@holoscript/core 8.0.14 → 8.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (187) hide show
  1. package/README.md +6 -13
  2. package/bin/holo-decision.mjs +0 -0
  3. package/bin/holoscript.cjs +0 -0
  4. package/dist/{GLTFPipeline-6LS3UDYX.js → GLTFPipeline-FRBZIATS.js} +6 -6
  5. package/dist/{GLTFPipeline-VTI6PRRQ.cjs → GLTFPipeline-MTPP444P.cjs} +10 -10
  6. package/dist/{HoloCompositionParser-GILABNN3.js → HoloCompositionParser-2GVQAZ2X.js} +7 -7
  7. package/dist/HoloCompositionParser-3NDF6BMX.cjs +45 -0
  8. package/dist/HoloScriptPlusParser-URSIBEAW.cjs +30 -0
  9. package/dist/HoloScriptPlusParser-YCV6L7GI.js +13 -0
  10. package/dist/{HoloScriptRuntime-YBYXJHJN.cjs → HoloScriptRuntime-CRWI6C3P.cjs} +5 -5
  11. package/dist/{HoloScriptRuntime-UTRLJI5L.js → HoloScriptRuntime-IAZGHPFP.js} +4 -4
  12. package/dist/{SceneIRCompiler-VX75RB6H.js → SceneIRCompiler-BJQMKLWL.js} +6 -6
  13. package/dist/{SceneIRCompiler-7KQ5NKAU.cjs → SceneIRCompiler-RTPPDQAV.cjs} +11 -11
  14. package/dist/{chunk-Y2OCKXVD.js → chunk-22AULOAL.js} +5 -5
  15. package/dist/{chunk-D44CEFY4.cjs → chunk-2DJIS7TH.cjs} +5 -5
  16. package/dist/{chunk-LHUDAJQT.cjs → chunk-2PVEXEOL.cjs} +5 -5
  17. package/dist/{chunk-M7XR3F53.js → chunk-2UP2J3OK.js} +4 -4
  18. package/dist/{chunk-3KHRZTNW.js → chunk-3AUYBQ5I.js} +3 -3
  19. package/dist/{chunk-UKEK2NZJ.js → chunk-3MQAOMKD.js} +3 -3
  20. package/dist/{chunk-FWKEY4LD.js → chunk-4AGNARX6.js} +3 -3
  21. package/dist/{chunk-7ITJP33Q.cjs → chunk-4CQ7ULXZ.cjs} +3 -3
  22. package/dist/{chunk-47XZ62KM.js → chunk-4UA5OBWR.js} +5 -5
  23. package/dist/{chunk-ORBVCOTC.js → chunk-5LCJDX5A.js} +3 -3
  24. package/dist/{chunk-IK6Z2HNC.js → chunk-6OQHLNTT.js} +2 -2
  25. package/dist/{chunk-EI3J6LTW.cjs → chunk-6RDHWSZM.cjs} +217 -217
  26. package/dist/{chunk-73EDVY5D.js → chunk-7AY66PZP.js} +3 -3
  27. package/dist/{chunk-6FCNMTL5.js → chunk-7HDRN5BW.js} +4 -4
  28. package/dist/{chunk-N7MIIDLI.cjs → chunk-7IBXTJP7.cjs} +8 -8
  29. package/dist/{chunk-R5VKLUMR.js → chunk-AAUQTR7I.js} +4 -4
  30. package/dist/{chunk-HCONR4J6.cjs → chunk-AN3ZH7M7.cjs} +38 -38
  31. package/dist/{chunk-YW3I2FQL.js → chunk-ANMME7XT.js} +4 -2
  32. package/dist/{chunk-W4AJMMQR.js → chunk-AUF7HFOO.js} +60 -22
  33. package/dist/{chunk-SKVBUGMC.cjs → chunk-AUMTQV64.cjs} +7 -7
  34. package/dist/{chunk-7ZKQ32XK.js → chunk-B5K3WHJ4.js} +4 -4
  35. package/dist/{chunk-QQFB4RT2.cjs → chunk-BTVHY3UB.cjs} +2 -2
  36. package/dist/{chunk-SE2Y5BSL.cjs → chunk-CMEINO5I.cjs} +186 -70
  37. package/dist/{chunk-YMI3ED3B.cjs → chunk-CRUIGXF7.cjs} +5 -5
  38. package/dist/chunk-DDBYJJZK.js +1571 -0
  39. package/dist/{chunk-2E6PP5UE.cjs → chunk-E2SNPMBO.cjs} +11 -11
  40. package/dist/{chunk-GI5YYZH6.js → chunk-E4YS5SIZ.js} +90 -25
  41. package/dist/{chunk-62OYZT6Q.js → chunk-EKNWUSGW.js} +3 -3
  42. package/dist/{chunk-RVN7OPCP.js → chunk-ETIJOUIO.js} +4 -4
  43. package/dist/chunk-EUNELE7Y.cjs +1605 -0
  44. package/dist/{chunk-C73GVAYC.js → chunk-F33KLYOS.js} +5 -5
  45. package/dist/{chunk-4CRMVEON.cjs → chunk-F47FEV4X.cjs} +40 -40
  46. package/dist/{chunk-FGXJPJ3W.cjs → chunk-FCGTI7FO.cjs} +4 -4
  47. package/dist/{chunk-OSKGCXAQ.cjs → chunk-FGTXAVKG.cjs} +5 -5
  48. package/dist/{chunk-XZC75AJ4.cjs → chunk-FPGYWNNA.cjs} +5 -5
  49. package/dist/{chunk-5B2AJKA5.cjs → chunk-FQ4MYZYU.cjs} +20 -20
  50. package/dist/{chunk-KOGPVAP6.js → chunk-FT4FGTR6.js} +3 -3
  51. package/dist/{chunk-N7IYRAFG.cjs → chunk-FVNV4WHQ.cjs} +14 -14
  52. package/dist/{chunk-SJIRCTIS.cjs → chunk-HSGJFCVJ.cjs} +2 -2
  53. package/dist/{chunk-TKDDIE3T.cjs → chunk-ILO2KMER.cjs} +4 -4
  54. package/dist/{chunk-GGH3ZYDB.cjs → chunk-IPBSNGAN.cjs} +92 -27
  55. package/dist/{chunk-JQCXLKAU.js → chunk-IX2U3RQT.js} +3 -3
