@kya-os/contracts 1.8.1 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (331) hide show
  1. package/dist/__fixtures__/index.d.ts +8 -0
  2. package/dist/__fixtures__/index.d.ts.map +1 -0
  3. package/dist/__fixtures__/index.js +29 -0
  4. package/dist/__fixtures__/index.js.map +1 -0
  5. package/dist/__fixtures__/proof/ed25519-fixtures.d.ts +253 -0
  6. package/dist/__fixtures__/proof/ed25519-fixtures.d.ts.map +1 -0
  7. package/dist/__fixtures__/proof/ed25519-fixtures.js +247 -0
  8. package/dist/__fixtures__/proof/ed25519-fixtures.js.map +1 -0
  9. package/dist/__fixtures__/proof/keys-and-payloads.json +103 -0
  10. package/dist/agent-deployment-utils.d.ts +1 -0
  11. package/dist/agent-deployment-utils.d.ts.map +1 -0
  12. package/dist/agent-deployment-utils.js +1 -0
  13. package/dist/agent-deployment-utils.js.map +1 -0
  14. package/dist/agent-deployment.d.ts +1 -0
  15. package/dist/agent-deployment.d.ts.map +1 -0
  16. package/dist/agent-deployment.js +1 -0
  17. package/dist/agent-deployment.js.map +1 -0
  18. package/dist/agentshield-api/admin-schemas.d.ts +1 -0
  19. package/dist/agentshield-api/admin-schemas.d.ts.map +1 -0
  20. package/dist/agentshield-api/admin-schemas.js +1 -0
  21. package/dist/agentshield-api/admin-schemas.js.map +1 -0
  22. package/dist/agentshield-api/admin-types.d.ts +1 -0
  23. package/dist/agentshield-api/admin-types.d.ts.map +1 -0
  24. package/dist/agentshield-api/admin-types.js +1 -0
  25. package/dist/agentshield-api/admin-types.js.map +1 -0
  26. package/dist/agentshield-api/endpoints.d.ts +1 -0
  27. package/dist/agentshield-api/endpoints.d.ts.map +1 -0
  28. package/dist/agentshield-api/endpoints.js +1 -0
  29. package/dist/agentshield-api/endpoints.js.map +1 -0
  30. package/dist/agentshield-api/index.d.ts +1 -0
  31. package/dist/agentshield-api/index.d.ts.map +1 -0
  32. package/dist/agentshield-api/index.js.map +1 -0
  33. package/dist/agentshield-api/schemas.d.ts +187 -180
  34. package/dist/agentshield-api/schemas.d.ts.map +1 -0
  35. package/dist/agentshield-api/schemas.js.map +1 -0
  36. package/dist/agentshield-api/types.d.ts +1 -0
  37. package/dist/agentshield-api/types.d.ts.map +1 -0
  38. package/dist/agentshield-api/types.js.map +1 -0
  39. package/dist/audit/index.d.ts +21 -21
  40. package/dist/audit/index.d.ts.map +1 -0
  41. package/dist/audit/index.js.map +1 -0
  42. package/dist/cli.d.ts +1 -0
  43. package/dist/cli.d.ts.map +1 -0
  44. package/dist/cli.js +1 -0
  45. package/dist/cli.js.map +1 -0
  46. package/dist/compute-binding.d.ts +1 -0
  47. package/dist/compute-binding.d.ts.map +1 -0
  48. package/dist/compute-binding.js +1 -0
  49. package/dist/compute-binding.js.map +1 -0
  50. package/dist/compute.d.ts +47 -16
  51. package/dist/compute.d.ts.map +1 -0
  52. package/dist/compute.js +23 -0
  53. package/dist/compute.js.map +1 -0
  54. package/dist/config/base.d.ts +1 -0
  55. package/dist/config/base.d.ts.map +1 -0
  56. package/dist/config/base.js +1 -0
  57. package/dist/config/base.js.map +1 -0
  58. package/dist/config/builder.d.ts +1 -0
  59. package/dist/config/builder.d.ts.map +1 -0
  60. package/dist/config/builder.js +1 -0
  61. package/dist/config/builder.js.map +1 -0
  62. package/dist/config/client-messages.d.ts +1 -0
  63. package/dist/config/client-messages.d.ts.map +1 -0
  64. package/dist/config/client-messages.js +1 -0
  65. package/dist/config/client-messages.js.map +1 -0
  66. package/dist/config/delegation.d.ts +1 -0
  67. package/dist/config/delegation.d.ts.map +1 -0
  68. package/dist/config/delegation.js +1 -0
  69. package/dist/config/delegation.js.map +1 -0
  70. package/dist/config/identity.d.ts +1 -0
  71. package/dist/config/identity.d.ts.map +1 -0
  72. package/dist/config/identity.js +1 -0
  73. package/dist/config/identity.js.map +1 -0
  74. package/dist/config/index.d.ts +1 -0
