@kya-os/mcp-i-core 1.1.0 → 1.1.1-canary.0

package/dist/delegation/delegation-graph.d.ts

@@ -0,0 +1,178 @@
+/**
+ * Delegation Graph Manager
+ *
+ * Tracks parent-child relationships between delegation credentials.
+ * Critical for cascading revocation per Delegation-Revocation.md.
+ *
+ * SOLID Principles:
+ * - Single Responsibility: Only manages delegation relationships
+ * - Open/Closed: Extensible via storage provider interface
+ * - Liskov Substitution: Any storage provider can be used
+ * - Interface Segregation: Minimal graph operations interface
+ * - Dependency Inversion: Depends on storage abstraction
+ *
+ * Related Spec: MCP-I §4.4, Delegation Chains
+ * Python Reference: Delegation-Revocation.md:45-67
+ */
+/**
+ * Delegation node in the graph
+ */
+export interface DelegationNode {
+    /** Delegation credential ID */
+    id: string;
+    /** Parent delegation ID (null for root) */
+    parentId: string | null;
+    /** Child delegation IDs */
+    children: string[];
+    /** Issuer DID */
+    issuerDid: string;
+    /** Subject DID */
+    subjectDid: string;
+    /** Credential status reference (for revocation) */
+    credentialStatusId?: string;
+}
+/**
+ * Storage provider interface for delegation graphs
+ *
+ * Platform-specific implementations (CloudflareKV, DynamoDB, etc.)
+ */
+export interface DelegationGraphStorageProvider {
+    /**
+     * Get a delegation node by ID
+     */
+    getNode(delegationId: string): Promise<DelegationNode | null>;
+    /**
+     * Save a delegation node
+     */
+    setNode(node: DelegationNode): Promise<void>;
+    /**
+     * Get all children of a delegation
+     */
+    getChildren(delegationId: string): Promise<DelegationNode[]>;
+    /**
+     * Get the full chain from root to this delegation
+     */
+    getChain(delegationId: string): Promise<DelegationNode[]>;
+    /**
+     * Get all descendants (children, grandchildren, etc.)
+     */
+    getDescendants(delegationId: string): Promise<DelegationNode[]>;
+    /**
+     * Delete a node (used for cleanup)
+     */
+    deleteNode(delegationId: string): Promise<void>;
+}
+/**
+ * Delegation Graph Manager
+ *
+ * Manages the tree/graph structure of delegations.
+ * Per Delegation-Revocation.md:
+ * - Track parent-child relationships
+ * - Support chain validation
+ * - Enable cascading revocation
+ */
+export declare class DelegationGraphManager {
+    private storage;
+    constructor(storage: DelegationGraphStorageProvider);
+    /**
+     * Register a new delegation in the graph
+     *
+     * @param delegation - The delegation to register
+     * @returns The created node
+     */
+    registerDelegation(params: {
+        id: string;
+        parentId: string | null;
+        issuerDid: string;
+        subjectDid: string;
+        credentialStatusId?: string;
+    }): Promise<DelegationNode>;
+    /**
+     * Add a child to a parent node
+     *
+     * @param parentId - Parent delegation ID
+     * @param childId - Child delegation ID
+     */
+    private addChildToParent;
+    /**
+     * Get a delegation node
+     *
+     * @param delegationId - The delegation ID
+     * @returns The node, or null if not found
+     */
+    getNode(delegationId: string): Promise<DelegationNode | null>;
+    /**
+     * Get all direct children of a delegation
+     *
+     * @param delegationId - The parent delegation ID
+     * @returns Array of child nodes
+     */
+    getChildren(delegationId: string): Promise<DelegationNode[]>;
+    /**
+     * Get all descendants (children, grandchildren, etc.)
+     *
+     * Used for cascading revocation.
+     * Per Delegation-Revocation.md:56-67
+     *
+     * @param delegationId - The parent delegation ID
+     * @returns Array of all descendant nodes
+     */
+    getDescendants(delegationId: string): Promise<DelegationNode[]>;
+    /**
+     * Get the full delegation chain from root to this node
+     *
+     * Used for chain validation.
+     *
+     * @param delegationId - The delegation ID
+     * @returns Array of nodes from root to this node
+     */
+    getChain(delegationId: string): Promise<DelegationNode[]>;
+    /**
+     * Check if delegation A is an ancestor of delegation B
+     *
+     * @param ancestorId - Potential ancestor ID
+     * @param descendantId - Potential descendant ID
+     * @returns true if ancestorId is an ancestor of descendantId
+     */
+    isAncestor(ancestorId: string, descendantId: string): Promise<boolean>;
+    /**
+     * Get the depth of a delegation in the tree
+     *
+     * @param delegationId - The delegation ID
+     * @returns Depth (0 for root, 1 for immediate child, etc.)
+     */
+    getDepth(delegationId: string): Promise<number>;
+    /**
+     * Validate that a delegation chain is properly formed
+     *
+     * Checks that:
+     * - Each child's issuer is the parent's subject
+     * - No cycles exist
+     * - Chain is continuous
+     *
+     * @param delegationId - The delegation ID to validate
+     * @returns Validation result
+     */
+    validateChain(delegationId: string): Promise<{
+        valid: boolean;
+        reason?: string;
+    }>;
+    /**
+     * Remove a delegation from the graph
+     *
+     * Note: This doesn't cascade - use CascadingRevocationManager for that.
+     *
+     * @param delegationId - The delegation ID to remove
+     */
+    removeDelegation(delegationId: string): Promise<void>;
+}
+/**
+ * Create a delegation graph manager
+ *
+ * Convenience factory function.
+ *
+ * @param storage - Storage provider
+ * @returns DelegationGraphManager instance
+ */
+export declare function createDelegationGraph(storage: DelegationGraphStorageProvider): DelegationGraphManager;
+//# sourceMappingURL=delegation-graph.d.ts.map

