@kya-os/contracts 1.3.2 → 1.3.3

package/dist/proof/proof-record.js

@@ -1,42 +1,19 @@
 "use strict";
-/**
- * Proof Record (Archive)
- *
- * Schema for proof records stored in KV/archive for audit trails
- *
- * Related Spec: MCP-I §5
- * Python Reference: Edge-Delegation-Verification.md
- */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DEFAULT_PROOF_RECORD_TTL_MS = exports.ProofRecordSchema = exports.VerificationInfoSchema = exports.CrispInfoSchema = exports.LinkageInfoSchema = exports.ProofDetailsSchema = exports.ResponseInfoSchema = exports.RequestInfoSchema = void 0;
 exports.validateProofRecord = validateProofRecord;
 exports.isProofRecordExpired = isProofRecordExpired;
 const zod_1 = require("zod");
-/**
- * Request Info Schema
- *
- * Information about the request that was proven
- */
 exports.RequestInfoSchema = zod_1.z.object({
     method: zod_1.z.string(),
     url: zod_1.z.string().url(),
     bodyHash: zod_1.z.string().optional(),
     headersHash: zod_1.z.string().optional(),
 });
-/**
- * Response Info Schema
- *
- * Information about the response
- */
 exports.ResponseInfoSchema = zod_1.z.object({
     status: zod_1.z.number().int(),
     bodyHash: zod_1.z.string().optional(),
 });
-/**
- * Proof Details Schema
- *
- * Core proof information
- */
 exports.ProofDetailsSchema = zod_1.z.object({
     timestamp: zod_1.z.number().int().positive(),
     nonce: zod_1.z.string().min(1),
@@ -48,87 +25,36 @@ exports.ProofDetailsSchema = zod_1.z.object({
     request: exports.RequestInfoSchema.optional(),
     response: exports.ResponseInfoSchema.optional(),
 });
-/**
- * Linkage Info Schema
- *
- * Links to delegations and credentials
- */
 exports.LinkageInfoSchema = zod_1.z.object({
     delegationId: zod_1.z.string().optional(),
     credentialId: zod_1.z.string().optional(),
     chainDepth: zod_1.z.number().int().nonnegative().optional(),
 });
-/**
- * CRISP Info Schema
- *
- * CRISP spending information
- */
 exports.CrispInfoSchema = zod_1.z.object({
     unit: zod_1.z.enum(['USD', 'ops', 'points']),
     delta: zod_1.z.number().optional(),
     remaining: zod_1.z.number().optional(),
 });
-/**
- * Verification Info Schema
- *
- * Verification result for the proof
- */
 exports.VerificationInfoSchema = zod_1.z.object({
     result: zod_1.z.enum(['pending', 'pass', 'fail']),
     reason: zod_1.z.string().optional(),
     checkedAt: zod_1.z.number().int().positive().optional(),
 });
-/**
- * Proof Record Schema
- *
- * Complete proof record for archive/KV storage
- */
 exports.ProofRecordSchema = zod_1.z.object({
-    /** Unique identifier for the proof record */
     id: zod_1.z.string().min(1),
-    /** Tool/service name that created the proof */
     toolName: zod_1.z.string().min(1),
-    /** Timestamp when stored (milliseconds since epoch) */
     storedAt: zod_1.z.number().int().positive(),
-    /** Expiration timestamp (milliseconds since epoch) */
     expiresAt: zod_1.z.number().int().positive(),
-    /** Core proof details */
     proof: exports.ProofDetailsSchema,
-    /** Optional linkage to delegations/credentials */
     linkage: exports.LinkageInfoSchema.optional(),
-    /** Optional CRISP spending info */
     crisp: exports.CrispInfoSchema.optional(),