  75. package/dist/config/index.d.ts.map +1 -0
  76. package/dist/config/index.js +1 -0
  77. package/dist/config/index.js.map +1 -0
  78. package/dist/config/proofing.d.ts +1 -0
  79. package/dist/config/proofing.d.ts.map +1 -0
  80. package/dist/config/proofing.js +1 -0
  81. package/dist/config/proofing.js.map +1 -0
  82. package/dist/config/tool-context.d.ts +1 -0
  83. package/dist/config/tool-context.d.ts.map +1 -0
  84. package/dist/config/tool-context.js +1 -0
  85. package/dist/config/tool-context.js.map +1 -0
  86. package/dist/config/tool-protection.d.ts +1 -0
  87. package/dist/config/tool-protection.d.ts.map +1 -0
  88. package/dist/config/tool-protection.js.map +1 -0
  89. package/dist/consent/index.d.ts.map +1 -0
  90. package/dist/consent/index.js.map +1 -0
  91. package/dist/consent/schemas.d.ts +1 -0
  92. package/dist/consent/schemas.d.ts.map +1 -0
  93. package/dist/consent/schemas.js +1 -0
  94. package/dist/consent/schemas.js.map +1 -0
  95. package/dist/consent/types.d.ts +1 -0
  96. package/dist/consent/types.d.ts.map +1 -0
  97. package/dist/consent/types.js +1 -0
  98. package/dist/consent/types.js.map +1 -0
  99. package/dist/dashboard-config/default-config.d.ts +1 -0
  100. package/dist/dashboard-config/default-config.d.ts.map +1 -0
  101. package/dist/dashboard-config/default-config.js.map +1 -0
  102. package/dist/dashboard-config/index.d.ts +1 -0
  103. package/dist/dashboard-config/index.d.ts.map +1 -0
  104. package/dist/dashboard-config/index.js.map +1 -0
  105. package/dist/dashboard-config/schemas.d.ts +2428 -2428
  106. package/dist/dashboard-config/schemas.d.ts.map +1 -0
  107. package/dist/dashboard-config/schemas.js.map +1 -0
  108. package/dist/dashboard-config/types.d.ts +1 -0
  109. package/dist/dashboard-config/types.d.ts.map +1 -0
  110. package/dist/dashboard-config/types.js.map +1 -0
  111. package/dist/delegation/constraints.d.ts +1 -0
  112. package/dist/delegation/constraints.d.ts.map +1 -0
  113. package/dist/delegation/constraints.js +1 -0
  114. package/dist/delegation/constraints.js.map +1 -0
  115. package/dist/delegation/index.d.ts +1 -0
  116. package/dist/delegation/index.d.ts.map +1 -0
  117. package/dist/delegation/index.js +1 -0
  118. package/dist/delegation/index.js.map +1 -0
  119. package/dist/delegation/schemas.d.ts +1 -0
  120. package/dist/delegation/schemas.d.ts.map +1 -0
  121. package/dist/delegation/schemas.js +1 -0
  122. package/dist/delegation/schemas.js.map +1 -0
  123. package/dist/deploy/index.d.ts +1 -0
  124. package/dist/deploy/index.d.ts.map +1 -0
  125. package/dist/deploy/index.js +1 -0
  126. package/dist/deploy/index.js.map +1 -0
  127. package/dist/deploy/schemas.d.ts +1 -0
  128. package/dist/deploy/schemas.d.ts.map +1 -0
  129. package/dist/deploy/schemas.js +1 -0
  130. package/dist/deploy/schemas.js.map +1 -0
  131. package/dist/deploy/types.d.ts +1 -0
  132. package/dist/deploy/types.d.ts.map +1 -0
  133. package/dist/deploy/types.js +1 -0
  134. package/dist/deploy/types.js.map +1 -0
  135. package/dist/did/index.d.ts +1 -0
  136. package/dist/did/index.d.ts.map +1 -0
  137. package/dist/did/index.js +1 -0
  138. package/dist/did/index.js.map +1 -0
  139. package/dist/did/resolve-contract.d.ts +1 -0
  140. package/dist/did/resolve-contract.d.ts.map +1 -0
  141. package/dist/did/resolve-contract.js +1 -0
  142. package/dist/did/resolve-contract.js.map +1 -0
  143. package/dist/did/schemas.d.ts +1 -0
  144. package/dist/did/schemas.d.ts.map +1 -0
  145. package/dist/did/schemas.js +1 -0
  146. package/dist/did/schemas.js.map +1 -0
  147. package/dist/did/types.d.ts +1 -0
  148. package/dist/did/types.d.ts.map +1 -0
  149. package/dist/did/types.js +1 -0
  150. package/dist/did/types.js.map +1 -0
  151. package/dist/env/constants.d.ts +1 -0
  152. package/dist/env/constants.d.ts.map +1 -0