package/dist/delegation/delegation-graph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation-graph.d.ts","sourceRoot":"","sources":["../../src/delegation/delegation-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,+BAA+B;IAC/B,EAAE,EAAE,MAAM,CAAC;IAEX,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB,2BAA2B;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAC;IAEnB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAElB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IAEnB,mDAAmD;IACnD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,8BAA8B;IAC7C;;OAEG;IACH,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAE9D;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7C;;OAEG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAE7D;;OAEG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAE1D;;OAEG;IACH,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAEhE;;OAEG;IACH,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED;;;;;;;;GAQG;AACH,qBAAa,sBAAsB;IACrB,OAAO,CAAC,OAAO;gBAAP,OAAO,EAAE,8BAA8B;IAE3D;;;;;OAKG;IACG,kBAAkB,CAAC,MAAM,EAAE;QAC/B,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,GAAG,OAAO,CAAC,cAAc,CAAC;IAqB3B;;;;;OAKG;YACW,gBAAgB;IAgB9B;;;;;OAKG;IACG,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAInE;;;;;OAKG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAIlE;;;;;;;;OAQG;IACG,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAIrE;;;;;;;OAOG;IACG,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAI/D;;;;;;OAMG;IACG,UAAU,CACd,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC;IAKnB;;;;;OAKG;IACG,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKrD;;;;;;;;;;OAUG;IACG,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC;QACjD,KAAK,EAAE,OAAO,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IAgCF;;;;;;OAMG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAgB5D;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,8BAA8B,GACtC,sBAAsB,CAExB"}

