@kya-os/mcp-i-core 1.0.0 → 1.1.1-canary.0

package/dist/delegation/utils.js

@@ -0,0 +1,48 @@
+"use strict";
+/**
+ * Delegation Utilities
+ *
+ * Shared utility functions for delegation credential operations.
+ * Following DRY (Don't Repeat Yourself) principle.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.canonicalizeJSON = canonicalizeJSON;
+/**
+ * JSON canonicalization (RFC 8785)
+ *
+ * Creates a deterministic representation of JSON for signing.
+ * Per W3C VC spec, canonicalization ensures identical VCs produce identical signatures.
+ *
+ * DRY: Single implementation shared across vc-issuer and statuslist-manager.
+ *
+ * @param obj - The object to canonicalize
+ * @returns Canonical JSON string
+ */
+function canonicalizeJSON(obj) {
+    if (obj === null)
+        return 'null';
+    if (typeof obj === 'boolean')
+        return obj.toString();
+    if (typeof obj === 'number') {
+        if (!isFinite(obj)) {
+            throw new Error('Cannot canonicalize non-finite number');
+        }
+        return JSON.stringify(obj);
+    }
+    if (typeof obj === 'string')
+        return JSON.stringify(obj);
+    if (Array.isArray(obj)) {
+        const elements = obj.map((item) => canonicalizeJSON(item));
+        return '[' + elements.join(',') + ']';
+    }
+    if (typeof obj === 'object') {
+        const keys = Object.keys(obj).sort();
+        const pairs = keys.map((key) => {
+            const value = canonicalizeJSON(obj[key]);
+            return JSON.stringify(key) + ':' + value;
+        });
+        return '{' + pairs.join(',') + '}';
+    }
+    throw new Error(`Cannot canonicalize type: ${typeof obj}`);
+}
+//# sourceMappingURL=utils.js.map

package/dist/delegation/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/delegation/utils.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAaH,4CAuBC;AAlCD;;;;;;;;;;GAUG;AACH,SAAgB,gBAAgB,CAAC,GAAQ;IACvC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,OAAO,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACpD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3D,OAAO,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAC7B,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,KAAK,CAAC;QAC3C,CAAC,CAAC,CAAC;QACH,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACrC,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,GAAG,EAAE,CAAC,CAAC;AAC7D,CAAC"}

