@holoscript/core 8.0.14 → 8.0.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -13
- package/bin/holo-decision.mjs +0 -0
- package/bin/holoscript.cjs +0 -0
- package/dist/{GLTFPipeline-6LS3UDYX.js → GLTFPipeline-FRBZIATS.js} +6 -6
- package/dist/{GLTFPipeline-VTI6PRRQ.cjs → GLTFPipeline-MTPP444P.cjs} +10 -10
- package/dist/{HoloCompositionParser-GILABNN3.js → HoloCompositionParser-2GVQAZ2X.js} +7 -7
- package/dist/HoloCompositionParser-3NDF6BMX.cjs +45 -0
- package/dist/HoloScriptPlusParser-URSIBEAW.cjs +30 -0
- package/dist/HoloScriptPlusParser-YCV6L7GI.js +13 -0
- package/dist/{HoloScriptRuntime-YBYXJHJN.cjs → HoloScriptRuntime-CRWI6C3P.cjs} +5 -5
- package/dist/{HoloScriptRuntime-UTRLJI5L.js → HoloScriptRuntime-IAZGHPFP.js} +4 -4
- package/dist/{SceneIRCompiler-VX75RB6H.js → SceneIRCompiler-BJQMKLWL.js} +6 -6
- package/dist/{SceneIRCompiler-7KQ5NKAU.cjs → SceneIRCompiler-RTPPDQAV.cjs} +11 -11
- package/dist/{chunk-Y2OCKXVD.js → chunk-22AULOAL.js} +5 -5
- package/dist/{chunk-D44CEFY4.cjs → chunk-2DJIS7TH.cjs} +5 -5
- package/dist/{chunk-LHUDAJQT.cjs → chunk-2PVEXEOL.cjs} +5 -5
- package/dist/{chunk-M7XR3F53.js → chunk-2UP2J3OK.js} +4 -4
- package/dist/{chunk-3KHRZTNW.js → chunk-3AUYBQ5I.js} +3 -3
- package/dist/{chunk-UKEK2NZJ.js → chunk-3MQAOMKD.js} +3 -3
- package/dist/{chunk-FWKEY4LD.js → chunk-4AGNARX6.js} +3 -3
- package/dist/{chunk-7ITJP33Q.cjs → chunk-4CQ7ULXZ.cjs} +3 -3
- package/dist/{chunk-47XZ62KM.js → chunk-4UA5OBWR.js} +5 -5
- package/dist/{chunk-ORBVCOTC.js → chunk-5LCJDX5A.js} +3 -3
- package/dist/{chunk-IK6Z2HNC.js → chunk-6OQHLNTT.js} +2 -2
- package/dist/{chunk-EI3J6LTW.cjs → chunk-6RDHWSZM.cjs} +217 -217
- package/dist/{chunk-73EDVY5D.js → chunk-7AY66PZP.js} +3 -3
- package/dist/{chunk-6FCNMTL5.js → chunk-7HDRN5BW.js} +4 -4
- package/dist/{chunk-N7MIIDLI.cjs → chunk-7IBXTJP7.cjs} +8 -8
- package/dist/{chunk-R5VKLUMR.js → chunk-AAUQTR7I.js} +4 -4
- package/dist/{chunk-HCONR4J6.cjs → chunk-AN3ZH7M7.cjs} +38 -38
- package/dist/{chunk-YW3I2FQL.js → chunk-ANMME7XT.js} +4 -2
- package/dist/{chunk-W4AJMMQR.js → chunk-AUF7HFOO.js} +60 -22
- package/dist/{chunk-SKVBUGMC.cjs → chunk-AUMTQV64.cjs} +7 -7
- package/dist/{chunk-7ZKQ32XK.js → chunk-B5K3WHJ4.js} +4 -4
- package/dist/{chunk-QQFB4RT2.cjs → chunk-BTVHY3UB.cjs} +2 -2
- package/dist/{chunk-SE2Y5BSL.cjs → chunk-CMEINO5I.cjs} +186 -70
- package/dist/{chunk-YMI3ED3B.cjs → chunk-CRUIGXF7.cjs} +5 -5
- package/dist/chunk-DDBYJJZK.js +1571 -0
- package/dist/{chunk-2E6PP5UE.cjs → chunk-E2SNPMBO.cjs} +11 -11
- package/dist/{chunk-GI5YYZH6.js → chunk-E4YS5SIZ.js} +90 -25
- package/dist/{chunk-62OYZT6Q.js → chunk-EKNWUSGW.js} +3 -3
- package/dist/{chunk-RVN7OPCP.js → chunk-ETIJOUIO.js} +4 -4
- package/dist/chunk-EUNELE7Y.cjs +1605 -0
- package/dist/{chunk-C73GVAYC.js → chunk-F33KLYOS.js} +5 -5
- package/dist/{chunk-4CRMVEON.cjs → chunk-F47FEV4X.cjs} +40 -40
- package/dist/{chunk-FGXJPJ3W.cjs → chunk-FCGTI7FO.cjs} +4 -4
- package/dist/{chunk-OSKGCXAQ.cjs → chunk-FGTXAVKG.cjs} +5 -5
- package/dist/{chunk-XZC75AJ4.cjs → chunk-FPGYWNNA.cjs} +5 -5
- package/dist/{chunk-5B2AJKA5.cjs → chunk-FQ4MYZYU.cjs} +20 -20
- package/dist/{chunk-KOGPVAP6.js → chunk-FT4FGTR6.js} +3 -3
- package/dist/{chunk-N7IYRAFG.cjs → chunk-FVNV4WHQ.cjs} +14 -14
- package/dist/{chunk-SJIRCTIS.cjs → chunk-HSGJFCVJ.cjs} +2 -2
- package/dist/{chunk-TKDDIE3T.cjs → chunk-ILO2KMER.cjs} +4 -4
- package/dist/{chunk-GGH3ZYDB.cjs → chunk-IPBSNGAN.cjs} +92 -27
- package/dist/{chunk-JQCXLKAU.js → chunk-IX2U3RQT.js} +3 -3
- package/dist/{chunk-P65OIMJT.cjs → chunk-IYK6LMQ7.cjs} +7 -7
- package/dist/{chunk-NWKARJM2.js → chunk-J3VVM6GV.js} +4 -4
- package/dist/{chunk-FOM36K5I.cjs → chunk-J74S4ZMF.cjs} +18 -18
- package/dist/{chunk-36NPLOI4.cjs → chunk-JERWCCEJ.cjs} +4 -2
