@kya-os/checkpoint-wasm-runtime 1.3.0 → 1.4.1

package/dist/orchestrator.d.mts

@@ -1,8 +1,218 @@
-import { VerifyRequestOpts, IncomingHttpLike } from './orchestrator-node.mjs';
-export { BuildAgentRequestOpts, RenderedResponse, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest } from './orchestrator-node.mjs';
-import { V as VerifyResult } from './types-ByrdPLL2.mjs';
+import { d as DidDocument, D as Decision, E as EnforcementMode, A as AgentRequest, C as ContextSpec, V as VerifyResult, e as EngineConfig } from './types-C3RniIOM.mjs';
 import '@kya-os/checkpoint-shared';
 
+/**
+ * DidResolver adapter — sub-phase B.1.
+ *
+ * Resolves `did:key:*` (in-memory multibase decode) and `did:web:*`
+ * (HTTPS fetch of `.well-known/did.json`) into the engine's
+ * `DidDocument` shape. The async half does any required I/O; the
+ * adapter's output is plain data that the host wrapper bundles into
+ * `ContextSpec.didDocs` before calling `engineVerify`.
+ *
+ * Phase 1 supports only Ed25519 verification methods (the engine's
+ * `KeyType` is `#[non_exhaustive]` with `Ed25519` as its single
+ * variant). Non-Ed25519 methods on a resolved doc are silently
+ * filtered out — the engine wouldn't accept them as a valid Stage 2
+ * key match anyway.
+ *
+ * **`kid` for `did:key`**: the verification-method id is
+ * `<did>#<multibase>` per mcp-i-core PR #16. **NOT** `<did>#keys-1`.
+ * H-1's `stage2_did_key_fragment_resolution` test pins this.
+ */
+
+interface DidResolverAdapter {
+    resolve(did: string): Promise<DidDocument>;
+}
+
+interface StatusListCacheAdapter {
+    /**
+     * Fetch the status list at `url`, decode it, and return the sorted
+     * set of revoked credential indices.
+     *
+     * @throws {StatusListUnavailable} on transport / non-2xx response.
+     * @throws {StatusListTimeout} when the fetch budget is exceeded.
+     * @throws {MalformedStatusList} when the VC is unparseable.
+     */
+    fetch(url: string): Promise<number[]>;
+}
+
+/**
+ * ReputationOracle adapter — sub-phase B.3.
+ *
+ * Resolves a per-DID reputation score in `[0.0, 1.0]`. Phase 1 wires
+ * an optional HTTP endpoint (Argus). Unavailable / misconfigured /
+ * out-of-range responses degrade to a baseline score so infrastructure
+ * blips can't silently DOS Adobe-class traffic. The engine's Stage 6
+ * compares the returned score against the tenant-configured threshold
+ * (Phase B.4 builds the threshold via `PolicyEvaluator`).
+ *
+ * **Degrade-to-trust** (Phase B § 4.5). Reputation is best-effort;
+ * Argus outages do not block traffic. The adapter returns the
+ * configured baseline (default 1.0 = "no signal, treat as trusted")
+ * and logs loudly. The engine's `LowReputation` block fires only
+ * when score < threshold from tenant policy; baseline-1.0 ensures
+ * no traffic is silently rejected just because Argus went down.
+ */
+interface ReputationOracleAdapter {
+    /**
+     * Return the agent's reputation in `[0.0, 1.0]`. Higher is better.
+     *
+     * **Does not throw.** Network / parse / range failures degrade to
+     * the baseline + log; the engine should never see a thrown error
+     * from this adapter.
+     */
+    score(agentDid: string): Promise<number>;
+}
+
+/**
+ * PolicyEvaluator adapter — sub-phase B.4.
+ *
+ * Computes the **tenant verdict** on the JS side and hands the engine
+ * a constant `Decision` for the WASM `WasmConstantPolicy` to echo as
+ * Stage 7's contribution. The engine's cross-stage priority order
+ * (locked in D-design § 6 row 4) handles how Stage 7 interacts with
+ * Stages 2 / 3 / 4 / 5.