package/dist/delegation/vc-issuer.d.ts

@@ -0,0 +1,135 @@
+/**
+ * Delegation Credential Issuer (Platform-Agnostic)
+ *
+ * Issues W3C Verifiable Credentials for delegations with Ed25519 signatures.
+ * Follows the Python POC design (Delegation-Service.md:136-163) where
+ * delegations are issued AS W3C VCs.
+ *
+ * Related Spec: MCP-I §4.1, §4.2, W3C VC Data Model 1.1
+ * Python Reference: Delegation-Service.md
+ */
+import type { DelegationCredential, DelegationRecord, CredentialStatus, Proof } from '@kya-os/contracts';
+/**
+ * Options for issuing a delegation credential
+ */
+export interface IssueDelegationOptions {
+    /** VC ID (optional, will be generated if not provided) */
+    id?: string;
+    /** Issuance date (optional, defaults to now) */
+    issuanceDate?: string;
+    /** Expiration date (optional, derived from constraints if not provided) */
+    expirationDate?: string;
+    /** Credential status for StatusList2021 (optional) */
+    credentialStatus?: CredentialStatus;
+    /** Additional context URIs (optional) */
+    additionalContexts?: string[];
+}
+/**
+ * Signing function interface
+ *
+ * Platform-specific implementations provide this function to sign VCs.
+ * For example:
+ * - Node.js: Uses jose library with importPKCS8
+ * - Cloudflare: Uses Web Crypto API
+ */
+export interface VCSigningFunction {
+    /**
+     * Sign a canonicalized VC
+     *
+     * @param canonicalVC - The canonical JSON string to sign
+     * @param issuerDid - The DID of the issuer
+     * @param kid - The key ID
+     * @returns Ed25519Signature2020 proof
+     */
+    (canonicalVC: string, issuerDid: string, kid: string): Promise<Proof>;
+}
+/**
+ * Identity provider interface
+ *
+ * Platform-specific implementations provide identity details.
+ */
+export interface IdentityProvider {
+    /** Get the DID of this identity */
+    getDid(): string;
+    /** Get the key ID of this identity */
+    getKeyId(): string;
+    /** Get the private key (base64 encoded) */
+    getPrivateKey(): string;
+}
+/**
+ * Delegation Credential Issuer (Platform-Agnostic)
+ *
+ * Issues W3C Verifiable Credentials for delegations.
+ * Per Python POC (Delegation-Service.md:136-146):
+ * - Every delegation MUST be issued as a VC
+ * - VC is signed with Ed25519 (Ed25519Signature2020)
+ * - StatusList2021 support for efficient revocation
+ */
+export declare class DelegationCredentialIssuer {
+    private identity;
+    private signingFunction;
+    constructor(identity: IdentityProvider, signingFunction: VCSigningFunction);
+    /**
+     * Issue a delegation credential
+     *
+     * Creates a W3C Verifiable Credential from a delegation record.
+     * Signs it with Ed25519 and returns the complete DelegationCredential.
+     *
+     * @param delegation - The delegation record to issue as a VC
+     * @param options - Issuance options
+     * @returns Signed DelegationCredential
+     */
+    issueDelegationCredential(delegation: DelegationRecord, options?: IssueDelegationOptions): Promise<DelegationCredential>;
+    /**
+     * Create a delegation record and issue it as a VC in one step
+     *
+     * Convenience method for creating a new delegation from scratch.
+     *
+     * @param params - Delegation parameters
+     * @param options - Issuance options
+     * @returns Signed DelegationCredential
+     */
+    createAndIssueDelegation(params: {
+        id: string;
+        issuerDid: string;
+        subjectDid: string;
+        controller?: string;
+        parentId?: string;
+        constraints: DelegationRecord['constraints'];
+        status?: DelegationRecord['status'];
+        metadata?: Record<string, any>;
+    }, options?: IssueDelegationOptions): Promise<DelegationCredential>;
+    /**
+     * Canonicalize VC for signing
+     *
+     * Uses JCS (JSON Canonicalization Scheme, RFC 8785) to create
+     * a deterministic representation of the VC.
+     *
+     * @param vc - The unsigned VC
+     * @returns Canonical JSON string
+     */
+    private canonicalizeVC;
+    /**
+     * Get issuer DID
+     *
+     * @returns The DID of this issuer
+     */
+    getIssuerDid(): string;
+    /**
+     * Get issuer key ID
+     *
+     * @returns The key ID of this issuer
+     */
+    getIssuerKeyId(): string;
+}
+/**
+ * Create a delegation credential issuer
+ *
+ * Convenience factory function.
+ *
+ * @param identity - Identity provider
+ * @param signingFunction - Platform-specific signing function
+ * @returns DelegationCredentialIssuer instance
+ */
+export declare function createDelegationIssuer(identity: IdentityProvider, signingFunction: VCSigningFunction): DelegationCredentialIssuer;
+//# sourceMappingURL=vc-issuer.d.ts.map

package/dist/delegation/vc-issuer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vc-issuer.d.ts","sourceRoot":"","sources":["../../src/delegation/vc-issuer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,KAAK,EACN,MAAM,mBAAmB,CAAC;AAI3B;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,0DAA0D;IAC1D,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,2EAA2E;IAC3E,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,sDAAsD;IACtD,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC,yCAAyC;IACzC,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;;;;OAOG;IACH,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;CACvE;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mCAAmC;IACnC,MAAM,IAAI,MAAM,CAAC;IAEjB,sCAAsC;IACtC,QAAQ,IAAI,MAAM,CAAC;IAEnB,2CAA2C;IAC3C,aAAa,IAAI,MAAM,CAAC;CACzB;AAED;;;;;;;;GAQG;AACH,qBAAa,0BAA0B;IAEnC,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,eAAe;gBADf,QAAQ,EAAE,gBAAgB,EAC1B,eAAe,EAAE,iBAAiB;IAG5C;;;;;;;;;OASG;IACG,yBAAyB,CAC7B,UAAU,EAAE,gBAAgB,EAC5B,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,oBAAoB,CAAC;IAqChC;;;;;;;;OAQG;IACG,wBAAwB,CAC5B,MAAM,EAAE;QACN,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAC;QAC7C,MAAM,CAAC,EAAE,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACpC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAChC,EACD,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,oBAAoB,CAAC;IAsBhC;;;;;;;;OAQG;IACH,OAAO,CAAC,cAAc;IAKtB;;;;OAIG;IACH,YAAY,IAAI,MAAM;IAItB;;;;OAIG;IACH,cAAc,IAAI,MAAM;CAGzB;AAED;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,gBAAgB,EAC1B,eAAe,EAAE,iBAAiB,GACjC,0BAA0B,CAE5B"}

