@kya-os/mcp-i-core 1.1.13-canary.1 → 1.1.14-canary.1

package/dist/services/proof-verifier.js

@@ -0,0 +1,318 @@
+"use strict";
+/**
+ * ProofVerifier
+ *
+ * Centralized proof verification service that validates DetachedProof
+ * signatures, enforces nonce replay protection, and checks timestamp skew.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProofVerifier = void 0;
+const crypto_service_js_1 = require("./crypto.service.js");
+const proof_1 = require("@kya-os/contracts/proof");
+const json_canonicalize_1 = require("json-canonicalize");
+const errors_js_1 = require("./errors.js");
+class ProofVerifier {
+    cryptoService;
+    clock;
+    nonceCache;
+    fetch;
+    timestampSkewSeconds;
+    nonceTtlSeconds;
+    constructor(config) {
+        this.cryptoService = new crypto_service_js_1.CryptoService(config.cryptoProvider);
+        this.clock = config.clockProvider;
+        this.nonceCache = config.nonceCacheProvider;
+        this.fetch = config.fetchProvider;
+        this.timestampSkewSeconds = config.timestampSkewSeconds ?? 120; // Default 2 minutes
+        this.nonceTtlSeconds = config.nonceTtlSeconds ?? 300; // Default 5 minutes
+    }
+    /**
+     * Verify a DetachedProof
+     * Automatically reconstructs canonical payload from proof.meta for signature verification
+     * @param proof - The proof to verify
+     * @param publicKeyJwk - Ed25519 public key in JWK format (from DID document)
+     * @returns Verification result
+     */
+    async verifyProof(proof, publicKeyJwk) {
+        try {
+            // 1. Validate proof structure
+            const structureValidation = await this.validateProofStructure(proof);
+            if (!structureValidation.valid) {
+                return structureValidation;
+            }
+            const validatedProof = structureValidation.proof;
+            // 2. Check nonce replay protection
+            const nonceValidation = await this.validateNonce(validatedProof.meta.nonce);
+            if (!nonceValidation.valid) {
+                return nonceValidation;
+            }
+            // 3. Check timestamp skew
+            const timestampValidation = await this.validateTimestamp(validatedProof.meta.ts);
+            if (!timestampValidation.valid) {
+                return timestampValidation;
+            }
+            // 4. Reconstruct canonical payload from proof meta
+            const canonicalPayloadString = this.buildCanonicalPayload(validatedProof.meta);
+            const canonicalPayloadBytes = new TextEncoder().encode(canonicalPayloadString);
+            // 5. Verify JWS signature with detached canonical payload
+            const signatureValidation = await this.verifySignature(validatedProof.jws, publicKeyJwk, canonicalPayloadBytes, validatedProof.meta.kid);
+            if (!signatureValidation.valid) {
+                return signatureValidation;
+            }
+            // 6. Add nonce to cache to prevent replay
+            await this.addNonceToCache(validatedProof.meta.nonce);
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            // Security-safe failure: never throw, always return error result
+            return {
+                valid: false,
+                reason: "Proof verification error",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_ERROR,
+                error: error instanceof Error ? error : new Error(String(error)),
+                details: {
+                    errorMessage: error instanceof Error ? error.message : String(error),
+                },
+            };
+        }
+    }
+    /**
+     * Verify proof with detached payload (for CLI/verifier compatibility)
+     * @param proof - The proof to verify
+     * @param canonicalPayload - Canonical JSON payload (for detached JWS) as string or Uint8Array
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @returns Verification result
+     */
+    async verifyProofDetached(proof, canonicalPayload, publicKeyJwk) {
+        try {
+            // 1. Validate proof structure
+            const structureValidation = await this.validateProofStructure(proof);
+            if (!structureValidation.valid) {
+                return structureValidation;
+            }
+            const validatedProof = structureValidation.proof;
+            // 2. Check nonce replay protection
+            const nonceValidation = await this.validateNonce(validatedProof.meta.nonce);
+            if (!nonceValidation.valid) {
+                return nonceValidation;
+            }
+            // 3. Check timestamp skew
+            const timestampValidation = await this.validateTimestamp(validatedProof.meta.ts);