  56. package/dist/{chunk-P65OIMJT.cjs → chunk-IYK6LMQ7.cjs} +7 -7
  57. package/dist/{chunk-NWKARJM2.js → chunk-J3VVM6GV.js} +4 -4
  58. package/dist/{chunk-FOM36K5I.cjs → chunk-J74S4ZMF.cjs} +18 -18
  59. package/dist/{chunk-36NPLOI4.cjs → chunk-JERWCCEJ.cjs} +4 -2
  60. package/dist/{chunk-VXHB6ZHY.js → chunk-JTDDLCSP.js} +4 -4
  61. package/dist/{chunk-GYJLP4BO.cjs → chunk-K53L47NH.cjs} +30 -30
  62. package/dist/{chunk-FHR2AVMA.cjs → chunk-LJTM5ONX.cjs} +23 -23
  63. package/dist/{chunk-JCVSCKUH.js → chunk-LJVVOVA6.js} +4 -4
  64. package/dist/{chunk-LQNL3IYV.cjs → chunk-LNJKBQ2B.cjs} +38 -38
  65. package/dist/{chunk-2GKF7JQ6.js → chunk-M2GDE3NV.js} +3 -3
  66. package/dist/{chunk-Z7NUL73U.js → chunk-MSZNGI5P.js} +3 -3
  67. package/dist/{chunk-B6JHTTMR.cjs → chunk-N2BOTBPG.cjs} +15 -15
  68. package/dist/{chunk-L4DBUX3N.cjs → chunk-NFALJJCH.cjs} +12 -12
  69. package/dist/{chunk-YBM34FUJ.cjs → chunk-NRZRBK25.cjs} +6 -6
  70. package/dist/{chunk-SNMQUWIO.cjs → chunk-NTSLNIY7.cjs} +10 -10
  71. package/dist/{chunk-645EWDZW.cjs → chunk-NZJOAWJM.cjs} +4 -4
  72. package/dist/{chunk-LGRKBTPM.js → chunk-OG7RKWWX.js} +3 -3
  73. package/dist/{chunk-OOP4S3GU.cjs → chunk-OQVHCYY4.cjs} +5 -5
  74. package/dist/{chunk-TMNAKNV2.cjs → chunk-PEBNX3VM.cjs} +5 -5
  75. package/dist/{chunk-5T6BWIB7.js → chunk-PFZ5WLIP.js} +4 -4
  76. package/dist/{chunk-CESMPUEZ.cjs → chunk-PHLNABJD.cjs} +159 -145
  77. package/dist/{chunk-CHIZSMWD.js → chunk-PLK3DLTF.js} +3 -3
  78. package/dist/{chunk-4NEPHK2K.js → chunk-PMACVMHL.js} +3 -3
  79. package/dist/{chunk-EYHPTJ3F.js → chunk-PV2OXNP5.js} +40 -26
  80. package/dist/{chunk-KLM6QD6D.cjs → chunk-Q6VW7MGX.cjs} +14 -14
  81. package/dist/{chunk-YDSNDCV3.js → chunk-QC3CAVFN.js} +186 -69
  82. package/dist/{chunk-REN3LHO6.cjs → chunk-QKLEDRHN.cjs} +19 -19
  83. package/dist/{chunk-2EGGAZT3.js → chunk-QS27OYBU.js} +3 -3
  84. package/dist/{chunk-4376VHNJ.js → chunk-RUB7WL6C.js} +3 -3
  85. package/dist/chunk-S2BSXG3B.js +3308 -0
  86. package/dist/{chunk-TZQKJOPC.js → chunk-TW2AH2ZS.js} +3 -3
  87. package/dist/{chunk-Q4J2K7FI.js → chunk-TZM6DKSJ.js} +6 -6
  88. package/dist/{chunk-ESSEF6U2.js → chunk-U227RWXB.js} +3 -3
  89. package/dist/{chunk-ERYKKPHW.cjs → chunk-U6CQOM5Q.cjs} +13 -13
  90. package/dist/{chunk-VMCR5QVI.js → chunk-ULT2QAV5.js} +4 -4
  91. package/dist/chunk-VQOTDNFL.cjs +3337 -0
  92. package/dist/{chunk-VZI7S7P6.cjs → chunk-VSO6HPDZ.cjs} +7 -7
  93. package/dist/{chunk-QLPRI3QW.js → chunk-WQJMSSJT.js} +4 -4
  94. package/dist/{chunk-GILYQ5VH.cjs → chunk-WXSDBWGM.cjs} +4 -4
  95. package/dist/{chunk-42Z3SVHQ.js → chunk-X5PMMK7H.js} +3 -3
  96. package/dist/{chunk-ML4V5PVU.cjs → chunk-X5ZLSPU2.cjs} +74 -32
  97. package/dist/{chunk-PSWCJQS4.js → chunk-X727CQ7X.js} +5 -5
  98. package/dist/{chunk-YM7UUYR5.cjs → chunk-XHZYS4QO.cjs} +5 -5
  99. package/dist/{chunk-PZ46WRHX.cjs → chunk-XRQCTTDC.cjs} +8 -8
  100. package/dist/{chunk-IXFNA5TT.js → chunk-YBIHSN55.js} +4 -4
  101. package/dist/{chunk-BLCWQ225.js → chunk-Z574GVI3.js} +4 -4
  102. package/dist/{chunk-ZVQMKUGJ.js → chunk-Z5V3KA7L.js} +2 -2
  103. package/dist/{chunk-VTFLKSJL.cjs → chunk-ZHW6TDZ6.cjs} +14 -14
  104. package/dist/{chunk-KYJD2UMV.js → chunk-ZPHCTPR6.js} +4 -4
  105. package/dist/{chunk-VA7THINF.cjs → chunk-ZXXC2GXB.cjs} +38 -38
  106. package/dist/cli/holoscript-runner.cjs +168 -19
  107. package/dist/cli/holoscript-runner.js +162 -13
  108. package/dist/compiler/agent-inference.cjs +7 -7
  109. package/dist/compiler/agent-inference.js +3 -3
  110. package/dist/compiler/android-xr.cjs +6 -6
  111. package/dist/compiler/android-xr.js +4 -4
  112. package/dist/compiler/android.cjs +5 -5
  113. package/dist/compiler/android.js +3 -3
  114. package/dist/compiler/context.cjs +5 -5