- package/dist/{chunk-VXHB6ZHY.js → chunk-JTDDLCSP.js} +4 -4
- package/dist/{chunk-GYJLP4BO.cjs → chunk-K53L47NH.cjs} +30 -30
- package/dist/{chunk-FHR2AVMA.cjs → chunk-LJTM5ONX.cjs} +23 -23
- package/dist/{chunk-JCVSCKUH.js → chunk-LJVVOVA6.js} +4 -4
- package/dist/{chunk-LQNL3IYV.cjs → chunk-LNJKBQ2B.cjs} +38 -38
- package/dist/{chunk-2GKF7JQ6.js → chunk-M2GDE3NV.js} +3 -3
- package/dist/{chunk-Z7NUL73U.js → chunk-MSZNGI5P.js} +3 -3
- package/dist/{chunk-B6JHTTMR.cjs → chunk-N2BOTBPG.cjs} +15 -15
- package/dist/{chunk-L4DBUX3N.cjs → chunk-NFALJJCH.cjs} +12 -12
- package/dist/{chunk-YBM34FUJ.cjs → chunk-NRZRBK25.cjs} +6 -6
- package/dist/{chunk-SNMQUWIO.cjs → chunk-NTSLNIY7.cjs} +10 -10
- package/dist/{chunk-645EWDZW.cjs → chunk-NZJOAWJM.cjs} +4 -4
- package/dist/{chunk-LGRKBTPM.js → chunk-OG7RKWWX.js} +3 -3
- package/dist/{chunk-OOP4S3GU.cjs → chunk-OQVHCYY4.cjs} +5 -5
- package/dist/{chunk-TMNAKNV2.cjs → chunk-PEBNX3VM.cjs} +5 -5
- package/dist/{chunk-5T6BWIB7.js → chunk-PFZ5WLIP.js} +4 -4
- package/dist/{chunk-CESMPUEZ.cjs → chunk-PHLNABJD.cjs} +159 -145
- package/dist/{chunk-CHIZSMWD.js → chunk-PLK3DLTF.js} +3 -3
- package/dist/{chunk-4NEPHK2K.js → chunk-PMACVMHL.js} +3 -3
- package/dist/{chunk-EYHPTJ3F.js → chunk-PV2OXNP5.js} +40 -26
- package/dist/{chunk-KLM6QD6D.cjs → chunk-Q6VW7MGX.cjs} +14 -14
- package/dist/{chunk-YDSNDCV3.js → chunk-QC3CAVFN.js} +186 -69
- package/dist/{chunk-REN3LHO6.cjs → chunk-QKLEDRHN.cjs} +19 -19
- package/dist/{chunk-2EGGAZT3.js → chunk-QS27OYBU.js} +3 -3
- package/dist/{chunk-4376VHNJ.js → chunk-RUB7WL6C.js} +3 -3
- package/dist/chunk-S2BSXG3B.js +3308 -0
- package/dist/{chunk-TZQKJOPC.js → chunk-TW2AH2ZS.js} +3 -3
- package/dist/{chunk-Q4J2K7FI.js → chunk-TZM6DKSJ.js} +6 -6
- package/dist/{chunk-ESSEF6U2.js → chunk-U227RWXB.js} +3 -3
- package/dist/{chunk-ERYKKPHW.cjs → chunk-U6CQOM5Q.cjs} +13 -13
- package/dist/{chunk-VMCR5QVI.js → chunk-ULT2QAV5.js} +4 -4
- package/dist/chunk-VQOTDNFL.cjs +3337 -0
- package/dist/{chunk-VZI7S7P6.cjs → chunk-VSO6HPDZ.cjs} +7 -7
- package/dist/{chunk-QLPRI3QW.js → chunk-WQJMSSJT.js} +4 -4
- package/dist/{chunk-GILYQ5VH.cjs → chunk-WXSDBWGM.cjs} +4 -4
- package/dist/{chunk-42Z3SVHQ.js → chunk-X5PMMK7H.js} +3 -3
- package/dist/{chunk-ML4V5PVU.cjs → chunk-X5ZLSPU2.cjs} +74 -32
- package/dist/{chunk-PSWCJQS4.js → chunk-X727CQ7X.js} +5 -5
- package/dist/{chunk-YM7UUYR5.cjs → chunk-XHZYS4QO.cjs} +5 -5
- package/dist/{chunk-PZ46WRHX.cjs → chunk-XRQCTTDC.cjs} +8 -8
- package/dist/{chunk-IXFNA5TT.js → chunk-YBIHSN55.js} +4 -4
- package/dist/{chunk-BLCWQ225.js → chunk-Z574GVI3.js} +4 -4
- package/dist/{chunk-ZVQMKUGJ.js → chunk-Z5V3KA7L.js} +2 -2
- package/dist/{chunk-VTFLKSJL.cjs → chunk-ZHW6TDZ6.cjs} +14 -14
- package/dist/{chunk-KYJD2UMV.js → chunk-ZPHCTPR6.js} +4 -4
- package/dist/{chunk-VA7THINF.cjs → chunk-ZXXC2GXB.cjs} +38 -38
- package/dist/cli/holoscript-runner.cjs +168 -19
- package/dist/cli/holoscript-runner.js +162 -13
- package/dist/compiler/agent-inference.cjs +7 -7
- package/dist/compiler/agent-inference.js +3 -3
- package/dist/compiler/android-xr.cjs +6 -6
- package/dist/compiler/android-xr.js +4 -4
- package/dist/compiler/android.cjs +5 -5
- package/dist/compiler/android.js +3 -3
- package/dist/compiler/context.cjs +5 -5
- package/dist/compiler/context.js +2 -2
- package/dist/compiler/daimon-seed.cjs +8 -8
- package/dist/compiler/daimon-seed.js +3 -3
- package/dist/compiler/domain-block-utils.cjs +164 -164
- package/dist/compiler/domain-block-utils.js +3 -3
- package/dist/compiler/dtdl.cjs +6 -6
- package/dist/compiler/dtdl.js +3 -3
- package/dist/compiler/gltf-pipeline.cjs +8 -8
- package/dist/compiler/gltf-pipeline.js +1 -1
- package/dist/compiler/godot.cjs +5 -5