-    /** Optional verification info */
     verification: exports.VerificationInfoSchema.optional(),
-    /** Optional metadata */
     metadata: zod_1.z.record(zod_1.z.any()).optional(),
 }).passthrough();
-/**
- * Validation Helpers
- */
-/**
- * Validate a proof record
- *
- * @param record - The record to validate
- * @returns Validation result
- */
 function validateProofRecord(record) {
     return exports.ProofRecordSchema.safeParse(record);
 }
-/**
- * Check if proof record is expired
- *
- * @param record - The record to check
- * @returns true if expired
- */
 function isProofRecordExpired(record) {
     return Date.now() > record.expiresAt;
 }
-/**
- * Constants
- */
-/**
- * Default proof record TTL (30 days in milliseconds)
- */
 exports.DEFAULT_PROOF_RECORD_TTL_MS = 30 * 24 * 60 * 60 * 1000;
-//# sourceMappingURL=proof-record.js.map

package/dist/proof/signing-spec.d.ts

@@ -1,61 +1,33 @@
-/**
- * Proof Signing Specification
- *
- * Canonical signing order and detached JWS contracts for proofs
- *
- * Related Spec: MCP-I §5
- * Python Reference: Edge-Delegation-Verification.md
- */
 import { z } from 'zod';
-/**
- * Canonical Request Parts Schema
- *
- * Parts of a request that are canonically signed
- */
 export declare const CanonicalRequestPartsSchema: z.ZodObject<{
-    /** HTTP method (uppercased) */
     method: z.ZodString;
-    /** Absolute URL */
     url: z.ZodString;
-    /** Optional body hash (base64url of SHA-256) */
     bodyHash: z.ZodOptional<z.ZodString>;
-    /** Optional headers hash (base64url of SHA-256 of allowlisted headers) */
     headersHash: z.ZodOptional<z.ZodString>;
-    /** Nonce (base64) */
     nonce: z.ZodString;
-    /** Timestamp (milliseconds since epoch) */
     timestamp: z.ZodNumber;
-    /** Audience (e.g., 'mcp-client') */
     audience: z.ZodString;
 }, "strip", z.ZodTypeAny, {
-    method: string;
-    url: string;
     nonce: string;
-    timestamp: number;
     audience: string;
+    timestamp: number;
+    url: string;
+    method: string;
     bodyHash?: string | undefined;
     headersHash?: string | undefined;
 }, {
-    method: string;
-    url: string;
     nonce: string;
-    timestamp: number;
     audience: string;
+    timestamp: number;
+    url: string;
+    method: string;
     bodyHash?: string | undefined;
     headersHash?: string | undefined;
 }>;
 export type CanonicalRequestParts = z.infer<typeof CanonicalRequestPartsSchema>;
-/**
- * Detached JWS Schema
- *
- * Detached JSON Web Signature for proofs
- */
 export declare const DetachedJwsSchema: z.ZodObject<{
-    /** Algorithm (Ed25519 or ES256) */
     alg: z.ZodEnum<["Ed25519", "ES256"]>;
-    /** Optional key ID (fragment from DID) */
     kid: z.ZodOptional<z.ZodString>;
-    /** Base64url-encoded signature */
     signature: z.ZodString;
 }, "strip", z.ZodTypeAny, {
     signature: string;
@@ -67,49 +39,25 @@ export declare const DetachedJwsSchema: z.ZodObject<{
     kid?: string | undefined;
 }>;
 export type DetachedJws = z.infer<typeof DetachedJwsSchema>;
-/**
- * Signing Order
- *
- * **CRITICAL**: This order MUST be used for canonical string generation.
- * Changing this order breaks signature verification.