  115. package/dist/compiler/context.js +2 -2
  116. package/dist/compiler/daimon-seed.cjs +8 -8
  117. package/dist/compiler/daimon-seed.js +3 -3
  118. package/dist/compiler/domain-block-utils.cjs +164 -164
  119. package/dist/compiler/domain-block-utils.js +3 -3
  120. package/dist/compiler/dtdl.cjs +6 -6
  121. package/dist/compiler/dtdl.js +3 -3
  122. package/dist/compiler/gltf-pipeline.cjs +8 -8
  123. package/dist/compiler/gltf-pipeline.js +1 -1
  124. package/dist/compiler/godot.cjs +5 -5
  125. package/dist/compiler/godot.js +4 -4
  126. package/dist/compiler/incremental.cjs +7 -7
  127. package/dist/compiler/incremental.js +2 -2
  128. package/dist/compiler/index.cjs +1603 -204
  129. package/dist/compiler/index.d.ts +8 -0
  130. package/dist/compiler/index.js +1431 -55
  131. package/dist/compiler/ios.cjs +5 -5
  132. package/dist/compiler/ios.js +3 -3
  133. package/dist/compiler/llm-provider-capabilities.cjs +5 -5
  134. package/dist/compiler/llm-provider-capabilities.js +2 -2
  135. package/dist/compiler/openxr.cjs +5 -5
  136. package/dist/compiler/openxr.js +4 -4
  137. package/dist/compiler/sdf.cjs +6 -6
  138. package/dist/compiler/sdf.js +4 -4
  139. package/dist/compiler/state.cjs +5 -5
  140. package/dist/compiler/state.js +3 -3
  141. package/dist/compiler/trait-composition.cjs +6 -6
  142. package/dist/compiler/trait-composition.js +2 -2
  143. package/dist/compiler/unity.cjs +5 -5
  144. package/dist/compiler/unity.js +4 -4
  145. package/dist/compiler/unreal.cjs +6 -6
  146. package/dist/compiler/unreal.js +4 -4
  147. package/dist/compiler/urdf.cjs +13 -13
  148. package/dist/compiler/urdf.js +4 -4
  149. package/dist/compiler/usd-physics.cjs +6 -6
  150. package/dist/compiler/usd-physics.js +3 -3
  151. package/dist/compiler/visionos.cjs +5 -5
  152. package/dist/compiler/visionos.js +4 -4
  153. package/dist/compiler/vrchat.cjs +6 -6
  154. package/dist/compiler/vrchat.js +4 -4
  155. package/dist/compiler/wasm.cjs +9 -9
  156. package/dist/compiler/wasm.js +4 -4
  157. package/dist/compiler/webgpu.cjs +5 -5
  158. package/dist/compiler/webgpu.js +4 -4
  159. package/dist/constants.cjs +99 -99
  160. package/dist/constants.js +3 -3
  161. package/dist/debugger.cjs +5 -5
  162. package/dist/debugger.js +3 -3
  163. package/dist/{dist-GRMOP2UL.cjs → dist-YGATNURH.cjs} +705 -9
  164. package/dist/{dist-ZBUKU2JG.js → dist-ZEZXRCBG.js} +701 -10
  165. package/dist/entries/scripting.cjs +8 -8
  166. package/dist/entries/scripting.js +4 -4
  167. package/dist/evolution/index.cjs +20 -20
  168. package/dist/evolution/index.js +8 -8
  169. package/dist/index.cjs +871 -809
  170. package/dist/index.d.ts +8 -0
  171. package/dist/index.js +132 -70
  172. package/dist/parser/HoloCompositionTypes.d.ts +1 -1
  173. package/dist/parser.cjs +21 -21
  174. package/dist/parser.js +7 -7
  175. package/dist/reconstruction/index.cjs +63 -63
  176. package/dist/reconstruction/index.js +7 -7
  177. package/dist/runtime.cjs +9 -9
  178. package/dist/runtime.js +3 -3
  179. package/dist/traits/botanical-lotus.d.ts +61 -0
  180. package/dist/traits/index.cjs +664 -671
  181. package/dist/traits/index.d.ts +65 -0
  182. package/dist/traits/index.js +14 -21
  183. package/dist/types/HoloScriptPlus.d.ts +1 -1
  184. package/package.json +65 -63
  185. package/dist/HoloCompositionParser-ZVRYVEA5.cjs +0 -45
  186. package/dist/HoloScriptPlusParser-WTPRPRPR.cjs +0 -30
  187. package/dist/HoloScriptPlusParser-ZP53ECSL.js +0 -13
@@ -7,7 +7,6 @@ var chunkZHPMP447_cjs = require('./chunk-ZHPMP447.cjs');
7
7
  var crypto3 = require('crypto');
8
8
  var util = require('util');
9
9
  var zod = require('zod');
10
- var jwt = require('jsonwebtoken');
11
10
  var path = require('path');