package/dist/delegation/delegation-graph.js

@@ -0,0 +1,209 @@
+"use strict";
+/**
+ * Delegation Graph Manager
+ *
+ * Tracks parent-child relationships between delegation credentials.
+ * Critical for cascading revocation per Delegation-Revocation.md.
+ *
+ * SOLID Principles:
+ * - Single Responsibility: Only manages delegation relationships
+ * - Open/Closed: Extensible via storage provider interface
+ * - Liskov Substitution: Any storage provider can be used
+ * - Interface Segregation: Minimal graph operations interface
+ * - Dependency Inversion: Depends on storage abstraction
+ *
+ * Related Spec: MCP-I §4.4, Delegation Chains
+ * Python Reference: Delegation-Revocation.md:45-67
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DelegationGraphManager = void 0;
+exports.createDelegationGraph = createDelegationGraph;
+/**
+ * Delegation Graph Manager
+ *
+ * Manages the tree/graph structure of delegations.
+ * Per Delegation-Revocation.md:
+ * - Track parent-child relationships
+ * - Support chain validation
+ * - Enable cascading revocation
+ */
+class DelegationGraphManager {
+    storage;
+    constructor(storage) {
+        this.storage = storage;
+    }
+    /**
+     * Register a new delegation in the graph
+     *
+     * @param delegation - The delegation to register
+     * @returns The created node
+     */
+    async registerDelegation(params) {
+        const node = {
+            id: params.id,
+            parentId: params.parentId,
+            children: [],
+            issuerDid: params.issuerDid,
+            subjectDid: params.subjectDid,
+            credentialStatusId: params.credentialStatusId,
+        };
+        // Save the node
+        await this.storage.setNode(node);
+        // If has parent, add this as a child to parent
+        if (params.parentId) {
+            await this.addChildToParent(params.parentId, params.id);
+        }
+        return node;
+    }
+    /**
+     * Add a child to a parent node
+     *
+     * @param parentId - Parent delegation ID
+     * @param childId - Child delegation ID
+     */
+    async addChildToParent(parentId, childId) {
+        const parent = await this.storage.getNode(parentId);
+        if (!parent) {
+            throw new Error(`Parent delegation not found: ${parentId}`);
+        }
+        // Add child if not already present
+        if (!parent.children.includes(childId)) {
+            parent.children.push(childId);
+            await this.storage.setNode(parent);
+        }
+    }
+    /**
+     * Get a delegation node
+     *
+     * @param delegationId - The delegation ID
+     * @returns The node, or null if not found
+     */
+    async getNode(delegationId) {
+        return this.storage.getNode(delegationId);
+    }
+    /**
+     * Get all direct children of a delegation
+     *
+     * @param delegationId - The parent delegation ID
+     * @returns Array of child nodes
+     */
+    async getChildren(delegationId) {
+        return this.storage.getChildren(delegationId);
+    }
+    /**
+     * Get all descendants (children, grandchildren, etc.)
+     *
+     * Used for cascading revocation.
+     * Per Delegation-Revocation.md:56-67
+     *
+     * @param delegationId - The parent delegation ID
+     * @returns Array of all descendant nodes
+     */
+    async getDescendants(delegationId) {
+        return this.storage.getDescendants(delegationId);
+    }
+    /**
+     * Get the full delegation chain from root to this node
+     *
+     * Used for chain validation.
+     *
+     * @param delegationId - The delegation ID
+     * @returns Array of nodes from root to this node
+     */
+    async getChain(delegationId) {
+        return this.storage.getChain(delegationId);
+    }
+    /**
+     * Check if delegation A is an ancestor of delegation B
+     *
+     * @param ancestorId - Potential ancestor ID
+     * @param descendantId - Potential descendant ID
+     * @returns true if ancestorId is an ancestor of descendantId
+     */
+    async isAncestor(ancestorId, descendantId) {
+        const chain = await this.getChain(descendantId);
+        return chain.some((node) => node.id === ancestorId);
+    }
+    /**
+     * Get the depth of a delegation in the tree
+     *
+     * @param delegationId - The delegation ID
+     * @returns Depth (0 for root, 1 for immediate child, etc.)
+     */
+    async getDepth(delegationId) {
+        const chain = await this.getChain(delegationId);
+        return chain.length - 1; // -1 because chain includes the node itself
+    }
+    /**
+     * Validate that a delegation chain is properly formed
+     *
+     * Checks that:
+     * - Each child's issuer is the parent's subject
+     * - No cycles exist
+     * - Chain is continuous
+     *
+     * @param delegationId - The delegation ID to validate
+     * @returns Validation result
+     */
+    async validateChain(delegationId) {
+        const chain = await this.getChain(delegationId);
+        if (chain.length === 0) {
+            return { valid: false, reason: 'Delegation not found' };
+        }
+        // Check each link in the chain
+        for (let i = 1; i < chain.length; i++) {
+            const parent = chain[i - 1];
+            const child = chain[i];
+            // Child's issuer must be parent's subject
+            if (child.issuerDid !== parent.subjectDid) {
+                return {
+                    valid: false,
+                    reason: `Invalid chain: ${child.id} issued by ${child.issuerDid} but parent ${parent.id} subject is ${parent.subjectDid}`,
+                };
+            }
+            // Child's parent pointer must match parent's ID
+            if (child.parentId !== parent.id) {
+                return {
+                    valid: false,
+                    reason: `Invalid chain: ${child.id} parentId=${child.parentId} but actual parent is ${parent.id}`,
+                };
+            }
+        }
+        return { valid: true };
+    }
+    /**
+     * Remove a delegation from the graph
+     *
+     * Note: This doesn't cascade - use CascadingRevocationManager for that.
+     *
+     * @param delegationId - The delegation ID to remove
+     */
+    async removeDelegation(delegationId) {
+        const node = await this.storage.getNode(delegationId);
+        if (!node)
+            return;
+        // Remove from parent's children list
+        if (node.parentId) {
+            const parent = await this.storage.getNode(node.parentId);
+            if (parent) {
+                parent.children = parent.children.filter((id) => id !== delegationId);
+                await this.storage.setNode(parent);
+            }
+        }
+        // Delete the node
+        await this.storage.deleteNode(delegationId);
+    }
+}
+exports.DelegationGraphManager = DelegationGraphManager;
+/**
+ * Create a delegation graph manager
+ *
+ * Convenience factory function.
+ *
+ * @param storage - Storage provider
+ * @returns DelegationGraphManager instance
+ */
+function createDelegationGraph(storage) {
+    return new DelegationGraphManager(storage);
+}
+//# sourceMappingURL=delegation-graph.js.map