  153. package/dist/env/constants.js +1 -0
  154. package/dist/env/constants.js.map +1 -0
  155. package/dist/env/index.d.ts +1 -0
  156. package/dist/env/index.d.ts.map +1 -0
  157. package/dist/env/index.js +1 -0
  158. package/dist/env/index.js.map +1 -0
  159. package/dist/gateway/agents.d.ts +1 -0
  160. package/dist/gateway/agents.d.ts.map +1 -0
  161. package/dist/gateway/agents.js +1 -0
  162. package/dist/gateway/agents.js.map +1 -0
  163. package/dist/gateway/cron.d.ts +1 -0
  164. package/dist/gateway/cron.d.ts.map +1 -0
  165. package/dist/gateway/cron.js +1 -0
  166. package/dist/gateway/cron.js.map +1 -0
  167. package/dist/gateway/index.d.ts +1 -0
  168. package/dist/gateway/index.d.ts.map +1 -0
  169. package/dist/gateway/index.js +1 -0
  170. package/dist/gateway/index.js.map +1 -0
  171. package/dist/gateway/sessions.d.ts +1 -0
  172. package/dist/gateway/sessions.d.ts.map +1 -0
  173. package/dist/gateway/sessions.js +1 -0
  174. package/dist/gateway/sessions.js.map +1 -0
  175. package/dist/gateway/skills.d.ts +1 -0
  176. package/dist/gateway/skills.d.ts.map +1 -0
  177. package/dist/gateway/skills.js +1 -0
  178. package/dist/gateway/skills.js.map +1 -0
  179. package/dist/gateway/usage.d.ts +1 -0
  180. package/dist/gateway/usage.d.ts.map +1 -0
  181. package/dist/gateway/usage.js +1 -0
  182. package/dist/gateway/usage.js.map +1 -0
  183. package/dist/handshake.d.ts +28 -27
  184. package/dist/handshake.d.ts.map +1 -0
  185. package/dist/handshake.js +4 -3
  186. package/dist/handshake.js.map +1 -0
  187. package/dist/identity/index.d.ts +1 -0
  188. package/dist/identity/index.d.ts.map +1 -0
  189. package/dist/identity/index.js +1 -0
  190. package/dist/identity/index.js.map +1 -0
  191. package/dist/identity/schemas.d.ts +1 -0
  192. package/dist/identity/schemas.d.ts.map +1 -0
  193. package/dist/identity/schemas.js +1 -0
  194. package/dist/identity/schemas.js.map +1 -0
  195. package/dist/index.d.ts +1 -0
  196. package/dist/index.d.ts.map +1 -0
  197. package/dist/index.js.map +1 -0
  198. package/dist/molti/admin-ws.d.ts +1 -0
  199. package/dist/molti/admin-ws.d.ts.map +1 -0
  200. package/dist/molti/admin-ws.js +1 -0
  201. package/dist/molti/admin-ws.js.map +1 -0
  202. package/dist/molti/index.d.ts +1 -0
  203. package/dist/molti/index.d.ts.map +1 -0
  204. package/dist/molti/index.js +1 -0
  205. package/dist/molti/index.js.map +1 -0
  206. package/dist/molti/schemas.d.ts +1 -0
  207. package/dist/molti/schemas.d.ts.map +1 -0
  208. package/dist/molti/schemas.js +1 -0
  209. package/dist/molti/schemas.js.map +1 -0
  210. package/dist/molti/types.d.ts +1 -0
  211. package/dist/molti/types.d.ts.map +1 -0
  212. package/dist/molti/types.js +1 -0
  213. package/dist/molti/types.js.map +1 -0
  214. package/dist/openclaw/index.d.ts +20 -0
  215. package/dist/openclaw/index.js +28 -0
  216. package/dist/openclaw/types.d.ts +714 -0
  217. package/dist/openclaw/types.js +122 -0
  218. package/dist/org-secret-definitions.d.ts +18 -0
  219. package/dist/org-secret-definitions.js +72 -0
  220. package/dist/pairing/index.d.ts +1 -0
  221. package/dist/pairing/index.d.ts.map +1 -0
  222. package/dist/pairing/index.js +1 -0
  223. package/dist/pairing/index.js.map +1 -0
  224. package/dist/policy/index.d.ts +1 -0
  225. package/dist/policy/index.d.ts.map +1 -0
  226. package/dist/policy/index.js +1 -0
  227. package/dist/policy/index.js.map +1 -0
  228. package/dist/policy/schemas.d.ts +1 -0
  229. package/dist/policy/schemas.d.ts.map +1 -0
  230. package/dist/policy/schemas.js +1 -0
  231. package/dist/policy/schemas.js.map +1 -0
  232. package/dist/proof/index.d.ts +3 -3
  233. package/dist/proof/index.d.ts.map +1 -0
  234. package/dist/proof/index.js +2 -1
  235. package/dist/proof/index.js.map +1 -0
  236. package/dist/proof/proof-record.d.ts +1 -0