12
11
 
13
12
  function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
@@ -31,7 +30,6 @@ function _interopNamespace(e) {
31
30
  }
32
31
 
33
32
  var crypto3__namespace = /*#__PURE__*/_interopNamespace(crypto3);
34
- var jwt__default = /*#__PURE__*/_interopDefault(jwt);
35
33
  var path__default = /*#__PURE__*/_interopDefault(path);
36
34
 
37
35
  function calculateJwkThumbprint(publicKeyPem) {
@@ -1262,16 +1260,42 @@ var init_CapabilityTokenIssuer = chunkZHPMP447_cjs.__esm({
1262
1260
  globalCapabilityIssuer = null;
1263
1261
  }
1264
1262
  });
1263
+ function sha256Hex(value) {
1264
+ return crypto3__namespace.createHash("sha256").update(value, "utf8").digest("hex");
1265
+ }
1266
+ function decodeJsonSegment(segment) {
1267
+ try {
1268
+ const parsed = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
1269
+ if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
1270
+ return parsed;
1271
+ }
1272
+ return void 0;
1273
+ } catch {
1274
+ return void 0;
1275
+ }
1276
+ }
1277
+ function asRecord(value) {
1278
+ if (value !== null && typeof value === "object" && !Array.isArray(value)) {
1279
+ return value;
1280
+ }
1281
+ return void 0;
1282
+ }
1283
+ function asString(value) {
1284
+ return typeof value === "string" && value.length > 0 ? value : void 0;
1285
+ }
1286
+ function isIntentTokenPayload(value) {
1287
+ const record = asRecord(value);
1288
+ if (!record) return false;
1289
+ const intent = asRecord(record.intent);
1290
+ return typeof record.iss === "string" && typeof record.sub === "string" && typeof record.aud === "string" && typeof record.exp === "number" && typeof record.agent_role === "string" && asRecord(record.agent_checksum) !== void 0 && Array.isArray(record.permissions) && intent !== void 0 && typeof intent.workflow_id === "string" && typeof intent.workflow_step === "string";
1291
+ }
1265
1292
  function getTokenIssuer(config) {
1266
1293
  if (!globalIssuer) {
1267
- globalIssuer = new AgentTokenIssuer({
1268
- ...config,
1269
- jwtSecret: process.env.AGENT_JWT_SECRET
1270
- });
1294
+ globalIssuer = new AgentTokenIssuer(config);
1271
1295
  }
1272
1296
  return globalIssuer;
1273
1297
  }
1274
- var DEFAULT_ISSUER, DEFAULT_JWT_SECRET, DEFAULT_TOKEN_EXPIRATION, AgentTokenIssuer, globalIssuer;
1298
+ var DEFAULT_ISSUER, DEFAULT_TOKEN_EXPIRATION, LEGACY_AUDIENCE, intentPresentationCache, AgentTokenIssuer, globalIssuer;
1275
1299
  var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1276
1300
  "src/compiler/identity/AgentTokenIssuer.ts"() {
1277
1301
  init_AgentIdentity();
@@ -1279,31 +1303,25 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1279
1303
  init_CapabilityToken();
1280
1304
  init_CapabilityTokenIssuer();
1281
1305
  DEFAULT_ISSUER = "holoscript-orchestrator";
1282
- DEFAULT_JWT_SECRET = process.env.AGENT_JWT_SECRET || "dev-secret-change-in-production";
1283
1306
  DEFAULT_TOKEN_EXPIRATION = "24h";
1307
+ LEGACY_AUDIENCE = "holoscript-compiler";
1308
+ intentPresentationCache = /* @__PURE__ */ new Map();
1284
1309
  AgentTokenIssuer = class {
1285
1310
  constructor(config = {}) {
1286
1311
  /** Active workflow state (for validation) */
1287
1312
  this.workflowState = /* @__PURE__ */ new Map();
1288
1313
  this.issuer = config.issuer || DEFAULT_ISSUER;
1289
- this.jwtSecret = config.jwtSecret || DEFAULT_JWT_SECRET;
1290
1314
  this.tokenExpiration = config.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
1291
1315
  this.strictWorkflowValidation = config.strictWorkflowValidation ?? true;
1292
- if (this.jwtSecret === DEFAULT_JWT_SECRET && process.env.NODE_ENV === "production") {
1293
- console.error(
1294
- "[TOKEN_ISSUER] Using default JWT secret in production! Set AGENT_JWT_SECRET environment variable."