- package/dist/compiler/godot.js +4 -4
- package/dist/compiler/incremental.cjs +7 -7
- package/dist/compiler/incremental.js +2 -2
- package/dist/compiler/index.cjs +1603 -204
- package/dist/compiler/index.d.ts +8 -0
- package/dist/compiler/index.js +1431 -55
- package/dist/compiler/ios.cjs +5 -5
- package/dist/compiler/ios.js +3 -3
- package/dist/compiler/llm-provider-capabilities.cjs +5 -5
- package/dist/compiler/llm-provider-capabilities.js +2 -2
- package/dist/compiler/openxr.cjs +5 -5
- package/dist/compiler/openxr.js +4 -4
- package/dist/compiler/sdf.cjs +6 -6
- package/dist/compiler/sdf.js +4 -4
- package/dist/compiler/state.cjs +5 -5
- package/dist/compiler/state.js +3 -3
- package/dist/compiler/trait-composition.cjs +6 -6
- package/dist/compiler/trait-composition.js +2 -2
- package/dist/compiler/unity.cjs +5 -5
- package/dist/compiler/unity.js +4 -4
- package/dist/compiler/unreal.cjs +6 -6
- package/dist/compiler/unreal.js +4 -4
- package/dist/compiler/urdf.cjs +13 -13
- package/dist/compiler/urdf.js +4 -4
- package/dist/compiler/usd-physics.cjs +6 -6
- package/dist/compiler/usd-physics.js +3 -3
- package/dist/compiler/visionos.cjs +5 -5
- package/dist/compiler/visionos.js +4 -4
- package/dist/compiler/vrchat.cjs +6 -6
- package/dist/compiler/vrchat.js +4 -4
- package/dist/compiler/wasm.cjs +9 -9
- package/dist/compiler/wasm.js +4 -4
- package/dist/compiler/webgpu.cjs +5 -5
- package/dist/compiler/webgpu.js +4 -4
- package/dist/constants.cjs +99 -99
- package/dist/constants.js +3 -3
- package/dist/debugger.cjs +5 -5
- package/dist/debugger.js +3 -3
- package/dist/{dist-GRMOP2UL.cjs → dist-YGATNURH.cjs} +705 -9
- package/dist/{dist-ZBUKU2JG.js → dist-ZEZXRCBG.js} +701 -10
- package/dist/entries/scripting.cjs +8 -8
- package/dist/entries/scripting.js +4 -4
- package/dist/evolution/index.cjs +20 -20
- package/dist/evolution/index.js +8 -8
- package/dist/index.cjs +871 -809
- package/dist/index.d.ts +8 -0
- package/dist/index.js +132 -70
- package/dist/parser/HoloCompositionTypes.d.ts +1 -1
- package/dist/parser.cjs +21 -21
- package/dist/parser.js +7 -7
- package/dist/reconstruction/index.cjs +63 -63
- package/dist/reconstruction/index.js +7 -7
- package/dist/runtime.cjs +9 -9
- package/dist/runtime.js +3 -3
- package/dist/traits/botanical-lotus.d.ts +61 -0
- package/dist/traits/index.cjs +664 -671
- package/dist/traits/index.d.ts +65 -0
- package/dist/traits/index.js +14 -21
- package/dist/types/HoloScriptPlus.d.ts +1 -1
- package/package.json +65 -63
- package/dist/HoloCompositionParser-ZVRYVEA5.cjs +0 -45
- package/dist/HoloScriptPlusParser-WTPRPRPR.cjs +0 -30
- package/dist/HoloScriptPlusParser-ZP53ECSL.js +0 -13
|
@@ -7,7 +7,6 @@ var chunkZHPMP447_cjs = require('./chunk-ZHPMP447.cjs');
|
|
|
7
7
|
var crypto3 = require('crypto');
|
|
8
8
|
var util = require('util');
|
|
9
9
|
var zod = require('zod');
|
|
10
|
-
var jwt = require('jsonwebtoken');
|
|
11
10
|
var path = require('path');
|
|
12
11
|
|
|
13
12
|
function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
|
|
@@ -31,7 +30,6 @@ function _interopNamespace(e) {
|
|
|
31
30
|
}
|
|
32
31
|
|
|
33
32
|
var crypto3__namespace = /*#__PURE__*/_interopNamespace(crypto3);
|
|
34
|
-
var jwt__default = /*#__PURE__*/_interopDefault(jwt);
|
|
35
33
|
var path__default = /*#__PURE__*/_interopDefault(path);
|
|
36
34
|
|
|
37
35
|
function calculateJwkThumbprint(publicKeyPem) {
|
|
@@ -1262,16 +1260,42 @@ var init_CapabilityTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1262
1260
|
globalCapabilityIssuer = null;
|
|
1263
1261
|
}
|
|
1264
1262
|
});
|
|
1263
|
+
function sha256Hex(value) {
|
|
1264
|
+
return crypto3__namespace.createHash("sha256").update(value, "utf8").digest("hex");
|
|
1265
|
+
}
|
|
1266
|
+