package/dist/delegation/vc-issuer.js

@@ -0,0 +1,140 @@
+"use strict";
+/**
+ * Delegation Credential Issuer (Platform-Agnostic)
+ *
+ * Issues W3C Verifiable Credentials for delegations with Ed25519 signatures.
+ * Follows the Python POC design (Delegation-Service.md:136-163) where
+ * delegations are issued AS W3C VCs.
+ *
+ * Related Spec: MCP-I §4.1, §4.2, W3C VC Data Model 1.1
+ * Python Reference: Delegation-Service.md
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DelegationCredentialIssuer = void 0;
+exports.createDelegationIssuer = createDelegationIssuer;
+const contracts_1 = require("@kya-os/contracts");
+const utils_1 = require("./utils");
+/**
+ * Delegation Credential Issuer (Platform-Agnostic)
+ *
+ * Issues W3C Verifiable Credentials for delegations.
+ * Per Python POC (Delegation-Service.md:136-146):
+ * - Every delegation MUST be issued as a VC
+ * - VC is signed with Ed25519 (Ed25519Signature2020)
+ * - StatusList2021 support for efficient revocation
+ */
+class DelegationCredentialIssuer {
+    identity;
+    signingFunction;
+    constructor(identity, signingFunction) {
+        this.identity = identity;
+        this.signingFunction = signingFunction;
+    }
+    /**
+     * Issue a delegation credential
+     *
+     * Creates a W3C Verifiable Credential from a delegation record.
+     * Signs it with Ed25519 and returns the complete DelegationCredential.
+     *
+     * @param delegation - The delegation record to issue as a VC
+     * @param options - Issuance options
+     * @returns Signed DelegationCredential
+     */
+    async issueDelegationCredential(delegation, options = {}) {
+        // Step 1: Create unsigned VC
+        let unsignedVC = (0, contracts_1.wrapDelegationAsVC)(delegation, {
+            id: options.id,
+            issuanceDate: options.issuanceDate,
+            expirationDate: options.expirationDate,
+            credentialStatus: options.credentialStatus,
+        });
+        // Add additional contexts if provided
+        if (options.additionalContexts && options.additionalContexts.length > 0) {
+            const existingContexts = unsignedVC['@context'];
+            unsignedVC = {
+                ...unsignedVC,
+                '@context': [...existingContexts, ...options.additionalContexts],
+            };
+        }
+        // Step 2: Canonicalize VC (for signing)
+        const canonicalVC = this.canonicalizeVC(unsignedVC);
+        // Step 3: Sign with Ed25519 using platform-specific signing function
+        const proof = await this.signingFunction(canonicalVC, this.identity.getDid(), this.identity.getKeyId());
+        // Step 4: Return signed VC
+        return {
+            ...unsignedVC,
+            proof,
+        };
+    }
+    /**
+     * Create a delegation record and issue it as a VC in one step
+     *
+     * Convenience method for creating a new delegation from scratch.
+     *
+     * @param params - Delegation parameters
+     * @param options - Issuance options
+     * @returns Signed DelegationCredential
+     */
+    async createAndIssueDelegation(params, options = {}) {
+        const now = Date.now();
+        // Create delegation record
+        const delegation = {
+            id: params.id,
+            issuerDid: params.issuerDid,
+            subjectDid: params.subjectDid,
+            controller: params.controller,
+            vcId: options.id || `urn:uuid:${params.id}`,
+            parentId: params.parentId,
+            constraints: params.constraints,
+            signature: '', // Will be filled by VC proof
+            status: params.status || 'active',
+            createdAt: now,
+            metadata: params.metadata,
+        };
+        // Issue as VC
+        return this.issueDelegationCredential(delegation, options);
+    }
+    /**
+     * Canonicalize VC for signing
+     *
+     * Uses JCS (JSON Canonicalization Scheme, RFC 8785) to create
+     * a deterministic representation of the VC.
+     *
+     * @param vc - The unsigned VC
+     * @returns Canonical JSON string
+     */
+    canonicalizeVC(vc) {
+        // DRY: Use shared canonicalization utility
+        return (0, utils_1.canonicalizeJSON)(vc);
+    }
+    /**
+     * Get issuer DID
+     *
+     * @returns The DID of this issuer
+     */
+    getIssuerDid() {
+        return this.identity.getDid();
+    }
+    /**
+     * Get issuer key ID
+     *
+     * @returns The key ID of this issuer
+     */
+    getIssuerKeyId() {
+        return this.identity.getKeyId();
+    }
+}
+exports.DelegationCredentialIssuer = DelegationCredentialIssuer;
+/**
+ * Create a delegation credential issuer
+ *
+ * Convenience factory function.
+ *
+ * @param identity - Identity provider
+ * @param signingFunction - Platform-specific signing function
+ * @returns DelegationCredentialIssuer instance
+ */
+function createDelegationIssuer(identity, signingFunction) {
+    return new DelegationCredentialIssuer(identity, signingFunction);
+}
+//# sourceMappingURL=vc-issuer.js.map