+ *
+ * **Sync-engine / async-host invariant.** The JS adapter is async (it
+ * fetches tenant policy from the Checkpoint dashboard); the engine
+ * sees only the resolved `Decision`. Cedar-1 will replace this
+ * adapter's implementation without touching the surrounding orchestrator.
+ *
+ * **Cedar-1 forward-compat.** [`PolicyEvaluatorAdapter`] is the
+ * Cedar-swappable interface: `(input) → Decision`. The Phase 1 stub
+ * is a reputation-threshold check; Cedar-1 will replace the
+ * implementation, not the surface. Don't bake Cedar internals into
+ * this seam.
+ *
+ * **Degrade-to-permit.** Per Phase B § 4.5: when the dashboard policy
+ * endpoint is unreachable, fall back to `defaultPolicy` (caller-supplied)
+ * or `permit-by-default`. Loud log; no silent block.
+ */
+
+/**
+ * Pre-fetched inputs the JS host knows before calling the engine.
+ * Phase 1's evaluator only consumes `reputation` + `tenantHost`; later
+ * implementations (Cedar-1) may extend.
+ */
+interface PolicyEvalInput {
+    tenantHost: string;
+    reputation: number;
+}
+interface PolicyEvaluatorAdapter {
+    evaluate(input: PolicyEvalInput): Promise<Decision>;
+}
+
+/**
+ * Clock adapter — sub-phase B.5.
+ *
+ * Provides the Unix-seconds timestamp the engine's `Clock` trait needs
+ * for Stage 4 expiration checks. Trivial; the trait shape exists so
+ * tests can inject a frozen clock (and so the engine's sync-trait
+ * surface is satisfied without a JS callback crossing the WASM
+ * boundary — `ContextSpec.nowUnix` carries the value).
+ */
+interface ClockAdapter {
+    nowUnix(): number;
+}
+
+/**
+ * Framework-agnostic HTTP request shape.
+ *
+ * Next.js / Express / Cloudflare Workers / Hono adapters marshal
+ * their native request type into this shape before calling
+ * `verifyRequest`. The shape is intentionally minimal — only what
+ * the engine needs to make a verdict.
+ */
+interface IncomingHttpLike {
+    method: string;
+    /** Path + query string (no scheme + host). */
+    url: string;
+    headers: Record<string, string | string[] | undefined>;
+    /**
+     * Parsed body if the framework has already parsed it (Next.js
+     * with `await req.json()`, Express with `body-parser`). Falsy if
+     * the caller hasn't materialised the body — the orchestrator
+     * treats that as "no MCP-I envelope present" and routes to
+     * PlainHttp.
+     */
+    body?: Buffer | string | object | null;
+    /** Client IP if the framework surfaces one (Express `req.ip`). */
+    remoteAddress?: string;
+}
+/**
+ * Options the host wrapper passes per-`verifyRequest`-construction.
+ * The five adapters + clock + tenant identifier + enforcement mode.
+ */
+interface VerifyRequestOpts {
+    didResolver: DidResolverAdapter;
+    statusListCache: StatusListCacheAdapter;
+    reputationOracle: ReputationOracleAdapter;
+    policyEvaluator: PolicyEvaluatorAdapter;
+    clock: ClockAdapter;
+    /** Tenant identifier — the host customer this request targets. */
+    tenantHost: string;
+    enforcementMode: EnforcementMode;
+    /** Returned to the PolicyEvaluator when the request has no agent DID. Default 1.0. */
+    reputationBaseline?: number;
+    /**
+     * **Envelope-1 (#2537) coordination flag.** Pre-Envelope-1 the TS
+     * bouncer ships MCP-I proofs as `{protected,payload,signature}` JSON
+     * in a `KYA-Delegation` header. Post-Envelope-1 they ship compact
+     * JWS in `_meta.proof.jws` of the body. When this flag is true the
+     * orchestrator also accepts the legacy header form. **Default off.**
+     * Delete this flag once Envelope-1 ships end-to-end.