  237. package/dist/proof/proof-record.d.ts.map +1 -0
  238. package/dist/proof/proof-record.js +1 -0
  239. package/dist/proof/proof-record.js.map +1 -0
  240. package/dist/proof/signing-spec.d.ts +1 -0
  241. package/dist/proof/signing-spec.d.ts.map +1 -0
  242. package/dist/proof/signing-spec.js +1 -0
  243. package/dist/proof/signing-spec.js.map +1 -0
  244. package/dist/proof.d.ts +86 -54
  245. package/dist/proof.d.ts.map +1 -0
  246. package/dist/proof.js +29 -1
  247. package/dist/proof.js.map +1 -0
  248. package/dist/registry.d.ts +1 -0
  249. package/dist/registry.d.ts.map +1 -0
  250. package/dist/registry.js +1 -0
  251. package/dist/registry.js.map +1 -0
  252. package/dist/reputation/api.d.ts +1 -0
  253. package/dist/reputation/api.d.ts.map +1 -0
  254. package/dist/reputation/api.js +1 -0
  255. package/dist/reputation/api.js.map +1 -0
  256. package/dist/reputation/constants.d.ts +1 -0
  257. package/dist/reputation/constants.d.ts.map +1 -0
  258. package/dist/reputation/constants.js +1 -0
  259. package/dist/reputation/constants.js.map +1 -0
  260. package/dist/reputation/credentials.d.ts +1 -0
  261. package/dist/reputation/credentials.d.ts.map +1 -0
  262. package/dist/reputation/credentials.js +1 -0
  263. package/dist/reputation/credentials.js.map +1 -0
  264. package/dist/reputation/index.d.ts +1 -0
  265. package/dist/reputation/index.d.ts.map +1 -0
  266. package/dist/reputation/index.js +1 -0
  267. package/dist/reputation/index.js.map +1 -0
  268. package/dist/reputation/schemas.d.ts +1 -0
  269. package/dist/reputation/schemas.d.ts.map +1 -0
  270. package/dist/reputation/schemas.js +1 -0
  271. package/dist/reputation/schemas.js.map +1 -0
  272. package/dist/runtime/errors.d.ts +1 -0
  273. package/dist/runtime/errors.d.ts.map +1 -0
  274. package/dist/runtime/errors.js +1 -0
  275. package/dist/runtime/errors.js.map +1 -0
  276. package/dist/runtime/headers.d.ts +16 -12
  277. package/dist/runtime/headers.d.ts.map +1 -0
  278. package/dist/runtime/headers.js +16 -12
  279. package/dist/runtime/headers.js.map +1 -0
  280. package/dist/runtime/index.d.ts +1 -0
  281. package/dist/runtime/index.d.ts.map +1 -0
  282. package/dist/runtime/index.js.map +1 -0
  283. package/dist/test.d.ts +1 -0
  284. package/dist/test.d.ts.map +1 -0
  285. package/dist/test.js +1 -0
  286. package/dist/test.js.map +1 -0
  287. package/dist/tlkrc/index.d.ts +1 -0
  288. package/dist/tlkrc/index.d.ts.map +1 -0
  289. package/dist/tlkrc/index.js +1 -0
  290. package/dist/tlkrc/index.js.map +1 -0
  291. package/dist/tlkrc/rotation.d.ts +1 -0
  292. package/dist/tlkrc/rotation.d.ts.map +1 -0
  293. package/dist/tlkrc/rotation.js +1 -0
  294. package/dist/tlkrc/rotation.js.map +1 -0
  295. package/dist/tool-protection/index.d.ts +36 -36
  296. package/dist/tool-protection/index.d.ts.map +1 -0
  297. package/dist/tool-protection/index.js.map +1 -0
  298. package/dist/utils/validation.d.ts +1 -0
  299. package/dist/utils/validation.d.ts.map +1 -0
  300. package/dist/utils/validation.js +1 -0
  301. package/dist/utils/validation.js.map +1 -0
  302. package/dist/vault/schemas.d.ts +2 -2
  303. package/dist/vc/index.d.ts +1 -0
  304. package/dist/vc/index.d.ts.map +1 -0
  305. package/dist/vc/index.js +1 -0
  306. package/dist/vc/index.js.map +1 -0
  307. package/dist/vc/schemas.d.ts +1 -0
  308. package/dist/vc/schemas.d.ts.map +1 -0
  309. package/dist/vc/schemas.js +1 -0
  310. package/dist/vc/schemas.js.map +1 -0
  311. package/dist/vc/statuslist.d.ts +1 -0
  312. package/dist/vc/statuslist.d.ts.map +1 -0
  313. package/dist/vc/statuslist.js +1 -0
  314. package/dist/vc/statuslist.js.map +1 -0
  315. package/dist/verifier/index.d.ts +1 -0
  316. package/dist/verifier/index.d.ts.map +1 -0
  317. package/dist/verifier/index.js.map +1 -0
  318. package/dist/verifier.d.ts +26 -15