package/dist/delegation/delegation-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation-graph.js","sourceRoot":"","sources":["../../src/delegation/delegation-graph.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAuRH,sDAIC;AA7ND;;;;;;;;GAQG;AACH,MAAa,sBAAsB;IACb;IAApB,YAAoB,OAAuC;QAAvC,YAAO,GAAP,OAAO,CAAgC;IAAG,CAAC;IAE/D;;;;;OAKG;IACH,KAAK,CAAC,kBAAkB,CAAC,MAMxB;QACC,MAAM,IAAI,GAAmB;YAC3B,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C,CAAC;QAEF,gBAAgB;QAChB,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEjC,+CAA+C;QAC/C,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,gBAAgB,CAC5B,QAAgB,EAChB,OAAe;QAEf,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,mCAAmC;QACnC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,YAAoB;QAChC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,YAAoB;QACpC,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,cAAc,CAAC,YAAoB;QACvC,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;IACnD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,YAAoB;QACjC,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,UAAU,CACd,UAAkB,EAClB,YAAoB;QAEpB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;IACtD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,CAAC,YAAoB;QACjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,4CAA4C;IACvE,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,aAAa,CAAC,YAAoB;QAItC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAEhD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;QAC1D,CAAC;QAED,+BAA+B;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAEvB,0CAA0C;YAC1C,IAAI,KAAK,CAAC,SAAS,KAAK,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kBAAkB,KAAK,CAAC,EAAE,cAAc,KAAK,CAAC,SAAS,eAAe,MAAM,CAAC,EAAE,eAAe,MAAM,CAAC,UAAU,EAAE;iBAC1H,CAAC;YACJ,CAAC;YAED,gDAAgD;YAChD,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;gBACjC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kBAAkB,KAAK,CAAC,EAAE,aAAa,KAAK,CAAC,QAAQ,yBAAyB,MAAM,CAAC,EAAE,EAAE;iBAClG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,gBAAgB,CAAC,YAAoB;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI;YAAE,OAAO;QAElB,qCAAqC;QACrC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;gBACtE,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC;CACF;AAtMD,wDAsMC;AAED;;;;;;;GAOG;AACH,SAAgB,qBAAqB,CACnC,OAAuC;IAEvC,OAAO,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}

package/dist/delegation/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Delegation Module Exports (Platform-Agnostic)
+ *
+ * W3C VC-based delegation issuance and verification.
+ * Platform-specific adapters (Node.js, Cloudflare) provide signing/verification functions.
+ */
+export * from './vc-issuer';
+export * from './vc-verifier';
+export * from './bitstring';
+export * from './statuslist-manager';
+export * from './delegation-graph';
+export * from './cascading-revocation';
+export * from './utils';
+//# sourceMappingURL=index.d.ts.map

package/dist/delegation/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC;AACvC,cAAc,SAAS,CAAC"}