1295
- );
1296
- }
1297
1316
  }
1298
1317
  /**
1299
- * Issue intent token for agent
1318
+ * Issue an intent token for an agent.
1300
1319
  *
1301
- * Creates a signed JWT with:
1302
- * - Standard claims (iss, sub, aud, exp, iat, jti)
1303
- * - Agent identity (role, checksum)
1304
- * - Permissions (RBAC)
1305
- * - Intent metadata (workflow context)
1306
- * - PoP binding (JWK thumbprint)
1320
+ * SOVEREIGN PATH: the token on the wire is an EdDSA UCAN capability token
1321
+ * signed with the request's Ed25519 key pair via `CapabilityTokenIssuer`.
1322
+ * The full legacy `IntentTokenPayload` view (standard claims, agent
1323
+ * identity/checksum, permissions, intent metadata, PoP binding) travels in
1324
+ * the token facts and is reconstructed verbatim by `verifyToken`.
1307
1325
  */
1308
1326
  async issueToken(request) {
1309
1327
  const {
@@ -1327,12 +1345,13 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1327
1345
  const permissions = getDefaultPermissions(agentConfig.role);
1328
1346
  const updatedDelegationChain = [...delegationChain, agentConfig.role];
1329
1347
  const now = Math.floor(Date.now() / 1e3);
1348
+ const lifetimeSec = typeof this.tokenExpiration === "string" ? this.parseExpiration(this.tokenExpiration) : this.tokenExpiration;
1330
1349
  const payload = {
1331
- // Standard JWT claims
1350
+ // Standard claims
1332
1351
  iss: this.issuer,
1333
1352
  sub: `agent:${agentConfig.role}:${agentConfig.name}`,
1334
- aud: "holoscript-compiler",
1335
- exp: typeof this.tokenExpiration === "string" ? now + this.parseExpiration(this.tokenExpiration) : now + this.tokenExpiration,
1353
+ aud: LEGACY_AUDIENCE,
1354
+ exp: now + lifetimeSec,
1336
1355
  iat: now,
1337
1356
  jti: crypto3__namespace.randomUUID(),
1338
1357
  // Agent-specific claims
@@ -1356,70 +1375,131 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1356
1375
  // Ed25519 public key for HTTP Message Signature verification
1357
1376
  publicKey: keyPair.publicKey
1358
1377
  };
1359
- const token = jwt__default.default.sign(payload, this.jwtSecret, {
1360
- algorithm: "HS256"
1361
- });
1378
+ const resource = agentConfig.scope ? `${HOLOSCRIPT_RESOURCE_SCHEME}${agentConfig.scope}` : HOLOSCRIPT_RESOURCE_ALL;
1379
+ const capabilities = permissions.map((perm) => ({
1380
+ with: resource,
1381
+ can: PERMISSION_TO_ACTION[perm] || perm
1382
+ }));
1383
+ const capToken = await this.getCapabilityTokenIssuer().issueRoot(
1384
+ {
1385
+ issuer: payload.sub,
1386
+ audience: LEGACY_AUDIENCE,
1387
+ capabilities,
1388
+ lifetimeSec,
1389
+ facts: {
1390
+ intent_payload: payload,
1391
+ publicKey: keyPair.publicKey
1392
+ }
1393
+ },
1394
+ keyPair
1395
+ );
1362
1396
  this.workflowState.set(workflowId, workflowStep);
1363
1397
  const keystore = getKeystore();
1364
1398
  await keystore.storeCredential({
1365
1399
  role: agentConfig.role,
1366
- token,
1400
+ token: capToken.raw,
1367
1401
  keyPair,
1368
1402
  createdAt: new Date(now * 1e3),
1369
- expiresAt: new Date(payload.exp * 1e3)
1403
+ expiresAt: new Date(capToken.payload.exp * 1e3)
1370
1404
  });
1371
- return token;
1405
+ return capToken.raw;
1372
1406
  }
1373
1407
  /**
1374
- * Verify agent token
1408
+ * Verify an agent token — FAIL CLOSED.