  319. package/dist/verifier.d.ts.map +1 -0
  320. package/dist/verifier.js +20 -9
  321. package/dist/verifier.js.map +1 -0
  322. package/dist/well-known/index.d.ts +1 -0
  323. package/dist/well-known/index.d.ts.map +1 -0
  324. package/dist/well-known/index.js +1 -0
  325. package/dist/well-known/index.js.map +1 -0
  326. package/package.json +2 -1
  327. package/parity-vectors/delegation-conformance.json +265 -0
  328. package/parity-vectors/did-key.json +134 -0
  329. package/parity-vectors/index.ts +253 -0
  330. package/parity-vectors/scope-matching.json +330 -0
  331. package/parity-vectors/vc-jwt.json +210 -0
@@ -0,0 +1,330 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "name": "Scope matching test vectors",
4
+ "description": "Test vectors for delegation scope matching parity between TypeScript and Rust",
5
+ "version": "1.0.0",
6
+ "vectors": [
7
+ {
8
+ "id": "exact-match",
9
+ "description": "Exact scope match",
10
+ "input": {
11
+ "requested": "read:email",
12
+ "granted": ["read:email"]
13
+ },
14
+ "expected": {
15
+ "permitted": true,
16
+ "matchType": "exact",
17
+ "matchedBy": "read:email"
18
+ }
19
+ },
20
+ {
21
+ "id": "exact-no-match",
22
+ "description": "Exact scope does not match",
23
+ "input": {
24
+ "requested": "write:email",
25
+ "granted": ["read:email"]
26
+ },
27
+ "expected": {
28
+ "permitted": false,
29
+ "matchType": "none",
30
+ "matchedBy": null
31
+ }
32
+ },
33
+ {
34
+ "id": "full-access",
35
+ "description": "Full access wildcard matches anything",
36
+ "input": {
37
+ "requested": "any:thing:at:all",
38
+ "granted": ["*"]
39
+ },
40
+ "expected": {
41
+ "permitted": true,
42
+ "matchType": "fullAccess",
43
+ "matchedBy": "*"
44
+ }
45
+ },
46
+ {
47
+ "id": "wildcard-action",
48
+ "description": "Wildcard action matches any action in resource",
49
+ "input": {
50
+ "requested": "read:email",
51
+ "granted": ["read:*"]
52
+ },
53
+ "expected": {
54
+ "permitted": true,
55
+ "matchType": "wildcard",
56
+ "matchedBy": "read:*"
57
+ }
58
+ },
59
+ {
60
+ "id": "wildcard-resource",
61
+ "description": "Wildcard resource matches any resource for action",
62
+ "input": {
63
+ "requested": "read:email",
64
+ "granted": ["*:email"]
65
+ },
66
+ "expected": {
67
+ "permitted": true,
68
+ "matchType": "wildcard",
69
+ "matchedBy": "*:email"
70
+ }
71
+ },
72
+ {
73
+ "id": "wildcard-depth-mismatch",
74
+ "description": "Wildcard does not match different depth",
75
+ "input": {
76
+ "requested": "read:email:inbox",
77
+ "granted": ["read:*"]
78
+ },
79
+ "expected": {
80
+ "permitted": false,
81
+ "matchType": "none",
82
+ "matchedBy": null
83
+ }
84
+ },
85
+ {
86
+ "id": "prefix-match-three-segments",
87
+ "description": "Prefix match with trailing wildcard (3 segments)",
88
+ "input": {
89
+ "requested": "read:email:inbox",
90
+ "granted": ["read:email:*"]
91
+ },
92
+ "expected": {
93
+ "permitted": true,
94
+ "matchType": "prefix",
95
+ "matchedBy": "read:email:*"
96
+ }
97
+ },
98
+ {
99
+ "id": "prefix-match-four-segments",
100
+ "description": "Prefix match with trailing wildcard (4 segments)",
101
+ "input": {
102
+ "requested": "read:email:inbox:unread",
103
+ "granted": ["read:email:inbox:*"]
104
+ },
105
+ "expected": {
106
+ "permitted": true,
107
+ "matchType": "prefix",
108
+ "matchedBy": "read:email:inbox:*"
109
+ }
110
+ },
111
+ {
112
+ "id": "deep-prefix-one-level",
113
+ "description": "Deep prefix wildcard matches one level below",
114
+ "input": {
115
+ "requested": "read:email",
116
+ "granted": ["read:**"]
117
+ },
118
+ "expected": {
119
+ "permitted": true,
120
+ "matchType": "prefix",
121
+ "matchedBy": "read:**"
122
+ }
123
+ },
124
+ {
125
+ "id": "deep-prefix-two-levels",
126
+ "description": "Deep prefix wildcard matches two levels below",
127
+ "input": {
128
+ "requested": "read:email:inbox",
129