function decodeJsonSegment(segment) {
|
|
1267
|
+
try {
|
|
1268
|
+
const parsed = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
|
|
1269
|
+
if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
|
|
1270
|
+
return parsed;
|
|
1271
|
+
}
|
|
1272
|
+
return void 0;
|
|
1273
|
+
} catch {
|
|
1274
|
+
return void 0;
|
|
1275
|
+
}
|
|
1276
|
+
}
|
|
1277
|
+
function asRecord(value) {
|
|
1278
|
+
if (value !== null && typeof value === "object" && !Array.isArray(value)) {
|
|
1279
|
+
return value;
|
|
1280
|
+
}
|
|
1281
|
+
return void 0;
|
|
1282
|
+
}
|
|
1283
|
+
function asString(value) {
|
|
1284
|
+
return typeof value === "string" && value.length > 0 ? value : void 0;
|
|
1285
|
+
}
|
|
1286
|
+
function isIntentTokenPayload(value) {
|
|
1287
|
+
const record = asRecord(value);
|
|
1288
|
+
if (!record) return false;
|
|
1289
|
+
const intent = asRecord(record.intent);
|
|
1290
|
+
return typeof record.iss === "string" && typeof record.sub === "string" && typeof record.aud === "string" && typeof record.exp === "number" && typeof record.agent_role === "string" && asRecord(record.agent_checksum) !== void 0 && Array.isArray(record.permissions) && intent !== void 0 && typeof intent.workflow_id === "string" && typeof intent.workflow_step === "string";
|
|
1291
|
+
}
|
|
1265
1292
|
function getTokenIssuer(config) {
|
|
1266
1293
|
if (!globalIssuer) {
|
|
1267
|
-
globalIssuer = new AgentTokenIssuer(
|
|
1268
|
-
...config,
|
|
1269
|
-
jwtSecret: process.env.AGENT_JWT_SECRET
|
|
1270
|
-
});
|
|
1294
|
+
globalIssuer = new AgentTokenIssuer(config);
|
|
1271
1295
|
}
|
|
1272
1296
|
return globalIssuer;
|
|
1273
1297
|
}
|
|
1274
|
-
var DEFAULT_ISSUER,
|
|
1298
|
+
var DEFAULT_ISSUER, DEFAULT_TOKEN_EXPIRATION, LEGACY_AUDIENCE, intentPresentationCache, AgentTokenIssuer, globalIssuer;
|
|
1275
1299
|
var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
1276
1300
|
"src/compiler/identity/AgentTokenIssuer.ts"() {
|
|
1277
1301
|
init_AgentIdentity();
|
|
@@ -1279,31 +1303,25 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1279
1303
|
init_CapabilityToken();
|
|
1280
1304
|
init_CapabilityTokenIssuer();
|
|
1281
1305
|
DEFAULT_ISSUER = "holoscript-orchestrator";
|
|
1282
|
-
DEFAULT_JWT_SECRET = process.env.AGENT_JWT_SECRET || "dev-secret-change-in-production";
|
|
1283
1306
|
DEFAULT_TOKEN_EXPIRATION = "24h";
|
|
1307
|
+
LEGACY_AUDIENCE = "holoscript-compiler";
|
|
1308
|
+
intentPresentationCache = /* @__PURE__ */ new Map();
|
|
1284
1309
|
AgentTokenIssuer = class {
|
|
1285
1310
|
constructor(config = {}) {
|
|
1286
1311
|
/** Active workflow state (for validation) */
|
|
1287
1312
|
this.workflowState = /* @__PURE__ */ new Map();
|
|
1288
1313
|
this.issuer = config.issuer || DEFAULT_ISSUER;
|
|
1289
|
-
this.jwtSecret = config.jwtSecret || DEFAULT_JWT_SECRET;
|
|
1290
1314
|
this.tokenExpiration = config.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
|
|
1291
1315
|
this.strictWorkflowValidation = config.strictWorkflowValidation ?? true;
|
|
1292
|
-
if (this.jwtSecret === DEFAULT_JWT_SECRET && process.env.NODE_ENV === "production") {
|
|
1293
|
-
console.error(
|
|
1294
|
-
"[TOKEN_ISSUER] Using default JWT secret in production! Set AGENT_JWT_SECRET environment variable."
|
|
1295
|
-
);
|
|
1296
|
-
}
|
|
1297
1316
|
}
|
|
1298
1317
|
/**
|
|
1299
|
-
* Issue intent token for agent
|
|
1318
|
+
* Issue an intent token for an agent.
|
|
1300
1319
|
*
|
|
1301
|
-
*
|
|
1302
|
-
*
|
|
1303
|
-
*
|
|
1304
|
-
*
|
|
1305
|
-
*
|
|
1306
|
-
* - PoP binding (JWK thumbprint)
|
|
1320
|
+
* SOVEREIGN PATH: the token on the wire is an EdDSA UCAN capability token
|
|
1321
|
+
* signed with the request's Ed25519 key pair via `CapabilityTokenIssuer`.