- */
 export declare const SIGNING_ORDER: readonly ["method", "url", "bodyHash", "headersHash", "nonce", "timestamp", "audience"];
-/**
- * Type for signing order fields
- */
 export type SigningOrderField = (typeof SIGNING_ORDER)[number];
-/**
- * Validation Helpers
- */
-/**
- * Validate canonical request parts
- *
- * @param parts - The parts to validate
- * @returns Validation result
- */
 export declare function validateCanonicalRequestParts(parts: unknown): z.SafeParseReturnType<{
-    method: string;
-    url: string;
     nonce: string;
-    timestamp: number;
     audience: string;
+    timestamp: number;
+    url: string;
+    method: string;
     bodyHash?: string | undefined;
     headersHash?: string | undefined;
 }, {
-    method: string;
-    url: string;
     nonce: string;
-    timestamp: number;
     audience: string;
+    timestamp: number;
+    url: string;
+    method: string;
     bodyHash?: string | undefined;
     headersHash?: string | undefined;
 }>;
-/**
- * Validate detached JWS
- *
- * @param jws - The JWS to validate
- * @returns Validation result
- */
 export declare function validateDetachedJws(jws: unknown): z.SafeParseReturnType<{
     signature: string;
     alg: "Ed25519" | "ES256";
@@ -119,29 +67,7 @@ export declare function validateDetachedJws(jws: unknown): z.SafeParseReturnType
     alg: "Ed25519" | "ES256";
     kid?: string | undefined;
 }>;
-/**
- * Generate canonical signing string from parts
- *
- * **NOTE**: This is a type-level spec. Actual implementation
- * requires runtime string concatenation.
- *
- * @param parts - Canonical request parts
- * @returns Canonical string for signing
- */
 export declare function getCanonicalSigningString(parts: CanonicalRequestParts): string;
-/**
- * Constants
- */
-/**
- * Supported signing algorithms
- */
 export declare const SUPPORTED_SIGNING_ALGORITHMS: readonly ["Ed25519", "ES256"];
-/**
- * Hash algorithm for body/headers
- */
 export declare const SIGNING_HASH_ALGORITHM = "SHA-256";
-/**
- * Base64url pattern for validation
- */
 export declare const BASE64URL_PATTERN: RegExp;
-//# sourceMappingURL=signing-spec.d.ts.map

package/dist/proof/signing-spec.js

@@ -1,58 +1,24 @@
 "use strict";
-/**
- * Proof Signing Specification
- *
- * Canonical signing order and detached JWS contracts for proofs
- *
- * Related Spec: MCP-I §5
- * Python Reference: Edge-Delegation-Verification.md
- */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BASE64URL_PATTERN = exports.SIGNING_HASH_ALGORITHM = exports.SUPPORTED_SIGNING_ALGORITHMS = exports.SIGNING_ORDER = exports.DetachedJwsSchema = exports.CanonicalRequestPartsSchema = void 0;
 exports.validateCanonicalRequestParts = validateCanonicalRequestParts;
 exports.validateDetachedJws = validateDetachedJws;
 exports.getCanonicalSigningString = getCanonicalSigningString;
 const zod_1 = require("zod");
-/**
- * Canonical Request Parts Schema
- *
- * Parts of a request that are canonically signed
- */
 exports.CanonicalRequestPartsSchema = zod_1.z.object({
-    /** HTTP method (uppercased) */
     method: zod_1.z.string().toUpperCase(),
-    /** Absolute URL */
     url: zod_1.z.string().url(),
-    /** Optional body hash (base64url of SHA-256) */
     bodyHash: zod_1.z.string().regex(/^[A-Za-z0-9_-]+$/).optional(),
-    /** Optional headers hash (base64url of SHA-256 of allowlisted headers) */
     headersHash: zod_1.z.string().regex(/^[A-Za-z0-9_-]+$/).optional(),
-    /** Nonce (base64) */
     nonce: zod_1.z.string().min(1),
-    /** Timestamp (milliseconds since epoch) */
     timestamp: zod_1.z.number().int().positive(),
-    /** Audience (e.g., 'mcp-client') */
     audience: zod_1.z.string().min(1),
 });
-/**
- * Detached JWS Schema
- *
- * Detached JSON Web Signature for proofs
- */
 exports.DetachedJwsSchema = zod_1.z.object({
-    /** Algorithm (Ed25519 or ES256) */
     alg: zod_1.z.enum(['Ed25519', 'ES256']),
-    /** Optional key ID (fragment from DID) */
     kid: zod_1.z.string().optional(),
-    /** Base64url-encoded signature */
     signature: zod_1.z.string().regex(/^[A-Za-z0-9_-]+$/),
 });
-/**
- * Signing Order
- *
- * **CRITICAL**: This order MUST be used for canonical string generation.