+ "granted": ["read:**"]
130
+ },
131
+ "expected": {
132
+ "permitted": true,
133
+ "matchType": "prefix",
134
+ "matchedBy": "read:**"
135
+ }
136
+ },
137
+ {
138
+ "id": "deep-prefix-many-levels",
139
+ "description": "Deep prefix wildcard matches many levels below",
140
+ "input": {
141
+ "requested": "read:email:inbox:unread:important",
142
+ "granted": ["read:**"]
143
+ },
144
+ "expected": {
145
+ "permitted": true,
146
+ "matchType": "prefix",
147
+ "matchedBy": "read:**"
148
+ }
149
+ },
150
+ {
151
+ "id": "deep-prefix-no-self-match",
152
+ "description": "Deep prefix wildcard does NOT match same level (strictly below)",
153
+ "input": {
154
+ "requested": "read",
155
+ "granted": ["read:**"]
156
+ },
157
+ "expected": {
158
+ "permitted": false,
159
+ "matchType": "none",
160
+ "matchedBy": null
161
+ }
162
+ },
163
+ {
164
+ "id": "deep-prefix-wrong-prefix",
165
+ "description": "Deep prefix wildcard does not match wrong prefix",
166
+ "input": {
167
+ "requested": "write:email",
168
+ "granted": ["read:**"]
169
+ },
170
+ "expected": {
171
+ "permitted": false,
172
+ "matchType": "none",
173
+ "matchedBy": null
174
+ }
175
+ },
176
+ {
177
+ "id": "multiple-scopes-first-match",
178
+ "description": "Multiple granted scopes, first match wins",
179
+ "input": {
180
+ "requested": "read:email",
181
+ "granted": ["write:calendar", "read:email"]
182
+ },
183
+ "expected": {
184
+ "permitted": true,
185
+ "matchType": "exact",
186
+ "matchedBy": "read:email"
187
+ }
188
+ },
189
+ {
190
+ "id": "multiple-scopes-full-access-wins",
191
+ "description": "Full access wins when present",
192
+ "input": {
193
+ "requested": "read:email",
194
+ "granted": ["write:calendar", "*"]
195
+ },
196
+ "expected": {
197
+ "permitted": true,
198
+ "matchType": "fullAccess",
199
+ "matchedBy": "*"
200
+ }
201
+ },
202
+ {
203
+ "id": "empty-scope-error",
204
+ "description": "Empty scope should error",
205
+ "input": {
206
+ "requested": "",
207
+ "granted": ["read:email"]
208
+ },
209
+ "expected": {
210
+ "permitted": false,
211
+ "error": true,
212
+ "errorType": "EmptyScope"
213
+ }
214
+ },
215
+ {
216
+ "id": "wildcard-middle-segment",
217
+ "description": "Wildcard in middle segment",
218
+ "input": {
219
+ "requested": "read:email:inbox",
220
+ "granted": ["read:*:inbox"]
221
+ },
222
+ "expected": {
223
+ "permitted": true,
224
+ "matchType": "wildcard",
225
+ "matchedBy": "read:*:inbox"
226
+ }
227
+ },
228
+ {
229
+ "id": "wildcard-first-segment",
230
+ "description": "Wildcard in first segment",
231
+ "input": {
232
+ "requested": "read:email:inbox",
233
+ "granted": ["*:email:inbox"]
234
+ },
235
+ "expected": {
236
+ "permitted": true,
237
+ "matchType": "wildcard",
238
+ "matchedBy": "*:email:inbox"
239
+ }
240
+ },
241
+ {
242
+ "id": "empty-granted-no-match",
243
+ "description": "No granted scopes means no match",
244
+ "input": {
245
+ "requested": "read:email",
246
+ "granted": []
247
+ },
248
+ "expected": {
249
+ "permitted": false,
250
+ "matchType": "none",
251
+ "matchedBy": null
252
+ }
253
+ },
254
+ {
255
+ "id": "single-segment-scope",
256
+ "description": "Single segment scope exact match",
257
+ "input": {
258
+ "requested": "admin",
259
+ "granted": ["admin"]
260
+ },
261
+ "expected": {
262
+ "permitted": true,
263
+ "matchType": "exact",
264
+ "matchedBy": "admin"
265
+ }
266
+ }
267
+ ],
268
+ "timeBoundaryVectors": [
269
+ {
270
+ "id": "valid-time-window",
271
+ "description": "Current time within valid window",
272
+ "input": {
273
+ "requested": "read:email",
274
+ "granted": ["read:email"],
275
+ "notBefore": 1704067200,
276
+ "notAfter": 1767225600,
277
+ "currentTime": 1735689600
278
+ },
279
+ "expected": {
280
+ "permitted": true
281
+ }
282
+ },
283
+ {
284
+ "id": "expired-delegation",
285
+ "description": "Current time after notAfter",
286
+ "input": {
