@humanagencyp/hap-core 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +9 -7
- package/dist/index.mjs +9 -7
- package/package.json +1 -1
- package/src/gatekeeper.ts +13 -9
package/dist/index.js
CHANGED
|
@@ -371,7 +371,7 @@ async function verifyV3(request, profile, publicKeyHex, now, executionLog, error
|
|
|
371
371
|
async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
372
372
|
const errors = [];
|
|
373
373
|
const bounds = request.frame;
|
|
374
|
-
const context = request.context
|
|
374
|
+
const context = request.context;
|
|
375
375
|
let expectedBoundsHash;
|
|
376
376
|
let expectedContextHash;
|
|
377
377
|
try {
|
|
@@ -379,10 +379,12 @@ async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
|
379
379
|
} catch (err) {
|
|
380
380
|
return { approved: false, errors: [{ code: "BOUNDS_MISMATCH", message: `Bounds hash computation failed: ${err}` }] };
|
|
381
381
|
}
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
382
|
+
if (context && Object.keys(context).length > 0) {
|
|
383
|
+
try {
|
|
384
|
+
expectedContextHash = computeContextHash(context, profile);
|
|
385
|
+
} catch (err) {
|
|
386
|
+
return { approved: false, errors: [{ code: "CONTEXT_MISMATCH", message: `Context hash computation failed: ${err}` }] };
|
|
387
|
+
}
|
|
386
388
|
}
|
|
387
389
|
const requiredDomains = [];
|
|
388
390
|
const coveredDomains = /* @__PURE__ */ new Set();
|
|
@@ -406,7 +408,7 @@ async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
|
406
408
|
errors.push({ code: "BOUNDS_MISMATCH", message: "Attestation bounds_hash does not match computed bounds_hash" });
|
|
407
409
|
continue;
|
|
408
410
|
}
|
|
409
|
-
if (isV4Attestation(attestation)) {
|
|
411
|
+
if (isV4Attestation(attestation) && expectedContextHash) {
|
|
410
412
|
try {
|
|
411
413
|
verifyContextHash(attestation, expectedContextHash);
|
|
412
414
|
} catch {
|
|
@@ -443,7 +445,7 @@ async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
|
443
445
|
if (boundsErrors.length > 0) {
|
|
444
446
|
return { approved: false, errors: boundsErrors };
|
|
445
447
|
}
|
|
446
|
-
if (profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
|
|
448
|
+
if (context && profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
|
|
447
449
|
const contextErrors = checkContextConstraints(context, request.execution, profile);
|
|
448
450
|
if (contextErrors.length > 0) {
|
|
449
451
|
return { approved: false, errors: contextErrors };
|
package/dist/index.mjs
CHANGED
|
@@ -309,7 +309,7 @@ async function verifyV3(request, profile, publicKeyHex, now, executionLog, error
|
|
|
309
309
|
async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
310
310
|
const errors = [];
|
|
311
311
|
const bounds = request.frame;
|
|
312
|
-
const context = request.context
|
|
312
|
+
const context = request.context;
|
|
313
313
|
let expectedBoundsHash;
|
|
314
314
|
let expectedContextHash;
|
|
315
315
|
try {
|
|
@@ -317,10 +317,12 @@ async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
|
317
317
|
} catch (err) {
|
|
318
318
|
return { approved: false, errors: [{ code: "BOUNDS_MISMATCH", message: `Bounds hash computation failed: ${err}` }] };
|
|
319
319
|
}
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
320
|
+
if (context && Object.keys(context).length > 0) {
|
|
321
|
+
try {
|
|
322
|
+
expectedContextHash = computeContextHash(context, profile);
|
|
323
|
+
} catch (err) {
|
|
324
|
+
return { approved: false, errors: [{ code: "CONTEXT_MISMATCH", message: `Context hash computation failed: ${err}` }] };
|
|
325
|
+
}
|
|
324
326
|
}
|
|
325
327
|
const requiredDomains = [];
|
|
326
328
|
const coveredDomains = /* @__PURE__ */ new Set();