1375
1409
  *
1376
1410
  * Validates:
1377
- * - Signature authenticity
1378
- * - Token expiration
1379
- * - Claims structure
1411
+ * - EdDSA capability-token structure (legacy HS256 jsonwebtoken envelopes
1412
+ * are rejected with `LEGACY_JWT_REJECTED`, never verified)
1413
+ * - Ed25519 signature against the embedded verification key
1414
+ * - Expiration
1415
+ * - Issuer / audience claims
1416
+ * - Required legacy claims structure
1380
1417
  * - Workflow step sequence (if strict mode)
1418
+ *
1419
+ * Never throws — every failure mode maps to a rejected result.
1381
1420
  */
1382
1421
  verifyToken(token) {
1383
1422
  try {
1384
- const decoded = jwt__default.default.verify(token, this.jwtSecret, {
1385
- issuer: this.issuer,
1386
- audience: "holoscript-compiler"
1387
- });
1388
- if (!decoded.agent_role || !decoded.agent_checksum || !decoded.intent) {
1423
+ if (typeof token !== "string" || token.length === 0) {
1389
1424
  return {
1390
1425
  valid: false,
1391
- error: "Missing required claims",
1392
- errorCode: "INVALID_CLAIMS"
1426
+ error: "Invalid signature or malformed token",
1427
+ errorCode: "INVALID_SIGNATURE"
1393
1428
  };
1394
1429
  }
1395
- if (this.strictWorkflowValidation) {
1396
- const currentStep = this.workflowState.get(decoded.intent.workflow_id);
1397
- if (currentStep && currentStep !== decoded.intent.workflow_step) {
1398
- return {
1399
- valid: false,
1400
- error: `Workflow step mismatch: expected ${currentStep}, got ${decoded.intent.workflow_step}`,
1401
- errorCode: "WORKFLOW_VIOLATION"
1402
- };
1430
+ const tokenSha256 = sha256Hex(token);
1431
+ const cached = intentPresentationCache.get(tokenSha256);
1432
+ if (cached) {
1433
+ const now = Math.floor(Date.now() / 1e3);
1434
+ if (cached.exp <= now) {
1435
+ intentPresentationCache.delete(tokenSha256);
1436
+ return { valid: false, error: "Token expired", errorCode: "EXPIRED" };
1403
1437
  }
1438
+ return this.checkClaimsAndWorkflow(structuredClone(cached));
1404
1439
  }
1405
- return {
1406
- valid: true,
1407
- payload: decoded
1408
- };
1409
- } catch (error) {
1410
- if (error instanceof Error && error.name === "TokenExpiredError") {
1440
+ const parts = token.split(".");
1441
+ if (parts.length !== 3 || parts.some((part) => part.length === 0)) {
1411
1442
  return {
1412
1443
  valid: false,
1413
- error: "Token expired",
1414
- errorCode: "EXPIRED"
1444
+ error: "Invalid signature or malformed token",
1445
+ errorCode: "INVALID_SIGNATURE"
1415
1446
  };
1416
- } else if (error instanceof Error && error.name === "JsonWebTokenError") {
1447
+ }
1448
+ const header = decodeJsonSegment(parts[0]);
1449
+ if (!header || typeof header.alg !== "string") {
1417
1450
  return {
1418
1451
  valid: false,
1419
- error: "Invalid signature or malformed token",
1452
+ error: "Malformed token: header segment is not decodable JSON with an alg claim.",
1453
+ errorCode: "INVALID_SIGNATURE"
1454
+ };
1455
+ }
1456
+ if (header.alg !== "EdDSA") {
1457
+ return {
1458
+ valid: false,
1459
+ error: `Legacy ${header.alg} jsonwebtoken envelope is no longer accepted. Reissue a sovereign capability token via issueToken.`,
1460
+ errorCode: "LEGACY_JWT_REJECTED"
1461
+ };
1462
+ }
1463
+ const rawPayload = decodeJsonSegment(parts[1]);
1464
+ if (!rawPayload) {
1465
+ return {
1466
+ valid: false,
1467
+ error: "Malformed token: payload segment is not decodable JSON.",
1468
+ errorCode: "INVALID_SIGNATURE"
1469
+ };
1470
+ }
1471
+ const facts = asRecord(rawPayload.fct);
1472
+ const verificationKey = asString(facts?.publicKey);
1473
+ if (!verificationKey) {
1474
+ return {
1475
+ valid: false,
1476
+ error: "Capability token does not embed its Ed25519 verification key (fct.publicKey). Fail closed.",
1477
+ errorCode: "INVALID_CLAIMS"
1478
+ };
1479
+ }
1480
+ const verification = this.getCapabilityTokenIssuer().verify(token, verificationKey);
1481
+ if (!verification.valid || !verification.payload) {
1482
+ if (verification.errorCode === "EXPIRED") {
1483
+ return { valid: false, error: "Token expired", errorCode: "EXPIRED" };
1484
+ }
1485
+ return {
1486
+ valid: false,
1487
+ error: verification.error ?? "Invalid signature or malformed token",
1420
1488
  errorCode: "INVALID_SIGNATURE"
1421
1489
  };
1422
1490
  }
1491
+ const verifiedFacts = asRecord(verification.payload.fct);
1492
+ const intentPayload = verifiedFacts?.intent_payload;
1493
+ if (!isIntentTokenPayload(intentPayload)) {
1494
+ return {
1495
+ valid: false,
1496
+ error: "Missing required claims",
1497
+ errorCode: "INVALID_CLAIMS"
1498
+ };
1499
+ }
1500
+ intentPresentationCache.set(tokenSha256, intentPayload);
1501
+ return this.checkClaimsAndWorkflow(structuredClone(intentPayload));
1502
+ } catch (error) {
1423
1503
  return {
1424
1504
  valid: false,
1425
1505
  error: error instanceof Error ? error.message : String(error),
@@ -1427,6 +1507,37 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1427
1507
  };
1428
1508
  }
1429
1509
  }
1510
+ /**
1511
+ * Issuer/audience claim checks + strict workflow sequencing — run on both
1512
+ * the fresh-verification and presentation-cache paths.