287
+ "requested": "read:email",
288
+ "granted": ["read:email"],
289
+ "notBefore": null,
290
+ "notAfter": 1704067200,
291
+ "currentTime": 1735689600
292
+ },
293
+ "expected": {
294
+ "permitted": false,
295
+ "error": true,
296
+ "errorType": "Expired"
297
+ }
298
+ },
299
+ {
300
+ "id": "not-yet-valid",
301
+ "description": "Current time before notBefore",
302
+ "input": {
303
+ "requested": "read:email",
304
+ "granted": ["read:email"],
305
+ "notBefore": 1735689600,
306
+ "notAfter": null,
307
+ "currentTime": 1704067200
308
+ },
309
+ "expected": {
310
+ "permitted": false,
311
+ "error": true,
312
+ "errorType": "NotYetValid"
313
+ }
314
+ },
315
+ {
316
+ "id": "skip-time-check",
317
+ "description": "Time check skipped when currentTime is 0",
318
+ "input": {
319
+ "requested": "read:email",
320
+ "granted": ["read:email"],
321
+ "notBefore": 9999999999,
322
+ "notAfter": 1,
323
+ "currentTime": 0
324
+ },
325
+ "expected": {
326
+ "permitted": true
327
+ }
328
+ }
329
+ ]
330
+ }
@@ -0,0 +1,210 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "name": "VC-JWT verification test vectors",
4
+ "description": "Test vectors for VC-JWT parsing and verification parity between TypeScript and Rust",
5
+ "version": "1.0.0",
6
+ "vectors": [
7
+ {
8
+ "id": "valid-jwt-parse",
9
+ "description": "Parse a valid JWT structure",
10
+ "input": {
11
+ "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtoYVhnQlpEdm90RGtMNTI1N2ZhaXp0aUdpQzJRdEtMR3Bibm5FR3RhMmRvSyIsInN1YiI6ImRpZDprZXk6ejZNa2hhWGdCWkR2b3REa0w1MjU3ZmFpenRpR2lDMlF0S0xHcGJubkVHdGEyZG9LIiwiYXVkIjoidGVzdC1hdWRpZW5jZSIsImlhdCI6MTcwNDA2NzIwMH0.signature-placeholder"
12
+ },
13
+ "expected": {
14
+ "success": true,
15
+ "header": {
16
+ "alg": "EdDSA",
17
+ "typ": "JWT"
18
+ },
19
+ "payload": {
20
+ "iss": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
21
+ "sub": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
22
+ "aud": "test-audience"
23
+ }
24
+ }
25
+ },
26
+ {
27
+ "id": "valid-jwt-no-typ",
28
+ "description": "Parse JWT without typ header (allowed)",
29
+ "input": {
30
+ "jwt": "eyJhbGciOiJFZERTQSJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtoYVhnQlpEdm90RGtMNTI1N2ZhaXp0aUdpQzJRdEtMR3Bibm5FR3RhMmRvSyJ9.signature"
31
+ },
32
+ "expected": {
33
+ "success": true,
34
+ "header": {
35
+ "alg": "EdDSA",
36
+ "typ": null
37
+ }
38
+ }
39
+ },
40
+ {
41
+ "id": "valid-jwt-typ-lowercase",
42
+ "description": "Parse JWT with lowercase typ (allowed)",
43
+ "input": {
44
+ "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6Imp3dCJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtoYVhnQlpEdm90RGtMNTI1N2ZhaXp0aUdpQzJRdEtMR3Bibm5FR3RhMmRvSyJ9.signature"
45
+ },
46
+ "expected": {
47
+ "success": true,
48
+ "header": {
49
+ "alg": "EdDSA",
50
+ "typ": "jwt"
51
+ }
52
+ }
53
+ },
54
+ {
55
+ "id": "invalid-wrong-algorithm",
56
+ "description": "Reject JWT with wrong algorithm",
57
+ "input": {
58
+ "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWsiLCJzdWIiOiJ0ZXN0In0.signature"
59
+ },
60
+ "expected": {
61
+ "success": false,
62
+ "errorType": "WrongAlgorithm",
63
+ "errorMessage": "Expected EdDSA, got RS256"
64
+ }
65
+ },
66
+ {
67
+ "id": "invalid-wrong-type",
68
+ "description": "Reject JWT with wrong type",
69
+ "input": {
70
+ "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXRSJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWsiLCJzdWIiOiJ0ZXN0In0.signature"
71
+ },
72
+ "expected": {
73
+ "success": false,
74
+ "errorType": "WrongType",
75
+ "errorMessage": "Expected JWT, got JWE"
76
+ }
77
+ },
78
+ {
79
+ "id": "invalid-malformed-not-three-parts",
80
+ "description": "Reject malformed JWT (not 3 parts)",
81
+ "input": {
82
+ "jwt": "header.payload"
83
+ },
84
+ "expected": {
85
+ "success": false,
86
+ "errorType": "InvalidFormat",
87
+ "errorMessage": "JWT must have 3 parts"