package/dist/delegation/vc-issuer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vc-issuer.js","sourceRoot":"","sources":["../../src/delegation/vc-issuer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAyNH,wDAKC;AAtND,iDAAuD;AACvD,mCAA2C;AA0D3C;;;;;;;;GAQG;AACH,MAAa,0BAA0B;IAE3B;IACA;IAFV,YACU,QAA0B,EAC1B,eAAkC;QADlC,aAAQ,GAAR,QAAQ,CAAkB;QAC1B,oBAAe,GAAf,eAAe,CAAmB;IACzC,CAAC;IAEJ;;;;;;;;;OASG;IACH,KAAK,CAAC,yBAAyB,CAC7B,UAA4B,EAC5B,UAAkC,EAAE;QAEpC,6BAA6B;QAC7B,IAAI,UAAU,GAAG,IAAA,8BAAkB,EAAC,UAAU,EAAE;YAC9C,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAC,CAAC;QAEH,sCAAsC;QACtC,IAAI,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxE,MAAM,gBAAgB,GAAG,UAAU,CAAC,UAAU,CAE7C,CAAC;YACF,UAAU,GAAG;gBACX,GAAG,UAAU;gBACb,UAAU,EAAE,CAAC,GAAG,gBAAgB,EAAE,GAAG,OAAO,CAAC,kBAAkB,CAAC;aACjE,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAEpD,qEAAqE;QACrE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,eAAe,CACtC,WAAW,EACX,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,EACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CACzB,CAAC;QAEF,2BAA2B;QAC3B,OAAO;YACL,GAAG,UAAU;YACb,KAAK;SACkB,CAAC;IAC5B,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,wBAAwB,CAC5B,MASC,EACD,UAAkC,EAAE;QAEpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,2BAA2B;QAC3B,MAAM,UAAU,GAAqB;YACnC,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,IAAI,EAAE,OAAO,CAAC,EAAE,IAAI,YAAY,MAAM,CAAC,EAAE,EAAE;YAC3C,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,EAAE,EAAE,6BAA6B;YAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,QAAQ;YACjC,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC;QAEF,cAAc;QACd,OAAO,IAAI,CAAC,yBAAyB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IAED;;;;;;;;OAQG;IACK,cAAc,CAAC,EAAuC;QAC5D,2CAA2C;QAC3C,OAAO,IAAA,wBAAgB,EAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;IAChC,CAAC;IAED;;;;OAIG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAClC,CAAC;CACF;AAlID,gEAkIC;AAED;;;;;;;;GAQG;AACH,SAAgB,sBAAsB,CACpC,QAA0B,EAC1B,eAAkC;IAElC,OAAO,IAAI,0BAA0B,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;AACnE,CAAC"}