|
|
1322
|
+
* The full legacy `IntentTokenPayload` view (standard claims, agent
|
|
1323
|
+
* identity/checksum, permissions, intent metadata, PoP binding) travels in
|
|
1324
|
+
* the token facts and is reconstructed verbatim by `verifyToken`.
|
|
1307
1325
|
*/
|
|
1308
1326
|
async issueToken(request) {
|
|
1309
1327
|
const {
|
|
@@ -1327,12 +1345,13 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1327
1345
|
const permissions = getDefaultPermissions(agentConfig.role);
|
|
1328
1346
|
const updatedDelegationChain = [...delegationChain, agentConfig.role];
|
|
1329
1347
|
const now = Math.floor(Date.now() / 1e3);
|
|
1348
|
+
const lifetimeSec = typeof this.tokenExpiration === "string" ? this.parseExpiration(this.tokenExpiration) : this.tokenExpiration;
|
|
1330
1349
|
const payload = {
|
|
1331
|
-
// Standard
|
|
1350
|
+
// Standard claims
|
|
1332
1351
|
iss: this.issuer,
|
|
1333
1352
|
sub: `agent:${agentConfig.role}:${agentConfig.name}`,
|
|
1334
|
-
aud:
|
|
1335
|
-
exp:
|
|
1353
|
+
aud: LEGACY_AUDIENCE,
|
|
1354
|
+
exp: now + lifetimeSec,
|
|
1336
1355
|
iat: now,
|
|
1337
1356
|
jti: crypto3__namespace.randomUUID(),
|
|
1338
1357
|
// Agent-specific claims
|
|
@@ -1356,70 +1375,131 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1356
1375
|
// Ed25519 public key for HTTP Message Signature verification
|
|
1357
1376
|
publicKey: keyPair.publicKey
|
|
1358
1377
|
};
|
|
1359
|
-
const
|
|
1360
|
-
|
|
1361
|
-
|
|
1378
|
+
const resource = agentConfig.scope ? `${HOLOSCRIPT_RESOURCE_SCHEME}${agentConfig.scope}` : HOLOSCRIPT_RESOURCE_ALL;
|
|
1379
|
+
const capabilities = permissions.map((perm) => ({
|
|
1380
|
+
with: resource,
|
|
1381
|
+
can: PERMISSION_TO_ACTION[perm] || perm
|
|
1382
|
+
}));
|
|
1383
|
+
const capToken = await this.getCapabilityTokenIssuer().issueRoot(
|
|
1384
|
+
{
|
|
1385
|
+
issuer: payload.sub,
|
|
1386
|
+
audience: LEGACY_AUDIENCE,
|
|
1387
|
+
capabilities,
|
|
1388
|
+
lifetimeSec,
|
|
1389
|
+
facts: {
|
|
1390
|
+
intent_payload: payload,
|
|
1391
|
+
publicKey: keyPair.publicKey
|
|
1392
|
+
}
|
|
1393
|
+
},
|
|
1394
|
+
keyPair
|
|
1395
|
+
);
|
|
1362
1396
|
this.workflowState.set(workflowId, workflowStep);
|
|
1363
1397
|
const keystore = getKeystore();
|
|
1364
1398
|
await keystore.storeCredential({
|
|
1365
1399
|
role: agentConfig.role,
|
|
1366
|
-
token,
|
|
1400
|
+
token: capToken.raw,
|
|
1367
1401
|
keyPair,
|
|
1368
1402
|
createdAt: new Date(now * 1e3),
|
|
1369
|
-
expiresAt: new Date(payload.exp * 1e3)
|
|
1403
|
+
expiresAt: new Date(capToken.payload.exp * 1e3)
|
|
1370
1404
|
});
|
|
1371
|
-
return
|
|
1405
|
+
return capToken.raw;
|
|
1372
1406
|
}
|
|
1373
1407
|
/**
|
|
1374
|
-
* Verify agent token
|
|
1408
|
+
* Verify an agent token — FAIL CLOSED.
|
|
1375
1409
|
*
|
|
1376
1410
|
* Validates:
|
|
1377
|
-
* -
|
|
1378
|
-
*
|
|
1379
|
-
* -
|
|
1411
|
+
* - EdDSA capability-token structure (legacy HS256 jsonwebtoken envelopes
|
|
1412
|
+
* are rejected with `LEGACY_JWT_REJECTED`, never verified)
|
|
1413
|
+
* - Ed25519 signature against the embedded verification key
|
|
1414
|
+
* - Expiration
|
|
1415
|
+
* - Issuer / audience claims
|
|
1416
|
+
* - Required legacy claims structure
|
|
1380
1417
|
* - Workflow step sequence (if strict mode)
|
|
1418
|
+
*
|
|
1419
|
+
* Never throws — every failure mode maps to a rejected result.