1513
+ */
1514
+ checkClaimsAndWorkflow(payload) {
1515
+ if (payload.iss !== this.issuer || payload.aud !== LEGACY_AUDIENCE) {
1516
+ return {
1517
+ valid: false,
1518
+ error: `Token issuer/audience mismatch: expected ${this.issuer}/${LEGACY_AUDIENCE}`,
1519
+ errorCode: "INVALID_CLAIMS"
1520
+ };
1521
+ }
1522
+ if (!payload.agent_role || !payload.agent_checksum || !payload.intent) {
1523
+ return {
1524
+ valid: false,
1525
+ error: "Missing required claims",
1526
+ errorCode: "INVALID_CLAIMS"
1527
+ };
1528
+ }
1529
+ if (this.strictWorkflowValidation) {
1530
+ const currentStep = this.workflowState.get(payload.intent.workflow_id);
1531
+ if (currentStep && currentStep !== payload.intent.workflow_step) {
1532
+ return {
1533
+ valid: false,
1534
+ error: `Workflow step mismatch: expected ${currentStep}, got ${payload.intent.workflow_step}`,
1535
+ errorCode: "WORKFLOW_VIOLATION"
1536
+ };
1537
+ }
1538
+ }
1539
+ return { valid: true, payload };
1540
+ }
1430
1541
  /**
1431
1542
  * Extract token from Authorization header
1432
1543
  */
@@ -1467,8 +1578,8 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1467
1578
  *
1468
1579
  * Maps the agent's role to capabilities using the PERMISSION_TO_ACTION bridge
1469
1580
  * constants defined in CapabilityToken.ts. This enables agents that currently
1470
- * use JWT tokens to obtain equivalent UCAN capability tokens for the gradual
1471
- * migration to capability-based authorization.
1581
+ * use legacy tokens to obtain equivalent UCAN capability tokens for the
1582
+ * gradual migration to capability-based authorization.
1472
1583
  *
1473
1584
  * @param options Capability token issuance options
1474
1585
  * @returns Signed UCAN CapabilityToken
@@ -1499,21 +1610,22 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
1499
1610
  );
1500
1611
  }
1501
1612
  /**
1502
- * Issue both a JWT token and a UCAN capability token for the same agent
1503
- * and intent context.
1613
+ * Issue both a legacy-view token and a UCAN capability token for the same
1614
+ * agent and intent context.
1504
1615
  *
1505
- * This method enables gradual migration from JWT-only authorization to
1506
- * UCAN capability-based authorization. Consuming services can validate
1507
- * either token during the transition period.
1616
+ * This method enables gradual migration from `IntentTokenPayload`-view
1617
+ * authorization to UCAN capability-based authorization. Consuming services
1618
+ * can validate either token during the transition period. Both members are
1619
+ * EdDSA-signed on the sovereign path.