+     */
+    legacyEnvelopeFallback?: boolean;
+    /**
+     * Argus URL — passed only so the orchestrator can detect "Argus
+     * not configured" at construction time and log the one-shot
+     * warning. The actual reputation fetch goes through `reputationOracle`.
+     */
+    argusUrl?: string;
+    /** Injectable for the once-only Argus configuration warning. */
+    logger?: (msg: string) => void;
+    /**
+     * Override the engine WASM-bridge function used during the sync
+     * `verify()` call. Defaults to the wasm-bindgen `--target bundler`
+     * variant imported by `./verify-request.ts` from `'../index'`.
+     *
+     * The `./orchestrator/node` subpath (SDK-Next.js-Integration-Audit-1
+     * / #2618 safety net) injects the `--target nodejs` variant here so
+     * Webpack-without-asyncWebAssembly consumers don't transitively pull
+     * the bundler artifact through the orchestrator's verify call.
+     */
+    engineVerifyFn?: (input: AgentRequest, ctx: ContextSpec) => VerifyResult;
+    /**
+     * Engine-default behaviour knobs forwarded onto every composed
+     * `ContextSpec`. Defaults to `{ tier3Action: 'monitor' }` so a host
+     * installing `@kya-os/checkpoint-*` with minimal config preserves
+     * 1.3.0 behaviour — tenant policy is the arbiter, the engine does
+     * not short-circuit known-agent UAs with an engine-default Block.
+     *
+     * Host wrappers that want the calibrated engine-default block opt
+     * into `{ tier3Action: 'block' }`. The bench harness is the
+     * canonical opt-in consumer. See the wasm-runtime 1.4.0 CHANGELOG.
+     */
+    engineConfig?: EngineConfig;
+}
+/**
+ * Transport-agnostic response shape `renderDecisionAsResponse`
+ * produces. Host wrappers adapt this to their framework's response
+ * type (NextResponse / Express `res` / Cloudflare Response).
+ *
+ * `status === null` means "pass through" — the request continues to
+ * the next handler. Happens in two cases:
+ *   1. `Decision::Permit` (no block in Enforce mode).
+ *   2. **Any verdict in Observe mode** — Observe never blocks, but
+ *      the response headers still carry the would-have-been verdict.
+ */
+interface RenderedResponse {
+    status: number | null;
+    headers: Record<string, string>;
+    body?: string | object;
+}
+
 /**
  * `kya-os-engine` WASM bridge for edge runtimes — Edge-WASM-1.
  *
@@ -43,6 +253,121 @@ import '@kya-os/checkpoint-shared';
  */
 declare function initEngineEdge(moduleOrPath?: WebAssembly.Module | URL | string | Request | BufferSource): Promise<void>;
 
+/**
+ * HTTP-to-`AgentRequest` translator — Phase C.1.
+ *
+ * Detects which engine protocol the request belongs to and builds
+ * the typed `AgentRequest` the WASM consumes. Conservative
+ * detection: never escalates an ambiguous request into a higher
+ * verification tier. Anonymous PlainHttp is the default.
+ *
+ * **What this layer parses and what it doesn't.** It parses *only
+ * what's needed to drive conditional pre-fetch* — header presence,
+ * the MCP-I envelope's payload segment (to extract `iss` + `sub` +
+ * optional credentialStatus URL). It does **not** verify
+ * signatures, decode VC chains for revocation bits, or evaluate
+ * scope. Those live in the engine (H-1's parser + Stages 2-5).