|
|
1381
1420
|
*/
|
|
1382
1421
|
verifyToken(token) {
|
|
1383
1422
|
try {
|
|
1384
|
-
|
|
1385
|
-
issuer: this.issuer,
|
|
1386
|
-
audience: "holoscript-compiler"
|
|
1387
|
-
});
|
|
1388
|
-
if (!decoded.agent_role || !decoded.agent_checksum || !decoded.intent) {
|
|
1423
|
+
if (typeof token !== "string" || token.length === 0) {
|
|
1389
1424
|
return {
|
|
1390
1425
|
valid: false,
|
|
1391
|
-
error: "
|
|
1392
|
-
errorCode: "
|
|
1426
|
+
error: "Invalid signature or malformed token",
|
|
1427
|
+
errorCode: "INVALID_SIGNATURE"
|
|
1393
1428
|
};
|
|
1394
1429
|
}
|
|
1395
|
-
|
|
1396
|
-
|
|
1397
|
-
|
|
1398
|
-
|
|
1399
|
-
|
|
1400
|
-
|
|
1401
|
-
|
|
1402
|
-
};
|
|
1430
|
+
const tokenSha256 = sha256Hex(token);
|
|
1431
|
+
const cached = intentPresentationCache.get(tokenSha256);
|
|
1432
|
+
if (cached) {
|
|
1433
|
+
const now = Math.floor(Date.now() / 1e3);
|
|
1434
|
+
if (cached.exp <= now) {
|
|
1435
|
+
intentPresentationCache.delete(tokenSha256);
|
|
1436
|
+
return { valid: false, error: "Token expired", errorCode: "EXPIRED" };
|
|
1403
1437
|
}
|
|
1438
|
+
return this.checkClaimsAndWorkflow(structuredClone(cached));
|
|
1404
1439
|
}
|
|
1405
|
-
|
|
1406
|
-
|
|
1407
|
-
payload: decoded
|
|
1408
|
-
};
|
|
1409
|
-
} catch (error) {
|
|
1410
|
-
if (error instanceof Error && error.name === "TokenExpiredError") {
|
|
1440
|
+
const parts = token.split(".");
|
|
1441
|
+
if (parts.length !== 3 || parts.some((part) => part.length === 0)) {
|
|
1411
1442
|
return {
|
|
1412
1443
|
valid: false,
|
|
1413
|
-
error: "
|
|
1414
|
-
errorCode: "
|
|
1444
|
+
error: "Invalid signature or malformed token",
|
|
1445
|
+
errorCode: "INVALID_SIGNATURE"
|
|
1415
1446
|
};
|
|
1416
|
-
}
|
|
1447
|
+
}
|
|
1448
|
+
const header = decodeJsonSegment(parts[0]);
|
|
1449
|
+
if (!header || typeof header.alg !== "string") {
|
|
1417
1450
|
return {
|
|
1418
1451
|
valid: false,
|
|
1419
|
-
error: "
|
|
1452
|
+
error: "Malformed token: header segment is not decodable JSON with an alg claim.",
|
|
1453
|
+
errorCode: "INVALID_SIGNATURE"
|
|
1454
|
+
};
|
|
1455
|
+
}
|
|
1456
|
+
if (header.alg !== "EdDSA") {
|
|
1457
|
+
return {
|
|
1458
|
+
valid: false,
|
|
1459
|
+
error: `Legacy ${header.alg} jsonwebtoken envelope is no longer accepted. Reissue a sovereign capability token via issueToken.`,
|
|
1460
|
+
errorCode: "LEGACY_JWT_REJECTED"
|
|
1461
|
+
};
|
|
1462
|
+
}
|
|
1463
|
+
const rawPayload = decodeJsonSegment(parts[1]);
|
|
1464
|
+
if (!rawPayload) {
|
|
1465
|
+
return {
|
|
1466
|
+
valid: false,
|
|
1467
|
+
error: "Malformed token: payload segment is not decodable JSON.",
|
|
1468
|
+
errorCode: "INVALID_SIGNATURE"
|
|
1469
|
+
};
|
|
1470
|
+
}
|
|
1471
|
+
const facts = asRecord(rawPayload.fct);
|
|
1472
|
+
const verificationKey = asString(facts?.publicKey);
|
|
1473
|
+
if (!verificationKey) {
|
|
1474
|
+
return {
|
|
1475
|
+
valid: false,
|
|
1476
|
+
error: "Capability token does not embed its Ed25519 verification key (fct.publicKey). Fail closed.",
|
|
1477
|
+
errorCode: "INVALID_CLAIMS"
|
|
1478
|
+
};
|
|
1479
|
+
}
|
|
1480
|
+
const verification = this.getCapabilityTokenIssuer().verify(token, verificationKey);
|
|
1481
|
+
if (!verification.valid || !verification.payload) {
|
|
1482
|
+
if (verification.errorCode === "EXPIRED") {
|
|
1483
|
+
return { valid: false, error: "Token expired", errorCode: "EXPIRED" };
|
|
1484
|
+
}
|
|
1485
|
+
return {
|
|
1486
|
+
valid: false,
|
|
1487
|
+
error: verification.error ?? "Invalid signature or malformed token",
|
|
1420
1488
|
errorCode: "INVALID_SIGNATURE"
|
|
1421
1489
|
};
|
|
1422
1490
|
}
|
|
1491
|
+
const verifiedFacts = asRecord(verification.payload.fct);
|
|
1492
|
+
const intentPayload = verifiedFacts?.intent_payload;
|
|
1493
|
+
if (!isIntentTokenPayload(intentPayload)) {
|
|
1494
|
+
return {
|
|
1495
|
+
valid: false,
|
|
1496
|
+
error: "Missing required claims",
|
|
1497
|
+
errorCode: "INVALID_CLAIMS"
|
|
1498
|
+
};
|
|
1499
|
+
}
|
|
1500
|
+
intentPresentationCache.set(tokenSha256, intentPayload);
|
|
1501
|
+
return this.checkClaimsAndWorkflow(structuredClone(intentPayload));
|
|
1502
|
+
} catch (error) {
|
|
1423
1503
|
return {
|
|
1424
1504
|
valid: false,
|
|
1425
1505
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -1427,6 +1507,37 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1427
1507
|
};
|
|
1428
1508
|
}
|
|
1429
1509
|
}
|
|
1510
|
+
/**
|
|
1511
|
+
* Issuer/audience claim checks + strict workflow sequencing — run on both
|
|
1512
|
+
* the fresh-verification and presentation-cache paths.