|
|
@@ -344,7 +346,7 @@ async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
|
344
346
|
errors.push({ code: "BOUNDS_MISMATCH", message: "Attestation bounds_hash does not match computed bounds_hash" });
|
|
345
347
|
continue;
|
|
346
348
|
}
|
|
347
|
-
if (isV4Attestation(attestation)) {
|
|
349
|
+
if (isV4Attestation(attestation) && expectedContextHash) {
|
|
348
350
|
try {
|
|
349
351
|
verifyContextHash(attestation, expectedContextHash);
|
|
350
352
|
} catch {
|
|
@@ -381,7 +383,7 @@ async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
|
|
|
381
383
|
if (boundsErrors.length > 0) {
|
|
382
384
|
return { approved: false, errors: boundsErrors };
|
|
383
385
|
}
|
|
384
|
-
if (profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
|
|
386
|
+
if (context && profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
|
|
385
387
|
const contextErrors = checkContextConstraints(context, request.execution, profile);
|
|
386
388
|
if (contextErrors.length > 0) {
|
|
387
389
|
return { approved: false, errors: contextErrors };
|
package/package.json
CHANGED
package/src/gatekeeper.ts
CHANGED
|
@@ -181,11 +181,11 @@ async function verifyV4(
|
|
|
181
181
|
|
|
182
182
|
// In v0.4 the `frame` param carries bounds; `context` carries context params
|
|
183
183
|
const bounds = request.frame as AgentBoundsParams;
|
|
184
|
-
const context: AgentContextParams = request.context
|
|
184
|
+
const context: AgentContextParams | undefined = request.context;
|
|
185
185
|
|
|
186
186
|
// Compute expected hashes
|
|
187
187
|
let expectedBoundsHash: string;
|
|
188
|
-
let expectedContextHash: string;
|
|
188
|
+
let expectedContextHash: string | undefined;
|
|
189
189
|
|
|
190
190
|
try {
|
|
191
191
|
expectedBoundsHash = computeBoundsHash(bounds, profile);
|
|
@@ -193,10 +193,14 @@ async function verifyV4(
|
|
|
193
193
|
return { approved: false, errors: [{ code: 'BOUNDS_MISMATCH', message: `Bounds hash computation failed: ${err}` }] };
|
|
194
194
|
}
|
|
195
195
|
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
196
|
+
// Context hash is only computed when context is explicitly provided.
|
|
197
|
+
// At execution time, context is not re-verified — it was checked at authorization time.
|
|
198
|
+
if (context && Object.keys(context).length > 0) {
|
|
199
|
+
try {
|
|
200
|
+
expectedContextHash = computeContextHash(context, profile);
|
|
201
|
+
} catch (err) {
|
|
202
|
+
return { approved: false, errors: [{ code: 'CONTEXT_MISMATCH', message: `Context hash computation failed: ${err}` }] };
|
|
203
|
+
}
|
|
200
204
|
}
|
|
201
205
|
|
|
202
206
|
// Verify attestations (domains come from SP group config, not profile)
|
|
@@ -227,8 +231,8 @@ async function verifyV4(
|
|
|
227
231
|
continue;
|
|
228
232
|
}
|
|
229
233
|
|
|
230
|
-
// Verify context hash (only
|
|
231
|
-
if (isV4Attestation(attestation)) {
|
|
234
|
+
// Verify context hash (only when context was provided and hash was computed)
|
|
235
|
+
if (isV4Attestation(attestation) && expectedContextHash) {
|
|
232
236
|
try {
|
|
233
237
|
verifyContextHash(attestation, expectedContextHash);
|
|
234
238
|
} catch {
|
|
@@ -275,7 +279,7 @@ async function verifyV4(
|
|
|
275
279
|
}
|
|
276
280
|
|
|
277
281
|
// Check context constraints using contextSchema
|
|
278
|
-
if (profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
|
|
282
|
+
if (context && profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
|
|
279
283
|
const contextErrors = checkContextConstraints(context, request.execution, profile);
|
|
280
284
|
if (contextErrors.length > 0) {
|
|
281
285
|
return { approved: false, errors: contextErrors };
|