88
+ }
89
+ },
90
+ {
91
+ "id": "invalid-malformed-empty",
92
+ "description": "Reject empty JWT",
93
+ "input": {
94
+ "jwt": ""
95
+ },
96
+ "expected": {
97
+ "success": false,
98
+ "errorType": "InvalidFormat"
99
+ }
100
+ },
101
+ {
102
+ "id": "invalid-malformed-too-many-parts",
103
+ "description": "Reject JWT with too many parts",
104
+ "input": {
105
+ "jwt": "a.b.c.d"
106
+ },
107
+ "expected": {
108
+ "success": false,
109
+ "errorType": "InvalidFormat",
110
+ "errorMessage": "JWT must have 3 parts"
111
+ }
112
+ },
113
+ {
114
+ "id": "invalid-bad-base64-header",
115
+ "description": "Reject JWT with invalid base64 in header",
116
+ "input": {
117
+ "jwt": "not-valid-base64!!!.eyJpc3MiOiJ0ZXN0In0.signature"
118
+ },
119
+ "expected": {
120
+ "success": false,
121
+ "errorType": "InvalidBase64"
122
+ }
123
+ },
124
+ {
125
+ "id": "invalid-bad-json-header",
126
+ "description": "Reject JWT with invalid JSON in header",
127
+ "input": {
128
+ "jwt": "bm90LWpzb24.eyJpc3MiOiJ0ZXN0In0.signature"
129
+ },
130
+ "expected": {
131
+ "success": false,
132
+ "errorType": "InvalidJson"
133
+ }
134
+ },
135
+ {
136
+ "id": "valid-extract-issuer-string",
137
+ "description": "Extract issuer from JWT payload (string format)",
138
+ "input": {
139
+ "jwt": "eyJhbGciOiJFZERTQSJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtoYVhnQlpEdm90RGtMNTI1N2ZhaXp0aUdpQzJRdEtMR3Bibm5FR3RhMmRvSyJ9.sig"
140
+ },
141
+ "expected": {
142
+ "success": true,
143
+ "issuer": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
144
+ }
145
+ },
146
+ {
147
+ "id": "valid-extract-issuer-object",
148
+ "description": "Extract issuer from JWT payload (object format with id)",
149
+ "input": {
150
+ "jwt": "eyJhbGciOiJFZERTQSJ9.eyJpc3MiOnsiaWQiOiJkaWQ6a2V5Ono2TWtoYVhnQlpEdm90RGtMNTI1N2ZhaXp0aUdpQzJRdEtMR3Bibm5FR3RhMmRvSyJ9fQ.sig"
151
+ },
152
+ "expected": {
153
+ "success": true,
154
+ "issuer": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
155
+ }
156
+ },
157
+ {
158
+ "id": "invalid-missing-issuer",
159
+ "description": "Reject JWT without issuer",
160
+ "input": {
161
+ "jwt": "eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJ0ZXN0In0.signature"
162
+ },
163
+ "expected": {
164
+ "success": false,
165
+ "errorType": "MissingIssuer"
166
+ }
167
+ }
168
+ ],
169
+ "signatureVerificationVectors": [
170
+ {
171
+ "id": "verify-valid-signature",
172
+ "description": "Verify a JWT with valid Ed25519 signature",
173
+ "input": {
174
+ "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWtoYVhnQlpEdm90RGtMNTI1N2ZhaXp0aUdpQzJRdEtMR3Bibm5FR3RhMmRvSyIsInN1YiI6InRlc3QiLCJpYXQiOjE3MDQwNjcyMDB9.ACTUAL_SIGNATURE_NEEDED",
175
+ "publicKeyHex": "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
176
+ },
177
+ "expected": {
178
+ "success": true,
179
+ "verified": true
180
+ },
181
+ "note": "This vector requires generating a real signature for end-to-end testing"
182
+ },
183
+ {
184
+ "id": "verify-invalid-signature",
185
+ "description": "Reject JWT with invalid signature",
186
+ "input": {
187
+ "jwt": "eyJhbGciOiJFZERTQSJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWsiLCJzdWIiOiJ0ZXN0In0.aW52YWxpZC1zaWduYXR1cmU",
188
+ "publicKeyHex": "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
189
+ },
190
+ "expected": {
191
+ "success": false,
192
+ "verified": false,
193
+ "errorType": "InvalidSignature"
194
+ }
195
+ },
196
+ {
197
+ "id": "verify-wrong-public-key",
198
+ "description": "Reject JWT verified with wrong public key",
199
+ "input": {
200
+ "jwt": "eyJhbGciOiJFZERTQSJ9.eyJpc3MiOiJkaWQ6a2V5Ono2TWsiLCJzdWIiOiJ0ZXN0In0.some-signature",
201
+ "publicKeyHex": "0000000000000000000000000000000000000000000000000000000000000000"
202
+ },
203
+ "expected": {
204
+ "success": false,
205
+ "verified": false,
206
+ "errorType": "InvalidSignature"
207
+ }
208
+ }
209
+ ]
210
+ }