|
|
1513
|
+
*/
|
|
1514
|
+
checkClaimsAndWorkflow(payload) {
|
|
1515
|
+
if (payload.iss !== this.issuer || payload.aud !== LEGACY_AUDIENCE) {
|
|
1516
|
+
return {
|
|
1517
|
+
valid: false,
|
|
1518
|
+
error: `Token issuer/audience mismatch: expected ${this.issuer}/${LEGACY_AUDIENCE}`,
|
|
1519
|
+
errorCode: "INVALID_CLAIMS"
|
|
1520
|
+
};
|
|
1521
|
+
}
|
|
1522
|
+
if (!payload.agent_role || !payload.agent_checksum || !payload.intent) {
|
|
1523
|
+
return {
|
|
1524
|
+
valid: false,
|
|
1525
|
+
error: "Missing required claims",
|
|
1526
|
+
errorCode: "INVALID_CLAIMS"
|
|
1527
|
+
};
|
|
1528
|
+
}
|
|
1529
|
+
if (this.strictWorkflowValidation) {
|
|
1530
|
+
const currentStep = this.workflowState.get(payload.intent.workflow_id);
|
|
1531
|
+
if (currentStep && currentStep !== payload.intent.workflow_step) {
|
|
1532
|
+
return {
|
|
1533
|
+
valid: false,
|
|
1534
|
+
error: `Workflow step mismatch: expected ${currentStep}, got ${payload.intent.workflow_step}`,
|
|
1535
|
+
errorCode: "WORKFLOW_VIOLATION"
|
|
1536
|
+
};
|
|
1537
|
+
}
|
|
1538
|
+
}
|
|
1539
|
+
return { valid: true, payload };
|
|
1540
|
+
}
|
|
1430
1541
|
/**
|
|
1431
1542
|
* Extract token from Authorization header
|
|
1432
1543
|
*/
|
|
@@ -1467,8 +1578,8 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1467
1578
|
*
|
|
1468
1579
|
* Maps the agent's role to capabilities using the PERMISSION_TO_ACTION bridge
|
|
1469
1580
|
* constants defined in CapabilityToken.ts. This enables agents that currently
|
|
1470
|
-
* use
|
|
1471
|
-
* migration to capability-based authorization.
|
|
1581
|
+
* use legacy tokens to obtain equivalent UCAN capability tokens for the
|
|
1582
|
+
* gradual migration to capability-based authorization.
|
|
1472
1583
|
*
|
|
1473
1584
|
* @param options Capability token issuance options
|
|
1474
1585
|
* @returns Signed UCAN CapabilityToken
|
|
@@ -1499,21 +1610,22 @@ var init_AgentTokenIssuer = chunkZHPMP447_cjs.__esm({
|
|
|
1499
1610
|
);
|
|
1500
1611
|
}
|
|
1501
1612
|
/**
|
|
1502
|
-
* Issue both a
|
|
1503
|
-
* and intent context.
|
|
1613
|
+
* Issue both a legacy-view token and a UCAN capability token for the same
|
|
1614
|
+
* agent and intent context.
|
|
1504
1615
|
*
|
|
1505
|
-
* This method enables gradual migration from
|
|
1506
|
-
* UCAN capability-based authorization. Consuming services
|
|
1507
|
-
* either token during the transition period.
|
|
1616
|
+
* This method enables gradual migration from `IntentTokenPayload`-view
|
|
1617
|
+
* authorization to UCAN capability-based authorization. Consuming services
|
|
1618
|
+
* can validate either token during the transition period. Both members are
|
|
1619
|
+
* EdDSA-signed on the sovereign path.
|
|
1508
1620
|
*
|
|
1509
|
-
* @param request Standard
|
|
1621
|
+
* @param request Standard token request parameters
|
|
1510
1622
|
* @param capabilityOptions Additional options for the capability token
|
|
1511
1623
|
* (audience defaults to 'holoscript-compiler')
|
|
1512
1624
|
* @returns HybridTokenResult with both tokens
|
|
1513
1625
|
*/
|
|
1514
1626
|
async issueHybridToken(request, capabilityOptions) {
|
|
1515
1627
|
const jwtToken = await this.issueToken(request);
|
|
1516
|
-
const audience = capabilityOptions?.audience ??