- * Changing this order breaks signature verification.
- */
 exports.SIGNING_ORDER = Object.freeze([
     'method',
     'url',
@@ -62,36 +28,12 @@ exports.SIGNING_ORDER = Object.freeze([
     'timestamp',
     'audience',
 ]);
-/**
- * Validation Helpers
- */
-/**
- * Validate canonical request parts
- *
- * @param parts - The parts to validate
- * @returns Validation result
- */
 function validateCanonicalRequestParts(parts) {
     return exports.CanonicalRequestPartsSchema.safeParse(parts);
 }
-/**
- * Validate detached JWS
- *
- * @param jws - The JWS to validate
- * @returns Validation result
- */
 function validateDetachedJws(jws) {
     return exports.DetachedJwsSchema.safeParse(jws);
 }
-/**
- * Generate canonical signing string from parts
- *
- * **NOTE**: This is a type-level spec. Actual implementation
- * requires runtime string concatenation.
- *
- * @param parts - Canonical request parts
- * @returns Canonical string for signing
- */
 function getCanonicalSigningString(parts) {
     const values = [];
     for (const field of exports.SIGNING_ORDER) {
@@ -105,19 +47,6 @@ function getCanonicalSigningString(parts) {
     }
     return values.join('\n');
 }
-/**
- * Constants
- */
-/**
- * Supported signing algorithms
- */
 exports.SUPPORTED_SIGNING_ALGORITHMS = ['Ed25519', 'ES256'];
-/**
- * Hash algorithm for body/headers
- */
 exports.SIGNING_HASH_ALGORITHM = 'SHA-256';
-/**
- * Base64url pattern for validation
- */
 exports.BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
-//# sourceMappingURL=signing-spec.js.map

package/dist/proof.d.ts

@@ -1,14 +1,4 @@
 import { z } from "zod";
-/**
- * Proof and signature schemas for MCP-I
- *
- * Note: The type name "DetachedProof" is maintained for backward compatibility,
- * but the JWS format is actually FULL compact JWS (header.payload.signature),
- * not detached format (header..signature).
- *
- * The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
- * proof claims (requestHash, responseHash, nonce, etc.).
- */
 export declare const ProofMetaSchema: z.ZodObject<{
     did: z.ZodString;
     kid: z.ZodString;
@@ -23,10 +13,10 @@ export declare const ProofMetaSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     did: string;
     kid: string;
-    ts: number;
     nonce: string;
     audience: string;
     sessionId: string;
+    ts: number;
     requestHash: string;
     responseHash: string;
     scopeId?: string | undefined;
@@ -34,10 +24,10 @@ export declare const ProofMetaSchema: z.ZodObject<{
 }, {
     did: string;
     kid: string;
-    ts: number;
     nonce: string;
     audience: string;
     sessionId: string;
+    ts: number;
     requestHash: string;
     responseHash: string;
     scopeId?: string | undefined;
@@ -59,10 +49,10 @@ export declare const DetachedProofSchema: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         did: string;
         kid: string;
-        ts: number;
         nonce: string;
         audience: string;
         sessionId: string;
+        ts: number;
         requestHash: string;
         responseHash: string;
         scopeId?: string | undefined;
@@ -70,10 +60,10 @@ export declare const DetachedProofSchema: z.ZodObject<{
     }, {
         did: string;
         kid: string;
-        ts: number;
         nonce: string;
         audience: string;
         sessionId: string;
+        ts: number;
         requestHash: string;
         responseHash: string;
         scopeId?: string | undefined;
@@ -84,10 +74,10 @@ export declare const DetachedProofSchema: z.ZodObject<{
     meta: {
         did: string;
         kid: string;
-        ts: number;
         nonce: string;
         audience: string;
         sessionId: string;
+        ts: number;
         requestHash: string;
         responseHash: string;
         scopeId?: string | undefined;
@@ -98,10 +88,10 @@ export declare const DetachedProofSchema: z.ZodObject<{
     meta: {
         did: string;
         kid: string;