package/dist/delegation/vc-verifier.d.ts

@@ -0,0 +1,213 @@
+/**
+ * Delegation Credential Verifier (Platform-Agnostic)
+ *
+ * Progressive enhancement verification for W3C Delegation Credentials.
+ * Follows the Edge-Delegation-Verification.md pattern:
+ *
+ * Stage 1: Fast basic checks (no network, early rejection)
+ * Stage 2: Parallel advanced checks (signature, status)
+ * Stage 3: Combined results
+ *
+ * Related Spec: MCP-I §4.3, W3C VC Data Model 1.1
+ * Python Reference: Edge-Delegation-Verification.md
+ */
+import type { DelegationCredential, CredentialStatus } from '@kya-os/contracts';
+/**
+ * Verification result for delegation credentials
+ */
+export interface DelegationVCVerificationResult {
+    /** Whether the delegation credential is valid */
+    valid: boolean;
+    /** Reason for invalid result (if valid=false) */
+    reason?: string;
+    /** Stage at which verification completed */
+    stage: 'basic' | 'signature' | 'status' | 'complete';
+    /** Whether result came from cache */
+    cached?: boolean;
+    /** Performance metrics */
+    metrics?: {
+        basicCheckMs?: number;
+        signatureCheckMs?: number;
+        statusCheckMs?: number;
+        totalMs: number;
+    };
+    /** Details about what was checked */
+    checks?: {
+        basicValid?: boolean;
+        signatureValid?: boolean;
+        statusValid?: boolean;
+    };
+}
+/**
+ * Options for verification
+ */
+export interface VerifyDelegationVCOptions {
+    /** Skip cache and force fresh verification */
+    skipCache?: boolean;
+    /** Skip signature verification (faster, less secure) */
+    skipSignature?: boolean;
+    /** Skip status checking (faster, may miss revocations) */
+    skipStatus?: boolean;
+    /** DID resolver for fetching public keys */
+    didResolver?: DIDResolver;
+    /** Status list resolver for checking revocation */
+    statusListResolver?: StatusListResolver;
+}
+/**
+ * DID Resolver interface
+ */
+export interface DIDResolver {
+    /**
+     * Resolve a DID to get the DID Document
+     * @param did - The DID to resolve
+     * @returns DID Document with verification methods
+     */
+    resolve(did: string): Promise<DIDDocument | null>;
+}
+/**
+ * DID Document (simplified)
+ */
+export interface DIDDocument {
+    id: string;
+    verificationMethod?: VerificationMethod[];
+    authentication?: (string | VerificationMethod)[];
+    assertionMethod?: (string | VerificationMethod)[];
+}
+/**
+ * Verification Method
+ */
+export interface VerificationMethod {
+    id: string;
+    type: string;
+    controller: string;
+    publicKeyJwk?: any;
+    publicKeyBase58?: string;
+    publicKeyMultibase?: string;
+}
+/**
+ * Status List Resolver interface
+ */
+export interface StatusListResolver {
+    /**
+     * Check if a credential is revoked via StatusList2021
+     * @param status - The credential status entry
+     * @returns true if revoked, false otherwise
+     */
+    checkStatus(status: CredentialStatus): Promise<boolean>;
+}
+/**
+ * Signature verification function interface
+ *
+ * Platform-specific implementations provide this function.
+ */
+export interface SignatureVerificationFunction {
+    /**
+     * Verify an Ed25519 signature on a VC
+     *
+     * @param vc - The VC to verify
+     * @param publicKeyJwk - The public key in JWK format
+     * @returns Verification result
+     */
+    (vc: DelegationCredential, publicKeyJwk: any): Promise<{
+        valid: boolean;
+        reason?: string;
+    }>;
+}
+/**
+ * Delegation Credential Verifier (Platform-Agnostic)
+ *
+ * Implements progressive enhancement pattern from Edge-Delegation-Verification.md:
+ * 1. Fast basic checks (no network) - early rejection
+ * 2. Parallel advanced checks (signature + status)
+ * 3. Combined results
+ */
+export declare class DelegationCredentialVerifier {
+    private didResolver?;
+    private statusListResolver?;
+    private signatureVerifier?;
+    private cache;
+    private cacheTtl;
+    constructor(options?: {
+        didResolver?: DIDResolver;
+        statusListResolver?: StatusListResolver;
+        signatureVerifier?: SignatureVerificationFunction;
+        cacheTtl?: number;
+    });
+    /**
+     * Verify a delegation credential with progressive enhancement
+     *
+     * Per Edge-Delegation-Verification.md:41-102
+     *
+     * @param vc - The delegation credential to verify
+     * @param options - Verification options
+     * @returns Verification result
+     */
+    verifyDelegationCredential(vc: DelegationCredential, options?: VerifyDelegationVCOptions): Promise<DelegationVCVerificationResult>;
+    /**
+     * Stage 1: Validate basic properties (no network calls)
+     *
+     * Fast path for early rejection of invalid delegations.
+     * Per Edge-Delegation-Verification.md:155-186
+     *
+     * @param vc - The delegation credential
+     * @returns Validation result
+     */
+    private validateBasicProperties;
+    /**
+     * Stage 2a: Verify signature
+     *
+     * Per Edge-Delegation-Verification.md:191-234
+     *
+     * @param vc - The delegation credential
+     * @param didResolver - Optional DID resolver
+     * @returns Verification result
+     */
+    private verifySignature;
+    /**
+     * Stage 2b: Check credential status via StatusList2021
+     *
+     * @param status - The credential status entry
+     * @param statusListResolver - Optional status list resolver
+     * @returns Status check result
+     */
+    private checkCredentialStatus;
+    /**
+     * Find verification method in DID document
+     *
+     * @param didDoc - The DID document
+     * @param verificationMethodId - The verification method ID
+     * @returns Verification method or undefined
+     */
+    private findVerificationMethod;
+    /**
+     * Get from cache
+     */
+    private getFromCache;
+    /**
+     * Set in cache
+     */
+    private setInCache;
+    /**
+     * Clear cache
+     */
+    clearCache(): void;
+    /**
+     * Clear cache entry for specific VC
+     */
+    clearCacheEntry(id: string): void;
+}
+/**
+ * Create a delegation credential verifier
+ *
+ * Convenience factory function.
+ *
+ * @param options - Verifier options
+ * @returns DelegationCredentialVerifier instance
+ */
+export declare function createDelegationVerifier(options?: {
+    didResolver?: DIDResolver;
+    statusListResolver?: StatusListResolver;
+    signatureVerifier?: SignatureVerificationFunction;
+    cacheTtl?: number;
+}): DelegationCredentialVerifier;
+//# sourceMappingURL=vc-verifier.d.ts.map