+ *
+ * **Buffer-portability note.** This module uses `Buffer.from(...)` and
+ * `Buffer.isBuffer(...)` at multiple call sites (the JWS preflight
+ * `hasMalformedJwsBody`, both `tryBuildMcpIFromBody` variants, the
+ * legacy-header reconstitution path, and `bodyAsBytes`). All of these
+ * assume the Node `Buffer` global is available — provided natively by
+ * the Node runtime, polyfilled on Vercel Edge, and gated behind
+ * `nodejs_compat` on Cloudflare Workers. Bare-Edge and pure-browser
+ * embedders would need a `Buffer` polyfill or a refactor to
+ * `TextEncoder` / `Uint8Array.from`. Tracked as a follow-up since
+ * Phase D's Vercel Node + Vercel Edge targets are both covered today.
+ */
+
+interface BuildAgentRequestOpts {
+    /** See `VerifyRequestOpts.legacyEnvelopeFallback`. */
+    legacyEnvelopeFallback?: boolean;
+}
+/**
+ * Translate an HTTP-like request into the engine's `AgentRequest`.
+ *
+ * Detection order (conservative — never escalate ambiguous input):
+ *   1. MCP-I L2 detached proof in `_meta.proof.jws` (spec form).
+ *   2. (Legacy, opt-in) MCP-I in `KYA-Delegation` header
+ *      (Envelope-1 #2537 transition window only).
+ *   3. RFC 9421 HTTP Message Signatures (`Signature-Input` header).
+ *   4. PlainHttp (default — anonymous traffic).
+ */
+declare function buildAgentRequest(req: IncomingHttpLike, opts?: BuildAgentRequestOpts): AgentRequest;
+/**
+ * Preflight check — does the request body carry a `_meta.proof.jws`
+ * string that `parseJwsPayloadStruct` cannot project into a typed
+ * `McpIPayload`?
+ *
+ * The caller declared intent (an MCP-I envelope) by including the
+ * JWS field; structural failure to extract the payload means the
+ * envelope is malformed, not absent. Without this preflight, the
+ * orchestrator would silently fall through to PlainHttp — pre-#2560
+ * that happened to also Block (engine returned `Block(ParseError)`
+ * for every PlainHttp), so the regression was invisible; post-#2560
+ * the engine's Stage 1 + stub policy returns `Permit` for anonymous
+ * PlainHttp and tampered envelopes would be silently accepted.
+ *
+ * Returns `true` when the orchestrator should synthesize
+ * `Block(ParseError)` BEFORE calling `buildAgentRequest`.
+ */
+declare function hasMalformedJwsBody(req: IncomingHttpLike): boolean;
+/**
+ * Issuer DID — Stage 1 (identity resolution) targets this. `null`
+ * for PlainHttp (anonymous → no DID to resolve).
+ */
+declare function extractIssuer(request: AgentRequest): string | null;
+/**
+ * Agent DID — used by ReputationOracle. Defaults to `payload.sub`
+ * for MCP-I (subject = the agent the proof is *about*).
+ */
+declare function extractAgentDid(request: AgentRequest): string | null;
+/**
+ * Status-list URL for revocation pre-fetch. Pulled from the JWS
+ * payload's `vc.credentialStatus.id` (W3C VC Data Model 1.1).
+ * `null` when the envelope is L1 (no VC chain) — Stage 3 will skip.
+ */
+declare function extractCredentialStatusUrl(request: AgentRequest): string | null;
+
+/**
+ * Transport-agnostic `Decision` → HTTP renderer — Phase C.3.
+ *
+ * Translates a `VerifyResult` into a framework-neutral
+ * `{ status, headers, body }` shape. Phase D (Next.js) adapts this
+ * to `NextResponse`; Phase E (Express) adapts it to `res.status().set().send()`.
+ * One source of truth for the verdict→HTTP mapping.