-        ts: number;
         nonce: string;
         audience: string;
         sessionId: string;
+        ts: number;
         requestHash: string;
         responseHash: string;
         scopeId?: string | undefined;
@@ -130,22 +120,22 @@ export declare const AuditRecordSchema: z.ZodObject<{
     verified: z.ZodEnum<["yes", "no"]>;
     scope: z.ZodString;
 }, "strip", z.ZodTypeAny, {
+    version: "audit.v1";
     did: string;
     kid: string;
-    ts: number;
     audience: string;
-    version: "audit.v1";
+    ts: number;
     session: string;
     reqHash: string;
     resHash: string;
     verified: "yes" | "no";
     scope: string;
 }, {
+    version: "audit.v1";
     did: string;
     kid: string;
-    ts: number;
     audience: string;
-    version: "audit.v1";
+    ts: number;
     session: string;
     reqHash: string;
     resHash: string;
@@ -159,10 +149,6 @@ export type AuditRecord = z.infer<typeof AuditRecordSchema>;
 export declare const JWS_ALGORITHM = "EdDSA";
 export declare const HASH_ALGORITHM = "sha256";
 export declare const AUDIT_VERSION = "audit.v1";
-/**
- * Tool call context for AgentShield dashboard integration
- * Provides plaintext tool execution data alongside cryptographic proofs
- */
 export declare const ToolCallContextSchema: z.ZodObject<{
     tool: z.ZodString;
     args: z.ZodRecord<z.ZodString, z.ZodUnknown>;
@@ -182,10 +168,6 @@ export declare const ToolCallContextSchema: z.ZodObject<{
     result?: unknown;
     userId?: string | undefined;
 }>;
-/**
- * Proof submission context for AgentShield API
- * Includes tool calls and optional MCP server URL for tool discovery
- */
 export declare const ProofSubmissionContextSchema: z.ZodObject<{
     toolCalls: z.ZodArray<z.ZodObject<{
         tool: z.ZodString;
@@ -226,9 +208,6 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
     }[];
     mcpServerUrl?: string | undefined;
 }>;
-/**
- * Complete proof submission request to AgentShield
- */
 export declare const ProofSubmissionRequestSchema: z.ZodObject<{
     session_id: z.ZodString;
     delegation_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
@@ -248,10 +227,10 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
         }, "strip", z.ZodTypeAny, {
             did: string;
             kid: string;
-            ts: number;
             nonce: string;
             audience: string;
             sessionId: string;
+            ts: number;
             requestHash: string;
             responseHash: string;
             scopeId?: string | undefined;
@@ -259,10 +238,10 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
         }, {
             did: string;
             kid: string;
-            ts: number;
             nonce: string;
             audience: string;
             sessionId: string;
+            ts: number;
             requestHash: string;
             responseHash: string;
             scopeId?: string | undefined;
@@ -273,10 +252,10 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
         meta: {
             did: string;
             kid: string;
-            ts: number;
             nonce: string;
             audience: string;
             sessionId: string;
+            ts: number;
             requestHash: string;
             responseHash: string;
             scopeId?: string | undefined;
@@ -287,10 +266,10 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
         meta: {
             did: string;
             kid: string;
-            ts: number;
             nonce: string;
             audience: string;
             sessionId: string;
+            ts: number;
             requestHash: string;
             responseHash: string;
             scopeId?: string | undefined;
@@ -344,10 +323,10 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
         meta: {
             did: string;
             kid: string;
-            ts: number;
             nonce: string;
             audience: string;