package/dist/delegation/index.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * Delegation Module Exports (Platform-Agnostic)
+ *
+ * W3C VC-based delegation issuance and verification.
+ * Platform-specific adapters (Node.js, Cloudflare) provide signing/verification functions.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./vc-issuer"), exports);
+__exportStar(require("./vc-verifier"), exports);
+__exportStar(require("./bitstring"), exports);
+__exportStar(require("./statuslist-manager"), exports);
+__exportStar(require("./delegation-graph"), exports);
+__exportStar(require("./cascading-revocation"), exports);
+__exportStar(require("./utils"), exports);
+//# sourceMappingURL=index.js.map

package/dist/delegation/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;AAEH,8CAA4B;AAC5B,gDAA8B;AAC9B,8CAA4B;AAC5B,uDAAqC;AACrC,qDAAmC;AACnC,yDAAuC;AACvC,0CAAwB"}

package/dist/delegation/statuslist-manager.d.ts

@@ -0,0 +1,148 @@
+/**
+ * StatusList2021 Manager
+ *
+ * Manages StatusList2021 credentials for efficient delegation revocation.
+ * Follows the Python POC design from Delegation-Revocation.md.
+ *
+ * SOLID Principles:
+ * - Single Responsibility: Manages status list allocation and updates
+ * - Open/Closed: Extensible via storage provider interface
+ * - Liskov Substitution: Any storage provider can be used
+ * - Interface Segregation: Minimal storage interface
+ * - Dependency Inversion: Depends on abstractions (storage, signing)
+ *
+ * Related Spec: W3C StatusList2021
+ * Python Reference: Delegation-Revocation.md
+ */
+import type { StatusList2021Credential, CredentialStatus } from '@kya-os/contracts';
+import { CompressionFunction, DecompressionFunction } from './bitstring';
+import { VCSigningFunction } from './vc-issuer';
+/**
+ * Storage provider interface for status lists
+ *
+ * Platform-specific implementations (CloudflareKV, DynamoDB, Redis, etc.)
+ * implement this interface.
+ */
+export interface StatusListStorageProvider {
+    /**
+     * Get a status list credential by ID
+     *
+     * @param statusListId - The status list URL
+     * @returns The status list credential, or null if not found
+     */
+    getStatusList(statusListId: string): Promise<StatusList2021Credential | null>;
+    /**
+     * Save a status list credential
+     *
+     * @param statusListId - The status list URL
+     * @param credential - The status list credential
+     */
+    setStatusList(statusListId: string, credential: StatusList2021Credential): Promise<void>;
+    /**
+     * Allocate a new index in a status list
+     *
+     * Thread-safe allocation of the next available index.
+     *
+     * @param statusListId - The status list URL
+     * @returns The allocated index
+     */
+    allocateIndex(statusListId: string): Promise<number>;
+}
+/**
+ * Identity provider for signing status list credentials
+ */
+export interface StatusListIdentityProvider {
+    /** Get the DID of this identity */
+    getDid(): string;
+    /** Get the key ID of this identity */
+    getKeyId(): string;
+}
+/**
+ * StatusList2021 Manager
+ *
+ * Manages status lists for efficient delegation revocation.
+ * Per Delegation-Revocation.md:
+ * - StatusList2021 for efficient revocation distribution
+ * - Compressed bitstrings for scalability
+ * - Separate lists for revocation vs suspension
+ */
+export declare class StatusList2021Manager {
+    private storage;
+    private identity;
+    private signingFunction;
+    private compressor;
+    private decompressor;
+    private statusListBaseUrl;
+    private defaultListSize;
+    constructor(storage: StatusListStorageProvider, identity: StatusListIdentityProvider, signingFunction: VCSigningFunction, compressor: CompressionFunction, decompressor: DecompressionFunction, options?: {
+        /** Base URL for status lists (e.g., "https://example.com/status") */
+        statusListBaseUrl?: string;
+        /** Default size for new status lists (number of entries) */
+        defaultListSize?: number;
+    });
+    /**
+     * Allocate a status entry for a new delegation credential
+     *
+     * Per Delegation-Revocation.md: Each delegation gets a unique status list entry.
+     *
+     * @param purpose - "revocation" or "suspension"
+     * @returns CredentialStatus entry for the delegation VC
+     */
+    allocateStatusEntry(purpose: 'revocation' | 'suspension'): Promise<CredentialStatus>;
+    /**
+     * Revoke or suspend a delegation by updating its status
+     *
+     * @param credentialStatus - The credential status entry from the VC
+     * @param revoked - true to revoke/suspend, false to restore
+     */
+    updateStatus(credentialStatus: CredentialStatus, revoked: boolean): Promise<void>;
+    /**
+     * Check if a credential is revoked
+     *
+     * @param credentialStatus - The credential status entry
+     * @returns true if revoked/suspended, false otherwise
+     */
+    checkStatus(credentialStatus: CredentialStatus): Promise<boolean>;
+    /**
+     * Get all revoked indices in a status list
+     *
+     * Useful for debugging or auditing.
+     *
+     * @param statusListId - The status list URL
+     * @returns Array of revoked indices
+     */
+    getRevokedIndices(statusListId: string): Promise<number[]>;
+    /**
+     * Ensure a status list exists, creating it if needed
+     *
+     * @param statusListId - The status list URL
+     * @param purpose - "revocation" or "suspension"
+     */
+    private ensureStatusListExists;
+    /**
+     * Get the status list base URL
+     */
+    getStatusListBaseUrl(): string;
+    /**
+     * Get the default list size
+     */
+    getDefaultListSize(): number;
+}
+/**
+ * Create a StatusList2021 manager
+ *
+ * Convenience factory function.
+ *
+ * @param storage - Storage provider
+ * @param identity - Identity provider
+ * @param signingFunction - VC signing function
+ * @param compressor - Compression function
+ * @param decompressor - Decompression function
+ * @param options - Manager options
+ * @returns StatusList2021Manager instance
+ */
+export declare function createStatusListManager(storage: StatusListStorageProvider, identity: StatusListIdentityProvider, signingFunction: VCSigningFunction, compressor: CompressionFunction, decompressor: DecompressionFunction, options?: {
+    statusListBaseUrl?: string;
+    defaultListSize?: number;
+}): StatusList2021Manager;
+//# sourceMappingURL=statuslist-manager.d.ts.map