+ *
+ * Mapping table (§ 4.5 of Phase C kickoff):
+ *
+ * | Decision                          | HTTP | Notes                                   |
+ * |-----------------------------------|------|-----------------------------------------|
+ * | Permit                            | null | Pass through to next handler            |
+ * | Block(Unauthenticated)            | 401  | WWW-Authenticate header                 |
+ * | Block(InvalidSignature)           | 403  |                                          |
+ * | Block(Revoked)                    | 403  |                                          |
+ * | Block(Expired)                    | 401  | Refresh-the-credential semantics        |
+ * | Block(OutOfScope)                 | 403  | Body carries requested + granted        |
+ * | Block(LowReputation)              | 403  | Body carries score + threshold          |
+ * | Block(PolicyDenied)               | 403  | Body carries detail                     |
+ * | Block(ParseError)                 | 400  | Body carries detail                     |
+ * | Block(AgentAttribution)           | 403  | Body carries vendor + tier + confidence |
+ * | Block(Tier3UAMatch)               | 403  | Body carries pattern_id + kind + conf   |
+ * | Challenge                         | 401  | Body carries ChallengeParams            |
+ * | Redirect                          | 302  | Location header                         |
+ * | Instruct                          | 422  | application/problem+json body           |
+ *
+ * Observe mode overrides: every verdict renders as `status: null`
+ * (pass through) with an `X-Checkpoint-Would-Have-Been` header
+ * carrying the verdict kind, plus the standard attribution headers.
+ *
+ * Every response carries the Phase 0.1 attribution headers:
+ * `X-Checkpoint-Engine`, `X-Checkpoint-Engine-Version`, and
+ * (when present) `X-Checkpoint-Ruleset-Hash`.
+ */
+
+declare function renderDecisionAsResponse(result: VerifyResult): RenderedResponse;
+
 /**
  * `verifyRequestEdge` async-init orchestrator — Edge-WASM-2 (folded into
  * Phase D's PR).
@@ -84,4 +409,33 @@ declare function makeVerifyRequestEdge(opts: VerifyRequestOpts): (req: IncomingH
  */
 declare function verifyRequestEdge(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
 
-export { IncomingHttpLike, VerifyRequestOpts, initEngineEdge, makeVerifyRequestEdge, verifyRequestEdge };
+/**
+ * Phase C + Edge-WASM-2 orchestrator barrel.
+ *
+ * The async entry point Phase D / E / future host wrappers compose.
+ * Subpath: `@kya-os/checkpoint-wasm-runtime/orchestrator`.
+ *
+ * Two variants:
+ *
+ * - **Node** — sync engine via `engineVerify`. Use under Vercel Node-
+ *   runtime / serverless functions / long-lived Node servers. Exported:
+ *   `verifyRequest`, `makeVerifyRequest`.
+ *
+ * - **Edge** — async-init engine via `engineVerifyEdge`. Use under
+ *   Vercel Edge runtime / Cloudflare Workers / browser embedding.
+ *   Exported: `verifyRequestEdge`, `makeVerifyRequestEdge`,
+ *   `initEngineEdge`. The `edge-runtime` + `browser` conditions on
+ *   the `./orchestrator` subpath automatically route to this variant
+ *   for edge bundlers; consumers can also import explicitly from
+ *   `./orchestrator/edge`.
+ *
+ * The cross-target parity test in [[__tests__/verify-request-parity.test.ts]]
+ * pins the verdict-equivalence invariant: both variants produce
+ * identical `VerifyResult.decision` on identical inputs. Any change
+ * to `verify-request.ts` MUST be mirrored in `verify-request-edge.ts`
+ * (see the doc-comment header on both files).
+ */
+declare const verifyRequest: (req: IncomingHttpLike, opts: VerifyRequestOpts) => Promise<VerifyResult>;
+declare const makeVerifyRequest: (opts: VerifyRequestOpts) => (req: IncomingHttpLike) => Promise<VerifyResult>;
+
+export { type BuildAgentRequestOpts, type IncomingHttpLike, type RenderedResponse, type VerifyRequestOpts, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, initEngineEdge, makeVerifyRequest, makeVerifyRequestEdge, renderDecisionAsResponse, verifyRequest, verifyRequestEdge };