             sessionId: string;
+            ts: number;
             requestHash: string;
             responseHash: string;
             scopeId?: string | undefined;
@@ -372,10 +351,10 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
         meta: {
             did: string;
             kid: string;
-            ts: number;
             nonce: string;
             audience: string;
             sessionId: string;
+            ts: number;
             requestHash: string;
             responseHash: string;
             scopeId?: string | undefined;
@@ -397,4 +376,3 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
 export type ToolCallContext = z.infer<typeof ToolCallContextSchema>;
 export type ProofSubmissionContext = z.infer<typeof ProofSubmissionContextSchema>;
 export type ProofSubmissionRequest = z.infer<typeof ProofSubmissionRequestSchema>;
-//# sourceMappingURL=proof.d.ts.map

package/dist/proof.js

@@ -2,16 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ProofSubmissionRequestSchema = exports.ProofSubmissionContextSchema = exports.ToolCallContextSchema = exports.AUDIT_VERSION = exports.HASH_ALGORITHM = exports.JWS_ALGORITHM = exports.AuditRecordSchema = exports.CanonicalHashesSchema = exports.DetachedProofSchema = exports.ProofMetaSchema = void 0;
 const zod_1 = require("zod");
-/**
- * Proof and signature schemas for MCP-I
- *
- * Note: The type name "DetachedProof" is maintained for backward compatibility,
- * but the JWS format is actually FULL compact JWS (header.payload.signature),
- * not detached format (header..signature).
- *
- * The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
- * proof claims (requestHash, responseHash, nonce, etc.).
- */
 exports.ProofMetaSchema = zod_1.z.object({
     did: zod_1.z.string().min(1),
     kid: zod_1.z.string().min(1),
@@ -25,8 +15,8 @@ exports.ProofMetaSchema = zod_1.z.object({
     delegationRef: zod_1.z.string().optional(),
 });
 exports.DetachedProofSchema = zod_1.z.object({
-    jws: zod_1.z.string().min(1), // Full compact JWS format (header.payload.signature)
-    meta: exports.ProofMetaSchema, // Convenience metadata (duplicates signed payload data)
+    jws: zod_1.z.string().min(1),
+    meta: exports.ProofMetaSchema,
 });
 exports.CanonicalHashesSchema = zod_1.z.object({
     requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
@@ -42,16 +32,11 @@ exports.AuditRecordSchema = zod_1.z.object({
     reqHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
     resHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
     verified: zod_1.z.enum(["yes", "no"]),
-    scope: zod_1.z.string().min(1), // "-" for no scope
+    scope: zod_1.z.string().min(1),
 });
-// Constants
 exports.JWS_ALGORITHM = "EdDSA";
 exports.HASH_ALGORITHM = "sha256";
 exports.AUDIT_VERSION = "audit.v1";
-/**
- * Tool call context for AgentShield dashboard integration
- * Provides plaintext tool execution data alongside cryptographic proofs
- */
 exports.ToolCallContextSchema = zod_1.z.object({
     tool: zod_1.z.string().min(1),
     args: zod_1.z.record(zod_1.z.unknown()),
@@ -59,17 +44,10 @@ exports.ToolCallContextSchema = zod_1.z.object({
     scopeId: zod_1.z.string(),
     userId: zod_1.z.string().optional(),
 });
-/**
- * Proof submission context for AgentShield API
- * Includes tool calls and optional MCP server URL for tool discovery
- */
 exports.ProofSubmissionContextSchema = zod_1.z.object({
     toolCalls: zod_1.z.array(exports.ToolCallContextSchema),
     mcpServerUrl: zod_1.z.string().url().optional(),
 });
-/**
- * Complete proof submission request to AgentShield
- */
 exports.ProofSubmissionRequestSchema = zod_1.z.object({
     session_id: zod_1.z.string().min(1),
     delegation_id: zod_1.z.string().nullable().optional(),
@@ -79,4 +57,3 @@ exports.ProofSubmissionRequestSchema = zod_1.z.object({
     })),
     context: exports.ProofSubmissionContextSchema.optional(),
 });
-//# sourceMappingURL=proof.js.map