package/dist/delegation/vc-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vc-verifier.d.ts","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAO3B;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC7C,iDAAiD;IACjD,KAAK,EAAE,OAAO,CAAC;IAEf,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,4CAA4C;IAC5C,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;IAErD,qCAAqC;IACrC,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB,0BAA0B;IAC1B,OAAO,CAAC,EAAE;QACR,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IAEF,qCAAqC;IACrC,MAAM,CAAC,EAAE;QACP,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,8CAA8C;IAC9C,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB,wDAAwD;IACxD,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,4CAA4C;IAC5C,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B,mDAAmD;IACnD,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,kBAAkB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAC1C,cAAc,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;IACjD,eAAe,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,GAAG,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,WAAW,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACzD;AAED;;;;GAIG;AACH,MAAM,WAAW,6BAA6B;IAC5C;;;;;;OAMG;IACH,CAAC,EAAE,EAAE,oBAAoB,EAAE,YAAY,EAAE,GAAG,GAAG,OAAO,CAAC;QACrD,KAAK,EAAE,OAAO,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED;;;;;;;GAOG;AACH,qBAAa,4BAA4B;IACvC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,kBAAkB,CAAC,CAAqB;IAChD,OAAO,CAAC,iBAAiB,CAAC,CAAgC;IAC1D,OAAO,CAAC,KAAK,CAGT;IACJ,OAAO,CAAC,QAAQ,CAAS;gBAEb,OAAO,CAAC,EAAE;QACpB,WAAW,CAAC,EAAE,WAAW,CAAC;QAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;QACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;QAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAOD;;;;;;;;OAQG;IACG,0BAA0B,CAC9B,EAAE,EAAE,oBAAoB,EACxB,OAAO,GAAE,yBAA8B,GACtC,OAAO,CAAC,8BAA8B,CAAC;IAgH1C;;;;;;;;OAQG;IACH,OAAO,CAAC,uBAAuB;IA4C/B;;;;;;;;OAQG;YACW,eAAe;IA0F7B;;;;;;OAMG;YACW,qBAAqB;IA0CnC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;IAS9B;;OAEG;IACH,OAAO,CAAC,YAAY;IAYpB;;OAEG;IACH,OAAO,CAAC,UAAU;IAOlB;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;CAGlC;AAED;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,CAAC,EAAE;IACjD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,4BAA4B,CAE/B"}