package/dist/delegation/statuslist-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"statuslist-manager.d.ts","sourceRoot":"","sources":["../../src/delegation/statuslist-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EACV,wBAAwB,EACxB,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAoB,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGhD;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB;IACxC;;;;;OAKG;IACH,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAAC;IAE9E;;;;;OAKG;IACH,aAAa,CACX,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,wBAAwB,GACnC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;;;;OAOG;IACH,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACtD;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,mCAAmC;IACnC,MAAM,IAAI,MAAM,CAAC;IAEjB,sCAAsC;IACtC,QAAQ,IAAI,MAAM,CAAC;CACpB;AAED;;;;;;;;GAQG;AACH,qBAAa,qBAAqB;IAK9B,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,eAAe;IACvB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,YAAY;IARtB,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,eAAe,CAAS;gBAGtB,OAAO,EAAE,yBAAyB,EAClC,QAAQ,EAAE,0BAA0B,EACpC,eAAe,EAAE,iBAAiB,EAClC,UAAU,EAAE,mBAAmB,EAC/B,YAAY,EAAE,qBAAqB,EAC3C,OAAO,CAAC,EAAE;QACR,qEAAqE;QACrE,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,4DAA4D;QAC5D,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B;IAMH;;;;;;;OAOG;IACG,mBAAmB,CACvB,OAAO,EAAE,YAAY,GAAG,YAAY,GACnC,OAAO,CAAC,gBAAgB,CAAC;IAsB5B;;;;;OAKG;IACG,YAAY,CAChB,gBAAgB,EAAE,gBAAgB,EAClC,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,IAAI,CAAC;IAoDhB;;;;;OAKG;IACG,WAAW,CAAC,gBAAgB,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAqBvE;;;;;;;OAOG;IACG,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAehE;;;;;OAKG;YACW,sBAAsB;IAqDpC;;OAEG;IACH,oBAAoB,IAAI,MAAM;IAI9B;;OAEG;IACH,kBAAkB,IAAI,MAAM;CAG7B;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,yBAAyB,EAClC,QAAQ,EAAE,0BAA0B,EACpC,eAAe,EAAE,iBAAiB,EAClC,UAAU,EAAE,mBAAmB,EAC/B,YAAY,EAAE,qBAAqB,EACnC,OAAO,CAAC,EAAE;IACR,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,GACA,qBAAqB,CASvB"}