
- package/dist/types/types.d.ts.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* RevocationListener — framework-agnostic inbound revocation handler.
|
|
3
|
+
*
|
|
4
|
+
* The listener does NOT handle JWKS fetching or JWT signature verification —
|
|
5
|
+
* those depend on external libraries. Pass a LogoutJwtVerifier that handles
|
|
6
|
+
* verification for your environment, then wire handleRequest() into your router.
|
|
7
|
+
*
|
|
8
|
+
* Express example:
|
|
9
|
+
* app.post('/agent/auth/revoke', async (req, res) => {
|
|
10
|
+
* const result = await listener.handleRequest(req.body, req.headers);
|
|
11
|
+
* res.status(result.httpStatus).json(result.body);
|
|
12
|
+
* });
|
|
13
|
+
*
|
|
14
|
+
* Fastify example:
|
|
15
|
+
* fastify.post('/agent/auth/revoke', async (req, reply) => {
|
|
16
|
+
* const result = await listener.handleRequest(req.body as string, req.headers);
|
|
17
|
+
* reply.code(result.httpStatus).send(result.body);
|
|
18
|
+
* });
|
|
19
|
+
*
|
|
20
|
+
* @module revocation-listener
|
|
21
|
+
*/
|
|
22
|
+
// ─── RevocationListener ──────────────────────────────────────────────────
|
|
23
|
+
export class RevocationListener {
|
|
24
|
+
constructor(opts) {
|
|
25
|
+
this.opts = opts;
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* Handle a raw revocation request body and headers.
|
|
29
|
+
*
|
|
30
|
+
* Processing steps:
|
|
31
|
+
* 1. Validate Content-Type contains 'application/logout+jwt'.
|
|
32
|
+
* 2. Call verifier.verify(rawBody) — if null, reject with 400.
|
|
33
|
+
* 3. Call handler.process(payload) — if replay, return 200 with 0 revoked.
|
|
34
|
+
* 4. Return 200 with credentialsRevoked count.
|
|
35
|
+
*
|
|
36
|
+
* @param rawBody The request body string (the logout+jwt token itself,
|
|
37
|
+
* per Content-Type: application/logout+jwt)
|
|
38
|
+
* @param headers Request headers (for Content-Type validation)
|
|
39
|
+
*/
|
|
40
|
+
async handleRequest(rawBody, headers) {
|
|
41
|
+
// 1. Content-Type validation
|
|
42
|
+
const contentType = headers['content-type'] ?? headers['Content-Type'] ?? '';
|
|
43
|
+
const ctString = Array.isArray(contentType) ? contentType[0] : contentType;
|
|
44
|
+
if (!ctString.includes('application/logout+jwt')) {
|
|
45
|
+
return {
|
|
46
|
+
httpStatus: 400,
|
|
47
|
+
body: { error: 'invalid_content_type' },
|
|
48
|
+
};
|
|
49
|
+
}
|
|
50
|
+
// 2. Signature verification (delegated to caller-supplied verifier)
|
|
51
|
+
const payload = await this.opts.verifier.verify(rawBody);
|
|
52
|
+
if (!payload) {
|
|
53
|
+
return {
|
|
54
|
+
httpStatus: 400,
|
|
55
|
+
body: { error: 'invalid_logout_token' },
|
|
56
|
+
};
|
|
57
|
+
}
|
|
58
|
+
// 3. Process revocation (includes replay detection)
|
|
59
|
+
const result = await this.opts.handler.process(payload);
|
|
60
|
+
// Replay: return 200 with 0 revoked (idempotent)
|
|
61
|
+
if (result.replay) {
|
|
62
|
+
return {
|
|
63
|
+
httpStatus: 200,
|
|
64
|
+
body: { status: 'ok', credentialsRevoked: 0 },
|
|
65
|
+
};
|
|
66
|
+
}
|
|
67
|
+
// 4. Success
|
|
68
|
+
return {
|
|
69
|
+
httpStatus: 200,
|
|
70
|
+
body: { status: 'ok', credentialsRevoked: result.credentialsRevoked },
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
//# sourceMappingURL=revocation-listener.js.map
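Review bot: The Content-Type gate in handleRequest() (hunk lines 42–44) is a case-sensitive substring test, so it accepts any header value that merely contains `application/logout+jwt` (a `text/plain; x=application/logout+jwt` body passes) and rejects legitimate case variants such as `Application/Logout+JWT`, although media types are case-insensitive; it also throws a TypeError when the header arrives as an empty array, because `contentType[0]` is then undefined. Parse the media type instead: `const ctString = (Array.isArray(contentType) ? contentType[0] : contentType) ?? '';` `const mediaType = ctString.split(';')[0].trim().toLowerCase();` `if (mediaType !== 'application/logout+jwt') {`. The verifier call on hunk line 51 is not wrapped, so a token that makes verify() throw rather than return null surfaces as an unhandled rejection in the host framework instead of the documented 400; a try/catch around that one call that maps any throw to the same `invalid_logout_token` response keeps the contract the JSDoc promises.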
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"revocation-listener.js","sourceRoot":"","sources":["../../src/revocation-listener.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AA0BH,4EAA4E;AAE5E,MAAM,OAAO,kBAAkB;IAC7B,YAA6B,IAA+B;QAA/B,SAAI,GAAJ,IAAI,CAA2B;IAAG,CAAC;IAEhE;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,OAAsD;QAEtD,6BAA6B;QAC7B,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC7E,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAC3E,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;YACjD,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,IAAI,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,oEAAoE;QACpE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,IAAI,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAExD,iDAAiD;QACjD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC,EAAE;aAC9C,CAAC;QACJ,CAAC;QAED,aAAa;QACb,OAAO;YACL,UAAU,EAAE,GAAG;YACf,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,EAAE;SACtE,CAAC;IACJ,CAAC;CACF"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Inbound revocation handler — receives logout+jwt tokens from identity
|
|
3
|
+
* providers and propagates revocation to the CredentialStore.
|
|
4
|
+
*
|
|
5
|
+
* This module validates the logout+jwt STRUCTURE (does NOT verify the
|
|
6
|
+
* signature). The caller (e.g. an Express/Fastify route handler) is
|
|
7
|
+
* responsible for JWKS-based signature verification before passing the
|
|
8
|
+
* decoded payload here.
|
|
9
|
+
*
|
|
10
|
+
* @module revocation
|
|
11
|
+
*/
|
|
12
|
+
// ─── RevocationHandler ─────────────────────────────────────────────────────
|
|
13
|
+
/**
|
|
14
|
+
* RevocationHandler validates and processes inbound logout tokens.
|
|
15
|
+
*
|
|
16
|
+
* Usage:
|
|
17
|
+
* const handler = new RevocationHandler(store);
|
|
18
|
+
* // In your route: const payload = await verifyLogoutJwt(token, jwks); // caller's job
|
|
19
|
+
* const result = await handler.process(payload);
|
|
20
|
+
*
|
|
21
|
+
* The handler keeps an in-memory jti replay cache with configurable TTL.
|
|
22
|
+
* Stale entries are evicted lazily on each process() call.
|
|
23
|
+
*/
|
|
24
|
+
export class RevocationHandler {
|
|
25
|
+
constructor(store, options) {
|
|
26
|
+
this.store = store;
|
|
27
|
+
/**
|
|
28
|
+
* jti → processed-at timestamp (ms).
|
|
29
|
+
* Evict entries older than maxAgeMs.
|
|
30
|
+
*/
|
|
31
|
+
this.seen = new Map();
|
|
32
|
+
this.maxAgeMs = options?.maxAgeMs ?? 10 * 60 * 1000; // 10 minutes default
|
|
33
|
+
}
|
|
34
|
+
async process(payload) {
|
|
35
|
+
this.evictStale();
|
|
36
|
+
// Replay detection
|
|
37
|
+
if (this.seen.has(payload.jti)) {
|
|
38
|
+
return { jti: payload.jti, credentialsRevoked: 0, replay: true };
|
|
39
|
+
}
|
|
40
|
+
this.seen.set(payload.jti, Date.now());
|
|
41
|
+
// Propagate revocation to the store (optional method; graceful if absent)
|
|
42
|
+
const count = this.store.revokeByIdentity
|
|
43
|
+
? await this.store.revokeByIdentity(payload.iss, payload.sub, payload.aud)
|
|
44
|
+
: 0;
|
|
45
|
+
return { jti: payload.jti, credentialsRevoked: count, replay: false };
|
|
46
|
+
}
|
|
47
|
+
evictStale() {
|
|
48
|
+
const cutoff = Date.now() - this.maxAgeMs;
|
|
49
|
+
for (const [jti, ts] of this.seen) {
|
|
50
|
+
if (ts < cutoff)
|
|
51
|
+
this.seen.delete(jti);
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
//# sourceMappingURL=revocation.js.map
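Review bot: The replay cache in process() (hunk lines 37–40) is keyed on `payload.jti` alone, but a jti is only unique per issuer, so with more than one trusted identity provider a logout token from issuer B whose jti happens to equal one already seen from issuer A is reported as a replay and never propagated to the store. Key the cache on the issuer/jti pair: `const replayKey = payload.iss + '\u0000' + payload.jti;` then `if (this.seen.has(replayKey)) {` and `this.seen.set(replayKey, Date.now());`. The module header states that this module validates the logout+jwt structure, yet nothing in the hunk checks that `jti`, `iss` or `sub` are present non-empty strings; a token with an undefined jti is cached under the key `undefined` and every later jti-less token is then treated as a replay, so either add that check before the cache lookup or reword the header to say validation is the verifier's job. The `seen` map is bounded only by maxAgeMs and eviction is lazy, so a burst of distinct tokens from a trusted issuer within the window grows it without limit, which is presumably acceptable at the 10-minute default but worth stating in the class JSDoc.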
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../src/revocation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAsBH,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAiB;IAQ5B,YACmB,KAAsB,EACvC,OAA+B;QADd,UAAK,GAAL,KAAK,CAAiB;QARzC;;;WAGG;QACc,SAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;QAOhD,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,qBAAqB;IAC5E,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAA2B;QACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,mBAAmB;QACnB,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEvC,0EAA0E;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB;YACvC,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC;YAC1E,CAAC,CAAC,CAAC,CAAC;QAEN,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACxE,CAAC;IAEO,UAAU;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,EAAE,GAAG,MAAM;gBAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;CACF"}
|
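--- a/package/dist/esm/rotation.js
+++ b/package/dist/esm/rotation.js
@@ -1,4 +1,4 @@
-// ─── CredentialRotationScheduler
+// ─── CredentialRotationScheduler ───────────────────────────────────────────────
 export class CredentialRotationScheduler {
 constructor(repository, auditLogger) {
 this.repository = repository;
@@ -17,8 +17,13 @@ export class CredentialRotationScheduler {
 const credentials = await this.repository.listActive();
 const now = new Date();
 for (const cred of credentials) {
+// Skip credentials with no rotation policy
 if (!cred.rotation)
 continue;
+// Skip unclaimed auth.md credentials — they cannot be rotated until
+// the claim ceremony is complete and status flips to 'active'
+if (cred.status === 'unclaimed')
+continue;
 const due = this.isRotationDue(cred, cred.rotation, now);
 if (!due) {
 await this.maybeEmitWarning(cred, cred.rotation, now);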
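Review bot: The new guard at hunk lines 25–26 is a deny-list that skips only status 'unclaimed', so a credential whose status is 'revoked' (the status this release tells store implementers to set from revokeByIdentity) or 'pending' still reaches isRotationDue() and the rotator if the repository's listActive() returns it; MemoryCredentialStore may filter on status, but a custom repository is not visibly required to. Unless 'pending' credentials are meant to rotate, an allow-list is tighter: `if (cred.status !== 'active')` `continue;` with the comment reworded to say that only active credentials are rotated. The same single-status guard shape appears in router.js resolve() and resolveAsync(). The enclosing method starts before this hunk and continues after it.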
|
package/dist/esm/rotation.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"rotation.js","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":"AA+BA,
|
|
1
|
+
{"version":3,"file":"rotation.js","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":"AA+BA,kFAAkF;AAElF,MAAM,OAAO,2BAA2B;IAItC,YACmB,UAA8B,EAC9B,WAAyB;QADzB,eAAU,GAAV,UAAU,CAAoB;QAC9B,gBAAW,GAAX,WAAW,CAAc;QAL3B,cAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;QACzD,mBAAc,GAA0C,IAAI,CAAC;IAKlE,CAAC;IAEJ,gBAAgB,CAAC,QAA0B;QACzC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,2CAA2C;YAC3C,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAE7B,oEAAoE;YACpE,8DAA8D;YAC9D,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW;gBAAE,SAAS;YAE1C,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBACtD,SAAS;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW;gBACxC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC/C,CAAC,CAAC,IAAI,CAAC;YAET,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,CAAC,IAAI,CAAC,kDAAkD,IAAI,CAAC,EAAE,kBAAkB,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,OAAO,GAAG,CAAC,CAAC;gBACjI,SAAS;YACX,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC1D,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;gBAE/E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,YAAY,IAAI,CAAC,EAAE,EAAE;wBAC9B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,oBAAoB;wBAC5B,UAAU,EAAE,IAAI,CAAC,EAAE;wBACnB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,IAAI,CAAC,EAAE;wBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;wBACzB,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;gBAC1E,IAAI,IAAI,CA
AC,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,YAAY,IAAI,CAAC,EAAE,EAAE;wBAC9B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,4BAA4B;wBACpC,UAAU,EAAE,IAAI,CAAC,EAAE;wBACnB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,IAAI,CAAC,EAAE;wBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;wBACzB,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,GAAG,OAAS;QAC1B,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;YAAE,OAAO;QACzC,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE;YACrC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;IACjB,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;YACjC,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,IAAgB,EAAE,MAAsB,EAAE,GAAS;QACvE,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,QAAU,CAAC;YACvE,IAAI,SAAS,IAAI,MAAM,CAAC,eAAe;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAgB,EAAE,MAAsB,EAAE,GAAS;QAChF,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAC9B,IAAI,MAAM,CAAC,gBAAgB,KAAK,SAAS,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACtG,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,QAAU,CAAC;YACnG,IAAI,YAAY,GAAG,CAAC,IAAI,YAAY,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBAChE,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;oBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,OAAO,EAAE,oBAAoB,IAAI,CAAC,EAAE,EAAE;oBACtC,MAAM,EAAE,QAAQ;oBAChB,MAAM,EAAE,yBAAyB;oBACjC,UAAU,EAAE,IAAI,CAAC,EAAE;oBACnB,YAAY,EAAE,QAAQ;oBACtB,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,QAAQ;oBACf,YAAY,EAAE,IAAI,CAAC,EAAE;oBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;oBACzB,WAAW,EAAE,QAAQ;iBACtB,CAAC,CAAC
;YACL,CAAC;QACH,CAAC;IACH,CAAC;CACF"}
|
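--- a/package/dist/esm/router.js
+++ b/package/dist/esm/router.js
@@ -9,6 +9,8 @@
 * - resolveAsync(): full async resolution path for cloud stores
 * - resolvePairAsync(): async migration pair resolution (async counterpart
 * of resolvePair(), enabling budget + attestation on migration workflows)
+* - Unclaimed guard: credentials with status='unclaimed' are never routed
+* until the auth.md claim ceremony completes and status flips to 'active'
 */
 import { buildAttestation } from './attestation';
 function isSyncCapable(store) {
@@ -44,6 +46,20 @@ export class MemoryCredentialStore {
 if (existing?.migrationId === migrationId)
 this.reservations.delete(ref);
 }
+/**
+* revokeByIdentity — MemoryCredentialStore no-op implementation.
+*
+* MemoryCredentialStore does not track the issuer/subject triple that
+* corresponds to each credential (it only stores the credential object
+* itself). It therefore cannot determine which credentials belong to
+* a given identity triple and always returns 0.
+*
+* Implementers of custom stores should override this to mark matching
+* credentials as status='revoked' based on their own metadata schema.
+*/
+async revokeByIdentity(_issuer, _subject, _audience) {
+return 0;
+}
 }
 export class CredentialRouter {
 constructor(config) {
@@ -69,6 +85,9 @@ export class CredentialRouter {
 return null;
 if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
 return null;
+// Unclaimed credentials (auth.md pre-claim) must not be resolved
+if (cred.status === 'unclaimed')
+return null;
 if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
 return null;
 const resolved = {
@@ -108,6 +127,9 @@ export class CredentialRouter {
 return null;
 if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
 return null;
+// Unclaimed credentials (auth.md pre-claim) must not be resolved
+if (cred.status === 'unclaimed')
+return null;
 if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
 return null;
 // Budget check
@@ -147,7 +169,7 @@ export class CredentialRouter {
 return null;
 return { source, target, migrationId: ctx.migrationId };
 }
-// ─── Pair resolve for migration (async)
+// ─── Pair resolve for migration (async) ────────────────────────────────
 /**
 * Async counterpart of resolvePair(). Resolves source and target credentials
 * in parallel using resolveAsync(), so both resolutions benefit from:
@@ -193,7 +215,7 @@ export class CredentialRouter {
 }
 return { source, target, migrationId: ctx.migrationId, expiresAt };
 }
-// ─── Canary selection
+// ─── Canary selection ───────────────────────────────────────────────────
 selectRef(rule) {
 if (rule.canaryRef && rule.canaryWeight && rule.canaryWeight > 0) {
 const roll = Math.random() * 100;
@@ -202,7 +224,7 @@ export class CredentialRouter {
 }
 return rule.credentialRef;
 }
-// ─── Rule matching
+// ─── Rule matching ─────────────────────────────────────────────────────
 ruleMatches(rule, ctx) {
 if (rule.matchResourceKind && rule.matchResourceKind !== ctx.resourceKind)
 return false;
@@ -227,7 +249,7 @@ export class CredentialRouter {
 }
 return true;
 }
-// ─── Audit entry builder
+// ─── Audit entry builder ───────────────────────────────────────────────
 buildAuditEntry(ctx, resolved, rule, isCanary) {
 return {
 timestamp: new Date().toISOString(),
@@ -246,7 +268,7 @@ export class CredentialRouter {
 };
 }
 }
-// ─── Factory functions
+// ─── Factory functions ───────────────────────────────────────────────────────────
 export function createRouter(credentials, rules, logger) {
 return new CredentialRouter({ store: new MemoryCredentialStore(credentials), rules, logger });
 }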
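Review bot: The three per-credential checks in the resolve() hunk (expiry, the new 'unclaimed' guard, readOnly scope) are repeated verbatim in resolveAsync() at hunk lines 128–134, so the next status added to CredentialStatusSchema has to be wired in two places and the two copies can silently diverge. A private `isRoutable(cred, rule)` helper called from both paths keeps the routing policy in one place; the rewrite below shows the helper and the single call that replaces the three checks in each method, while the `if (!cred)` lookup guard before them stays as it is. Both enclosing methods start and end outside their hunks. Separately, MemoryCredentialStore.revokeByIdentity() returning 0 is indistinguishable to a caller from "no credential matched", so an operator on the in-memory store gets a successful revocation response with nothing revoked and no runtime signal that revocation is unsupported; the JSDoc says so, but a one-time console.warn on first call would surface it where it matters.
```javascript
// … unchanged: rule selection and store lookup in resolve() / resolveAsync() …
if (!this.isRoutable(cred, rule))
    return null;
// … unchanged: budget check (resolveAsync only), resolved object, attestation, audit …
// ─── Credential validity gate ──────────────────────────────────────────
/**
 * Shared policy for resolve() and resolveAsync(): returns false when the
 * credential must not be handed out for this rule.
 */
isRoutable(cred, rule) {
    if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
        return false;
    // Unclaimed credentials (auth.md pre-claim) must not be resolved
    if (cred.status === 'unclaimed')
        return false;
    if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
        return false;
    return true;
}
```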
|
package/dist/esm/router.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAcH,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAQjD,SAAS,aAAa,CAAC,KAAsB;IAC3C,OAAO,OAAQ,KAA0B,CAAC,aAAa,KAAK,UAAU,CAAC;AACzE,CAAC;AAcD,MAAM,OAAO,qBAAqB;IAIhC,YAAY,WAAyB;QAFpB,iBAAY,GAAG,IAAI,GAAG,EAAsD,CAAC;QAG5F,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC;IAC3B,CAAC;IAED,aAAa,CAAC,GAAW;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,IAAI,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAwB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,QAAQ,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,IAAI,QAAQ,CAAC,SAAS,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAC/F,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,GAAG,UAAU,GAAG,IAAI,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,QAAQ,EAAE,WAAW,KAAK,WAAW;YAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3E,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,gBAAgB,CACpB,OAAe,EACf,QAAgB,EAChB,SAAiB;QAEjB,OAAO,CAAC,CAAC;IACX,CAAC;CACF;AAED,MAAM,OAAO,gBAAgB;IAC3B,YAA6B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;IAAG,CAAC;IAErD,6EAA6E;IAE7E,OAAO,CAAC,GAAwB;QAC9B,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACrC,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CA
AC,CAAC;QAE3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,IAAI,CAAC,6FAA6F,CAAC,CAAC;YAC5G,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC;QAExC,MAAM,IAAI,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QACzE,iEAAiE;QACjE,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAC7C,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7E,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,IAAI,CAAC,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACpE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;YACR,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;YAClE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,6EAA6E;IAE7E,KAAK,CAAC,YAAY,CAAC,GAAwB;QACzC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACzF,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,gBAAgB;QAChB,IAAI,IAAI,CAAC,QAAQ,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAC9F,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,aAAa;gBAAE,OAAO,IAAI,CAAC;QACrE,CAAC;QAED,MAAM,GAAG,GAAG,IAA
I,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC;QAExC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QACzE,iEAAiE;QACjE,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAC7C,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7E,eAAe;QACf,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;QACnC,CAAC;QAED,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,IAAI,CAAC,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACpE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;YACR,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,cAAc;QACd,IAAI,iBAAiB,EAAE,CAAC;YACtB,QAAQ,CAAC,qBAAqB,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE;gBACrE,MAAM,EAAE,iBAAiB;gBACzB,MAAM,EAAE,IAAI,CAAC,EAAE;aAChB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,4EAA4E;IAE5E,WAAW,CAAC,GAAqB;QAC/B,MAAM,SAAS,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACpG,MAAM,SAAS,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAE9H,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEpC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;IAC1D,CAAC;IAED,0EAA0E;IAE1E;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,gBAAgB,CAAC,GAAqB;QAC1C,MAAM,SAAS,GAAwB;YACrC,GAAG,GAAG;YACN,UAAU,EAAE,GAAG,CAAC,gBAAgB;YAChC
,MAAM,EAAE,MAAM;SACf,CAAC;QACF,MAAM,SAAS,GAAwB;YACrC,GAAG,GAAG;YACN,UAAU,EAAE,GAAG,CAAC,gBAAgB;YAChC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM;SACzC,CAAC;QAEF,6EAA6E;QAC7E,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACzC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC;SAC7B,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEpC,2DAA2D;QAC3D,IAAI,SAA6B,CAAC;QAClC,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACzC,SAAS,GAAG,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;QACxF,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC;QACnD,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC;IACrE,CAAC;IAED,2EAA2E;IAEnE,SAAS,CAAC,IAAiB;QACjC,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;YACjE,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC;YACjC,IAAI,IAAI,GAAG,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QACtD,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED,0EAA0E;IAElE,WAAW,CAAC,IAAiB,EAAE,GAAwB;QAC7D,IAAI,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,iBAAiB,KAAK,GAAG,CAAC,YAAY;YAAE,OAAO,KAAK,CAAC;QACxF,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,KAAK,GAAG,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5E,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,KAAK,GAAG,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACtE,IAAI,IAAI,CAAC,aAAa,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAC;QAC5E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;QAClD,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,GAAuB,CAAC;YACvC,IAAI,CAAC,MAAM,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAChC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACp
F,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;QACnD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0EAA0E;IAElE,eAAe,CACrB,GAAwB,EACxB,QAA4B,EAC5B,IAAiB,EACjB,QAAiB;QAEjB,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,cAAc,EAAE,QAAQ,CAAC,IAAI;YAC7B,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,QAAQ;YACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC;IACJ,CAAC;CACF;AAED,oFAAoF;AAEpF,MAAM,UAAU,YAAY,CAC1B,WAAyB,EACzB,KAAoB,EACpB,MAAoB;IAEpB,OAAO,IAAI,gBAAgB,CAAC,EAAE,KAAK,EAAE,IAAI,qBAAqB,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,KAAsB,EACtB,KAAoB,EACpB,MAAoB;IAEpB,OAAO,IAAI,gBAAgB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAoB;IACzD,OAAO,IAAI,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC"}
|
package/dist/esm/schemas.js
CHANGED
|
@@ -19,7 +19,11 @@ export const SupportedProviderSchema = z.enum([
|
|
|
19
19
|
]);
|
|
20
20
|
export const ResourceKindSchema = z.enum(['shared', 'personal']);
|
|
21
21
|
export const CredentialKindSchema = z.enum(['fixed', 'user-delegated']);
|
|
22
|
-
|
|
22
|
+
/**
|
|
23
|
+
* 'unclaimed' added for auth.md anonymous-flow credentials that are
|
|
24
|
+
* awaiting claim ceremony completion before becoming fully active.
|
|
25
|
+
*/
|
|
26
|
+
export const CredentialStatusSchema = z.enum(['active', 'pending', 'unclaimed', 'revoked']);
|
|
23
27
|
export const MigrationPhaseSchema = z.enum([
|
|
24
28
|
'dry-run',
|
|
25
29
|
'extract',
|
|
@@ -77,6 +81,12 @@ export const CredentialSchema = z.object({
|
|
|
77
81
|
rotation: RotationPolicySchema.optional(),
|
|
78
82
|
budget: BudgetPolicySchema.optional(),
|
|
79
83
|
tags: z.array(z.string()).optional(),
|
|
84
|
+
// auth.md claim-ceremony fields
|
|
85
|
+
preClaimScopes: z.array(z.string()).optional(),
|
|
86
|
+
postClaimScopes: z.array(z.string()).optional(),
|
|
87
|
+
claimedAt: z.string().datetime().optional(),
|
|
88
|
+
// claimToken is intentionally omitted from the schema — it must never
|
|
89
|
+
// be serialised or validated at an API boundary; it is held in memory only.
|
|
80
90
|
});
|
|
81
91
|
// ─── Routing Rule ──────────────────────────────────────────────────────────
|
|
82
92
|
export const RoutingRuleSchema = z.object({
|
|
@@ -121,4 +131,18 @@ export const MigrationContextSchema = AgentRequestContextSchema.extend({
|
|
|
121
131
|
batchIndex: z.number().int().nonnegative().optional(),
|
|
122
132
|
totalBatches: z.number().int().positive().optional(),
|
|
123
133
|
});
|
|
134
|
+
// ─── Trusted Identity Providers (auth.md) ──────────────────────────────────
|
|
135
|
+
export const TrustedIdentityProviderSchema = z.object({
|
|
136
|
+
issuerUrl: z.string().url(),
|
|
137
|
+
label: z.string().min(1),
|
|
138
|
+
jwksUri: z.string().url().optional(),
|
|
139
|
+
cimdUri: z.string().url().optional(),
|
|
140
|
+
requiredAmr: z.array(z.string()).optional(),
|
|
141
|
+
enabled: z.boolean().optional(),
|
|
142
|
+
});
|
|
143
|
+
export const TrustedProviderRegistrySchema = z.object({
|
|
144
|
+
providers: z.array(TrustedIdentityProviderSchema),
|
|
145
|
+
jwksCacheTtlMs: z.number().int().positive().optional(),
|
|
146
|
+
jwksCacheFloorMs: z.number().int().positive().optional(),
|
|
147
|
+
});
|
|
124
148
|
//# sourceMappingURL=schemas.js.map
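Review bot: `issuerUrl`, `jwksUri` and `cimdUri` in `TrustedIdentityProviderSchema` (third hunk) accept any URL scheme, yet `issuerUrl` is what a token's `iss` is matched against and `jwksUri` is presumably dereferenced to fetch verification keys, so an `http://` or otherwise non-TLS entry passes validation silently. Unless plain-http issuers are intended for local development, tighten them to `issuerUrl: z.string().url().startsWith('https://'),` and likewise for the two optional URIs. `enabled: z.boolean().optional()` leaves the meaning of an absent value to the consumer; `enabled: z.boolean().default(true),` makes the opt-out explicit at the schema boundary. `TrustedProviderRegistrySchema` also has no relational check between `jwksCacheFloorMs` and `jwksCacheTtlMs`; a `.refine` rejecting a floor larger than the TTL would surface that misconfiguration at parse time rather than at the first key refresh.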
|
package/dist/esm/schemas.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,iFAAiF;AAEjF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,WAAW;IACX,QAAQ;IACR,SAAS;IACT,OAAO;CACR,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAEjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAExE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,iFAAiF;AAEjF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,WAAW;IACX,QAAQ;IACR,SAAS;IACT,OAAO;CACR,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAEjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAExE;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AAE5F,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC;IACzC,SAAS;IACT,SAAS;IACT,WAAW;IACX,MAAM;IACN,QAAQ;IACR,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAExE,gFAAgF;AAEhF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvD,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvD,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC7D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACxD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEH,iFAAiF;AAEjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7D,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAClD,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC3D,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAEH,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,iBAAiB,EAAE,CAAC,CAAC,MAAM,EA
AE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC;IAClC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACtD,UAAU,EAAE,CAAC;SACV,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,oBAAoB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KAC7C,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,+EAA+E;AAE/E,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,IAAI,EAAE,oBAAoB;IAC1B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,MAAM,EAAE,sBAAsB;IAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC3C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7C,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC/D,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACrC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpC,gCAAgC;IAChC,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC9C,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC/C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC3C,sEAAsE;IACtE,4EAA4E;CAC7E,CAAC,CAAC;AAEH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,cAAc,EAAE,oBAAoB;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC1B,iBAAiB,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IAChD,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClE,aAAa,EAAE,uBAAuB,CAAC,QAAQ,EAAE;IACjD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,
CAAC;SACV,KAAK,CAAC,CAAC,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;SAC5D,QAAQ,EAAE;IACb,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACzD,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AAEH,4EAA4E;AAE5E,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,YAAY,EAAE,kBAAkB;IAChC,QAAQ,EAAE,uBAAuB;IACjC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,yBAAyB,CAAC,MAAM,CAAC;IACrE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,KAAK,EAAE,oBAAoB;IAC3B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;IACnB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACrD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC3B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC3C,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH,MAAM,CAAC,MA
AM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,6BAA6B,CAAC;IACjD,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACtD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACzD,CAAC,CAAC"}
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Zero-Trust Credential Attestation — @datacules/agent-identity core
|
|
3
3
|
*
|
|
4
|
-
*
|
|
5
|
-
* HMAC-SHA256
|
|
6
|
-
*
|
|
4
|
+
* Two signer implementations:
|
|
5
|
+
* - HmacAttestationSigner: symmetric HMAC-SHA256 JWTs (zero deps, fastest)
|
|
6
|
+
* - AsymmetricAttestationSigner: RS256/ES256 JWTs via Web Crypto (for ID-JAG)
|
|
7
7
|
*
|
|
8
|
-
*
|
|
8
|
+
* Both use Web Crypto API (crypto.subtle) exclusively — available in:
|
|
9
9
|
* Node.js 18+ (global), browsers, Cloudflare Workers, Deno, Bun.
|
|
10
10
|
* No dynamic imports — compatible with both ESM and CJS builds.
|
|
11
11
|
*/
|
|
@@ -19,12 +19,40 @@ export declare class HmacAttestationSigner implements AttestationSigner {
|
|
|
19
19
|
issuer?: string;
|
|
20
20
|
ttlSeconds?: number;
|
|
21
21
|
});
|
|
22
|
-
private base64url;
|
|
23
|
-
private bufToBase64url;
|
|
24
22
|
private hmacSign;
|
|
25
23
|
sign(payload: Record<string, unknown>): Promise<string>;
|
|
26
24
|
verify(token: string): Promise<Record<string, unknown> | null>;
|
|
27
25
|
}
|
|
26
|
+
/**
|
|
27
|
+
* Asymmetric JWT signer/verifier using Web Crypto (RS256 or ES256).
|
|
28
|
+
* Uses only crypto.subtle — no external dependencies.
|
|
29
|
+
*
|
|
30
|
+
* For signing (e.g. minting your own attestations):
|
|
31
|
+
* const signer = await AsymmetricAttestationSigner.fromKeyPair(privateKey, publicKey, 'RS256');
|
|
32
|
+
*
|
|
33
|
+
* For verification only (e.g. verifying incoming ID-JAGs from JWKS):
|
|
34
|
+
* const verifier = await AsymmetricAttestationSigner.fromPublicJwk(publicJwk, 'RS256');
|
|
35
|
+
*/
|
|
36
|
+
export declare class AsymmetricAttestationSigner implements AttestationSigner {
|
|
37
|
+
private readonly privateKey;
|
|
38
|
+
private readonly publicKey;
|
|
39
|
+
private readonly algorithm;
|
|
40
|
+
private readonly ttlSeconds;
|
|
41
|
+
private constructor();
|
|
42
|
+
/**
|
|
43
|
+
* Create a signing+verification instance from an already-imported key pair.
|
|
44
|
+
*/
|
|
45
|
+
static fromKeyPair(privateKey: CryptoKey, publicKey: CryptoKey, algorithm: 'RS256' | 'ES256', options?: {
|
|
46
|
+
ttlSeconds?: number;
|
|
47
|
+
}): Promise<AsymmetricAttestationSigner>;
|
|
48
|
+
/**
|
|
49
|
+
* Create a verification-only instance from a JSON Web Key.
|
|
50
|
+
* Calling sign() on this instance will throw.
|
|
51
|
+
*/
|
|
52
|
+
static fromPublicJwk(jwk: JsonWebKey, algorithm: 'RS256' | 'ES256'): Promise<AsymmetricAttestationSigner>;
|
|
53
|
+
sign(payload: Record<string, unknown>): Promise<string>;
|
|
54
|
+
verify(token: string): Promise<Record<string, unknown> | null>;
|
|
55
|
+
}
|
|
28
56
|
export interface AttestationOptions {
|
|
29
57
|
signer: AttestationSigner;
|
|
30
58
|
issuer?: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAyD9G,qBAAa,qBAAsB,YAAW,iBAAiB;IAC7D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;YAM/D,QAAQ;IAahB,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAOvD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAWrE;AAID;;;;;;;;;GASG;AACH,qBAAa,2BAA4B,YAAW,iBAAiB;IAEjE,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAJ7B,OAAO;IASP;;OAEG;WACU,WAAW,CACtB,UAAU,EAAE,SAAS,EACrB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,OAAO,GAAG,OAAO,EAC5B,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,GAChC,OAAO,CAAC,2BAA2B,CAAC;IASvC;;;OAGG;WACU,aAAa,CACxB,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,OAAO,GAAG,OAAO,GAC3B,OAAO,CAAC,2BAA2B,CAAC;IAWjC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAuBvD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAsBrE;AAID,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,mBAAmB,EACxB,QAAQ,EAAE,kBAAkB,EAC5B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,MAAM,CAAC,CAejB;AAID,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAMpC"}
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ID-JAG verification utilities — validates the claims on a decoded ID-JAG
|
|
3
|
+
* payload against a TrustedProviderRegistry.
|
|
4
|
+
*
|
|
5
|
+
* Signature verification is left to the caller (requires a JWT library or
|
|
6
|
+
* Web Crypto with the provider's JWKS). This module validates claims only.
|
|
7
|
+
*
|
|
8
|
+
* @module identity-providers
|
|
9
|
+
*/
|
|
10
|
+
import type { TrustedIdentityProvider, TrustedProviderRegistry } from './types';
|
|
11
|
+
export interface IdJagPayload {
|
|
12
|
+
iss: string;
|
|
13
|
+
sub: string;
|
|
14
|
+
aud: string | string[];
|
|
15
|
+
client_id?: string;
|
|
16
|
+
jti: string;
|
|
17
|
+
iat: number;
|
|
18
|
+
exp: number;
|
|
19
|
+
email?: string;
|
|
20
|
+
email_verified?: boolean;
|
|
21
|
+
phone_number?: string;
|
|
22
|
+
phone_number_verified?: boolean;
|
|
23
|
+
amr?: string[];
|
|
24
|
+
[key: string]: unknown;
|
|
25
|
+
}
|
|
26
|
+
export type IdJagValidationError = 'issuer_not_trusted' | 'provider_disabled' | 'expired' | 'audience_mismatch' | 'missing_verified_identity' | 'amr_not_satisfied' | 'clock_skew';
|
|
27
|
+
export interface IdJagValidationResult {
|
|
28
|
+
valid: boolean;
|
|
29
|
+
provider?: TrustedIdentityProvider;
|
|
30
|
+
error?: IdJagValidationError;
|
|
31
|
+
errorMessage?: string;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Validate ID-JAG claims (NOT signature — that's the caller's responsibility).
|
|
35
|
+
*
|
|
36
|
+
* Steps:
|
|
37
|
+
* 1. Find provider by payload.iss — return issuer_not_trusted if absent.
|
|
38
|
+
* 2. If provider.enabled === false — return provider_disabled.
|
|
39
|
+
* 3. If token is expired (with clock skew tolerance) — return expired.
|
|
40
|
+
* 4. If audience does not include the expected audience — return audience_mismatch.
|
|
41
|
+
* 5. If neither email_verified nor phone_number_verified — return missing_verified_identity.
|
|
42
|
+
* 6. If provider.requiredAmr is set and none of its values appear in payload.amr
|
|
43
|
+
* — return amr_not_satisfied.
|
|
44
|
+
* 7. Return { valid: true, provider }.
|
|
45
|
+
*
|
|
46
|
+
* @param payload Decoded JWT payload (signature NOT verified here)
|
|
47
|
+
* @param audience Expected aud (this service's authorization server URL)
|
|
48
|
+
* @param registry Configured trusted providers
|
|
49
|
+
* @param nowMs Current time in ms (injectable for testing; defaults to Date.now())
|
|
50
|
+
* @param clockSkewMs Accepted clock skew in ms (default: 120_000 = 2 minutes)
|
|
51
|
+
*/
|
|
52
|
+
export declare function validateIdJagClaims(payload: IdJagPayload, audience: string, registry: TrustedProviderRegistry, nowMs?: number, clockSkewMs?: number): IdJagValidationResult;
|
|
53
|
+
//# sourceMappingURL=identity-providers.d.ts.map
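Review bot: The step list on `validateIdJagClaims` never says when `'clock_skew'` is returned, although it is a member of `IdJagValidationError`; step 3 covers only `exp`, so whether an `iat` in the future beyond `clockSkewMs` is rejected is undocumented. Likewise `jti` is declared on `IdJagPayload` but no step consumes it, so the doc should state that replay protection is not performed here, e.g. ` * Replay protection (jti uniqueness) is NOT enforced here; the caller must reject a jti it has already accepted for at least the token lifetime.` together with ` * 3b. If iat is later than nowMs + clockSkewMs — return clock_skew.` if that is what the implementation does. `client_id` is also declared but unused in the steps; if it is compared against an expected client, add the step, otherwise say it is passed through untouched.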
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"identity-providers.d.ts","sourceRoot":"","sources":["../../src/identity-providers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAIhF,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,oBAAoB,GAC5B,oBAAoB,GACpB,mBAAmB,GACnB,SAAS,GACT,mBAAmB,GACnB,2BAA2B,GAC3B,mBAAmB,GACnB,YAAY,CAAC;AAEjB,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,uBAAuB,CAAC;IACnC,KAAK,CAAC,EAAE,oBAAoB,CAAC;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAID;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,YAAY,EACrB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,uBAAuB,EACjC,KAAK,CAAC,EAAE,MAAM,EACd,WAAW,CAAC,EAAE,MAAM,GACnB,qBAAqB,CAyEvB"}
|
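--- a/package/dist/types/index.d.ts
+++ b/package/dist/types/index.d.ts
@@ -23,4 +23,7 @@ export * from './attestation';
 export * from './approval';
 export * from './budget';
 export * from './federation';
+export * from './identity-providers';
+export * from './revocation';
+export * from './revocation-listener';
 //# sourceMappingURL=index.d.ts.map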
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,mBAAmB,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,mBAAmB,SAAS,CAAC;AAI7B,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAG7B,cAAc,sBAAsB,CAAC;AACrC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC"}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* RevocationListener — framework-agnostic inbound revocation handler.
|
|
3
|
+
*
|
|
4
|
+
* The listener does NOT handle JWKS fetching or JWT signature verification —
|
|
5
|
+
* those depend on external libraries. Pass a LogoutJwtVerifier that handles
|
|
6
|
+
* verification for your environment, then wire handleRequest() into your router.
|
|
7
|
+
*
|
|
8
|
+
* Express example:
|
|
9
|
+
* app.post('/agent/auth/revoke', async (req, res) => {
|
|
10
|
+
* const result = await listener.handleRequest(req.body, req.headers);
|
|
11
|
+
* res.status(result.httpStatus).json(result.body);
|
|
12
|
+
* });
|
|
13
|
+
*
|
|
14
|
+
* Fastify example:
|
|
15
|
+
* fastify.post('/agent/auth/revoke', async (req, reply) => {
|
|
16
|
+
* const result = await listener.handleRequest(req.body as string, req.headers);
|
|
17
|
+
* reply.code(result.httpStatus).send(result.body);
|
|
18
|
+
* });
|
|
19
|
+
*
|
|
20
|
+
* @module revocation-listener
|
|
21
|
+
*/
|
|
22
|
+
import { RevocationHandler } from './revocation';
|
|
23
|
+
import type { LogoutTokenPayload } from './revocation';
|
|
24
|
+
export interface LogoutJwtVerifier {
|
|
25
|
+
/**
|
|
26
|
+
* Verify a logout+jwt string and return the decoded payload.
|
|
27
|
+
* Return null if the signature is invalid, issuer is untrusted, or token is
|
|
28
|
+
* malformed. Never throw — return null on any error.
|
|
29
|
+
*/
|
|
30
|
+
verify(token: string): Promise<LogoutTokenPayload | null>;
|
|
31
|
+
}
|
|
32
|
+
export interface RevocationListenerOptions {
|
|
33
|
+
handler: RevocationHandler;
|
|
34
|
+
verifier: LogoutJwtVerifier;
|
|
35
|
+
}
|
|
36
|
+
export interface RevocationListenerResult {
|
|
37
|
+
httpStatus: 200 | 400;
|
|
38
|
+
body: {
|
|
39
|
+
status: 'ok';
|
|
40
|
+
credentialsRevoked: number;
|
|
41
|
+
} | {
|
|
42
|
+
error: string;
|
|
43
|
+
};
|
|
44
|
+
}
|
|
45
|
+
export declare class RevocationListener {
|
|
46
|
+
private readonly opts;
|
|
47
|
+
constructor(opts: RevocationListenerOptions);
|
|
48
|
+
/**
|
|
49
|
+
* Handle a raw revocation request body and headers.
|
|
50
|
+
*
|
|
51
|
+
* Processing steps:
|
|
52
|
+
* 1. Validate Content-Type contains 'application/logout+jwt'.
|
|
53
|
+
* 2. Call verifier.verify(rawBody) — if null, reject with 400.
|
|
54
|
+
* 3. Call handler.process(payload) — if replay, return 200 with 0 revoked.
|
|
55
|
+
* 4. Return 200 with credentialsRevoked count.
|
|
56
|
+
*
|
|
57
|
+
* @param rawBody The request body string (the logout+jwt token itself,
|
|
58
|
+
* per Content-Type: application/logout+jwt)
|
|
59
|
+
* @param headers Request headers (for Content-Type validation)
|
|
60
|
+
*/
|
|
61
|
+
handleRequest(rawBody: string, headers: Record<string, string | string[] | undefined>): Promise<RevocationListenerResult>;
|
|
62
|
+
}
|
|
63
|
+
//# sourceMappingURL=revocation-listener.d.ts.map
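Review bot: The Express example in the header comment passes `req.body` to `handleRequest(rawBody: string, …)`, but Express does not parse `application/logout+jwt` bodies by default, so `req.body` would be `undefined` unless a text parser for that media type is mounted; the example should show that, e.g. add ` *   // requires: app.use('/agent/auth/revoke', express.text({ type: 'application/logout+jwt' }))` before the route. The `handleRequest` doc lists only 200/400 outcomes and `httpStatus: 200 | 400` confirms it, so a rejection thrown by `handler.process()` presumably propagates to the caller; a ` * @throws whatever handler.process() rejects with — map it to a 500 in your framework` line would stop integrators from assuming every failure becomes a 400. Step 1 says the Content-Type "contains" the media type, and `headers` values may be `string[]`, so the doc should also say how an array-valued header is treated.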
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"revocation-listener.d.ts","sourceRoot":"","sources":["../../src/revocation-listener.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAIvD,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;CAC3D;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,iBAAiB,CAAC;IAC3B,QAAQ,EAAE,iBAAiB,CAAC;CAC7B;AAED,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,GAAG,GAAG,GAAG,CAAC;IACtB,IAAI,EAAE;QAAE,MAAM,EAAE,IAAI,CAAC;QAAC,kBAAkB,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CACxE;AAID,qBAAa,kBAAkB;IACjB,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,yBAAyB;IAE5D;;;;;;;;;;;;OAYG;IACG,aAAa,CACjB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,OAAO,CAAC,wBAAwB,CAAC;CAqCrC"}
|