|
|
1628
|
+
const audience = capabilityOptions?.audience ?? LEGACY_AUDIENCE;
|
|
1517
1629
|
const capabilityToken = await this.issueCapabilityToken({
|
|
1518
1630
|
agentConfig: request.agentConfig,
|
|
1519
1631
|
audience,
|
|
@@ -3978,6 +4090,7 @@ var init_ANSNamespace = chunkZHPMP447_cjs.__esm({
|
|
|
3978
4090
|
AGENT_INFERENCE: "/compile/ai/agent-inference",
|
|
3979
4091
|
OMNIGENT_AGENT_YAML: "/compile/ai/omnigent-agent-yaml",
|
|
3980
4092
|
DAIMON_SEED: "/compile/ai/daimon-seed",
|
|
4093
|
+
HSI_IR: "/compile/ai/hsi-ir",
|
|
3981
4094
|
MCP_CONFIG: "/compile/ai/mcp-config",
|
|
3982
4095
|
MCP_SERVER: "/compile/ai/mcp-server",
|
|
3983
4096
|
// ── neuromorphic ─────────────────────────────────────────────────────
|
|
@@ -4042,6 +4155,7 @@ var init_ANSNamespace = chunkZHPMP447_cjs.__esm({
|
|
|
4042
4155
|
"agent-inference": ANSDomain.AI,
|
|
4043
4156
|
"omnigent-agent-yaml": ANSDomain.AI,
|
|
4044
4157
|
"daimon-seed": ANSDomain.AI,
|
|
4158
|
+
"hsi-ir": ANSDomain.AI,
|
|
4045
4159
|
"mcp-config": ANSDomain.AI,
|
|
4046
4160
|
"mcp-server": ANSDomain.AI,
|
|
4047
4161
|
// neuromorphic
|
|
@@ -4097,6 +4211,7 @@ var init_ANSNamespace = chunkZHPMP447_cjs.__esm({
|
|
|
4097
4211
|
"agent-inference": exports.ANSCapabilityPath.AGENT_INFERENCE,
|
|
4098
4212
|
"omnigent-agent-yaml": exports.ANSCapabilityPath.OMNIGENT_AGENT_YAML,
|
|
4099
4213
|
"daimon-seed": exports.ANSCapabilityPath.DAIMON_SEED,
|
|
4214
|
+
"hsi-ir": exports.ANSCapabilityPath.HSI_IR,
|
|
4100
4215
|
"mcp-config": exports.ANSCapabilityPath.MCP_CONFIG,
|
|
4101
4216
|
"mcp-server": exports.ANSCapabilityPath.MCP_SERVER,
|
|
4102
4217
|
nir: exports.ANSCapabilityPath.NIR,
|
|
@@ -5555,6 +5670,7 @@ var init_CompilerBase = chunkZHPMP447_cjs.__esm({
|
|
|
5555
5670
|
AgentInferenceCompiler: "agent-inference",
|
|
5556
5671
|
OmnigentAgentYamlCompiler: "omnigent-agent-yaml",
|
|
5557
5672
|
DaimonSeedCompiler: "daimon-seed",
|
|
5673
|
+
HSIIRCompiler: "hsi-ir",
|
|
5558
5674
|
CodeEditorCompiler: "code-editor",
|
|
5559
5675
|
SVGCompiler: "svg"
|
|
5560
5676
|
};
|
|
@@ -6067,5 +6183,5 @@ exports.isCapabilityTokenCredential = isCapabilityTokenCredential;
|
|
|
6067
6183
|
exports.normalizeNormProvenance = normalizeNormProvenance;
|
|
6068
6184
|
exports.normsByCategory = normsByCategory;
|
|
6069
6185
|
exports.serializeNormProvenance = serializeNormProvenance;
|
|
6070
|
-
//# sourceMappingURL=chunk-
|
|
6071
|
-
//# sourceMappingURL=chunk-
|
|
6186
|
+
//# sourceMappingURL=chunk-CMEINO5I.cjs.map
|
|
6187
|
+
//# sourceMappingURL=chunk-CMEINO5I.cjs.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
var
|
|
3
|
+
var chunkCMEINO5I_cjs = require('./chunk-CMEINO5I.cjs');
|
|
4
4
|
var chunkZHPMP447_cjs = require('./chunk-ZHPMP447.cjs');
|
|
5
5
|
var ans = require('@holoscript/core-types/ans');
|
|
6
6
|
|
|
@@ -24,7 +24,7 @@ function createPythonAgentInferenceCompiler(options) {
|
|
|
24
24
|
var DEFAULT_MODEL_CONFIG, ANTHROPIC_MODELS_NO_SAMPLING_PARAMS, AGENT_TRAIT_NAMES; exports.AgentInferenceCompiler = void 0; exports.AgentInferenceExportTarget_default = void 0;
|
|
25
25
|
var init_AgentInferenceExportTarget = chunkZHPMP447_cjs.__esm({
|
|
26
26
|
"src/compiler/AgentInferenceExportTarget.ts"() {
|
|
27
|
-
|
|
27
|
+
chunkCMEINO5I_cjs.init_CompilerBase();
|
|
28
28
|
DEFAULT_MODEL_CONFIG = {
|
|
29
29
|
provider: "anthropic",
|
|
30
30
|
// Default to Opus 4.7 — most capable Claude. Users override per-agent via
|
|
@@ -54,7 +54,7 @@ var init_AgentInferenceExportTarget = chunkZHPMP447_cjs.__esm({
|
|
|
54
54
|
"memory",
|
|
55
55
|
"persona"
|
|
56
56
|
]);
|
|
57
|
-
exports.AgentInferenceCompiler = class extends
|
|
57
|
+
exports.AgentInferenceCompiler = class extends chunkCMEINO5I_cjs.CompilerBase {
|
|
58
58
|
constructor(options = {}) {
|
|
59
59
|
super();
|
|
60
60
|
this.compilerName = "AgentInferenceCompiler";
|
|
@@ -1009,5 +1009,5 @@ exports.AgentInferenceExportTarget_exports = AgentInferenceExportTarget_exports;
|
|
|
1009
1009
|
exports.createAgentInferenceCompiler = createAgentInferenceCompiler;
|
|
1010
1010
|
exports.createPythonAgentInferenceCompiler = createPythonAgentInferenceCompiler;
|
|
1011
1011
|
exports.init_AgentInferenceExportTarget = init_AgentInferenceExportTarget;
|
|
1012
|
-
//# sourceMappingURL=chunk-
|
|
1013
|
-
//# sourceMappingURL=chunk-
|
|
1012
|
+
//# sourceMappingURL=chunk-CRUIGXF7.cjs.map
|
|
1013
|
+
//# sourceMappingURL=chunk-CRUIGXF7.cjs.map
|