1508
1620
  *
1509
- * @param request Standard JWT token request parameters
1621
+ * @param request Standard token request parameters
1510
1622
  * @param capabilityOptions Additional options for the capability token
1511
1623
  * (audience defaults to 'holoscript-compiler')
1512
1624
  * @returns HybridTokenResult with both tokens
1513
1625
  */
1514
1626
  async issueHybridToken(request, capabilityOptions) {
1515
1627
  const jwtToken = await this.issueToken(request);
1516
- const audience = capabilityOptions?.audience ?? "holoscript-compiler";
1628
+ const audience = capabilityOptions?.audience ?? LEGACY_AUDIENCE;
1517
1629
  const capabilityToken = await this.issueCapabilityToken({
1518
1630
  agentConfig: request.agentConfig,
1519
1631
  audience,
@@ -3978,6 +4090,7 @@ var init_ANSNamespace = chunkZHPMP447_cjs.__esm({
3978
4090
  AGENT_INFERENCE: "/compile/ai/agent-inference",
3979
4091
  OMNIGENT_AGENT_YAML: "/compile/ai/omnigent-agent-yaml",
3980
4092
  DAIMON_SEED: "/compile/ai/daimon-seed",
4093
+ HSI_IR: "/compile/ai/hsi-ir",
3981
4094
  MCP_CONFIG: "/compile/ai/mcp-config",
3982
4095
  MCP_SERVER: "/compile/ai/mcp-server",
3983
4096
  // ── neuromorphic ─────────────────────────────────────────────────────
@@ -4042,6 +4155,7 @@ var init_ANSNamespace = chunkZHPMP447_cjs.__esm({
4042
4155
  "agent-inference": ANSDomain.AI,
4043
4156
  "omnigent-agent-yaml": ANSDomain.AI,
4044
4157
  "daimon-seed": ANSDomain.AI,
4158
+ "hsi-ir": ANSDomain.AI,
4045
4159
  "mcp-config": ANSDomain.AI,
4046
4160
  "mcp-server": ANSDomain.AI,
4047
4161
  // neuromorphic
@@ -4097,6 +4211,7 @@ var init_ANSNamespace = chunkZHPMP447_cjs.__esm({
4097
4211
  "agent-inference": exports.ANSCapabilityPath.AGENT_INFERENCE,
4098
4212
  "omnigent-agent-yaml": exports.ANSCapabilityPath.OMNIGENT_AGENT_YAML,
4099
4213
  "daimon-seed": exports.ANSCapabilityPath.DAIMON_SEED,
4214
+ "hsi-ir": exports.ANSCapabilityPath.HSI_IR,
4100
4215
  "mcp-config": exports.ANSCapabilityPath.MCP_CONFIG,
4101
4216
  "mcp-server": exports.ANSCapabilityPath.MCP_SERVER,
4102
4217
  nir: exports.ANSCapabilityPath.NIR,
@@ -5555,6 +5670,7 @@ var init_CompilerBase = chunkZHPMP447_cjs.__esm({
5555
5670
  AgentInferenceCompiler: "agent-inference",
5556
5671
  OmnigentAgentYamlCompiler: "omnigent-agent-yaml",
5557
5672
  DaimonSeedCompiler: "daimon-seed",
5673
+ HSIIRCompiler: "hsi-ir",
5558
5674
  CodeEditorCompiler: "code-editor",
5559
5675
  SVGCompiler: "svg"
5560
5676
  };
@@ -6067,5 +6183,5 @@ exports.isCapabilityTokenCredential = isCapabilityTokenCredential;
6067
6183
  exports.normalizeNormProvenance = normalizeNormProvenance;
6068
6184
  exports.normsByCategory = normsByCategory;
6069
6185
  exports.serializeNormProvenance = serializeNormProvenance;
6070
- //# sourceMappingURL=chunk-SE2Y5BSL.cjs.map
6071
- //# sourceMappingURL=chunk-SE2Y5BSL.cjs.map
6186
+ //# sourceMappingURL=chunk-CMEINO5I.cjs.map
6187
+ //# sourceMappingURL=chunk-CMEINO5I.cjs.map
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
 
3
- var chunkSE2Y5BSL_cjs = require('./chunk-SE2Y5BSL.cjs');
3
+ var chunkCMEINO5I_cjs = require('./chunk-CMEINO5I.cjs');
4
4
  var chunkZHPMP447_cjs = require('./chunk-ZHPMP447.cjs');
5
5
  var ans = require('@holoscript/core-types/ans');
6
6
 
@@ -24,7 +24,7 @@ function createPythonAgentInferenceCompiler(options) {
24
24
  var DEFAULT_MODEL_CONFIG, ANTHROPIC_MODELS_NO_SAMPLING_PARAMS, AGENT_TRAIT_NAMES; exports.AgentInferenceCompiler = void 0; exports.AgentInferenceExportTarget_default = void 0;
25
25
  var init_AgentInferenceExportTarget = chunkZHPMP447_cjs.__esm({
26
26
  "src/compiler/AgentInferenceExportTarget.ts"() {
27
- chunkSE2Y5BSL_cjs.init_CompilerBase();
27
+ chunkCMEINO5I_cjs.init_CompilerBase();
28
28
  DEFAULT_MODEL_CONFIG = {
29
29
  provider: "anthropic",
30
30
  // Default to Opus 4.7 — most capable Claude. Users override per-agent via
@@ -54,7 +54,7 @@ var init_AgentInferenceExportTarget = chunkZHPMP447_cjs.__esm({
54
54
  "memory",
55
55
  "persona"
56
56
  ]);
57
- exports.AgentInferenceCompiler = class extends chunkSE2Y5BSL_cjs.CompilerBase {
57
+ exports.AgentInferenceCompiler = class extends chunkCMEINO5I_cjs.CompilerBase {
58
58
  constructor(options = {}) {
59
59
  super();
60
60
  this.compilerName = "AgentInferenceCompiler";
@@ -1009,5 +1009,5 @@ exports.AgentInferenceExportTarget_exports = AgentInferenceExportTarget_exports;
1009
1009
  exports.createAgentInferenceCompiler = createAgentInferenceCompiler;
1010
1010
  exports.createPythonAgentInferenceCompiler = createPythonAgentInferenceCompiler;
1011
1011
  exports.init_AgentInferenceExportTarget = init_AgentInferenceExportTarget;
1012
- //# sourceMappingURL=chunk-YMI3ED3B.cjs.map
1013
- //# sourceMappingURL=chunk-YMI3ED3B.cjs.map
1012
+ //# sourceMappingURL=chunk-CRUIGXF7.cjs.map
1013
+ //# sourceMappingURL=chunk-CRUIGXF7.cjs.map