+            if (!timestampValidation.valid) {
+                return timestampValidation;
+            }
+            // 4. Convert canonical payload to Uint8Array if needed
+            const canonicalPayloadBytes = canonicalPayload instanceof Uint8Array
+                ? canonicalPayload
+                : new TextEncoder().encode(canonicalPayload);
+            // 5. Verify JWS signature with detached payload
+            const signatureValidation = await this.verifySignature(validatedProof.jws, publicKeyJwk, canonicalPayloadBytes, validatedProof.meta.kid);
+            if (!signatureValidation.valid) {
+                return signatureValidation;
+            }
+            // 6. Add nonce to cache
+            await this.addNonceToCache(validatedProof.meta.nonce);
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            // Security-safe failure: never throw, always return error result
+            return {
+                valid: false,
+                reason: "Proof verification error",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_ERROR,
+                error: error instanceof Error ? error : new Error(String(error)),
+                details: {
+                    errorMessage: error instanceof Error ? error.message : String(error),
+                },
+            };
+        }
+    }
+    /**
+     * Validate proof structure using Zod schema
+     * @private
+     */
+    async validateProofStructure(proof) {
+        const validationResult = proof_1.DetachedProofSchema.safeParse(proof);
+        if (!validationResult.success) {
+            return {
+                valid: false,
+                reason: "Invalid proof structure",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.INVALID_PROOF_STRUCTURE,
+                error: new Error(`Proof validation failed: ${validationResult.error.message}`),
+                details: {
+                    zodErrors: validationResult.error.errors,
+                },
+            };
+        }
+        return {
+            valid: true,
+            proof: validationResult.data,
+        };
+    }
+    /**
+     * Validate nonce replay protection
+     * @private
+     */
+    async validateNonce(nonce) {
+        const nonceUsed = await this.nonceCache.has(nonce);
+        if (nonceUsed) {
+            return {
+                valid: false,
+                reason: "Nonce already used (replay attack detected)",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.NONCE_REPLAY_DETECTED,
+                details: {
+                    nonce,
+                },
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Validate timestamp skew
+     * @private
+     */
+    async validateTimestamp(timestamp) {
+        // Convert seconds to milliseconds for clock provider (which uses Date.now())
+        const timestampMs = timestamp * 1000;
+        if (!this.clock.isWithinSkew(timestampMs, this.timestampSkewSeconds)) {
+            return {
+                valid: false,
+                reason: `Timestamp out of skew window (skew: ${this.timestampSkewSeconds}s)`,
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.TIMESTAMP_SKEW_EXCEEDED,
+                details: {
+                    timestamp,
+                    timestampMs,
+                    skewSeconds: this.timestampSkewSeconds,
+                    currentTime: this.clock.now(),
+                },
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Verify JWS signature
+     * @private
+     */
+    async verifySignature(jws, publicKeyJwk, canonicalPayloadBytes, expectedKid) {
+        const signatureValid = await this.cryptoService.verifyJWS(jws, publicKeyJwk, {
+            detachedPayload: canonicalPayloadBytes,
+            expectedKid,
+            alg: "EdDSA",
+        });
+        if (!signatureValid) {
+            return {
+                valid: false,
+                reason: "Invalid JWS signature",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.INVALID_JWS_SIGNATURE,
+                details: {
+                    jwsLength: jws.length,
+                    expectedKid,
+                    actualKid: publicKeyJwk.kid,
+                },
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Add nonce to cache to prevent replay
+     * @private
+     */
+    async addNonceToCache(nonce) {
+        const expiresAt = this.clock.calculateExpiry(this.nonceTtlSeconds);
+        await this.nonceCache.add(nonce, expiresAt);
+    }
+    /**
+     * Fetch public key from DID document
+     * @param did - DID to resolve
+     * @param kid - Key ID (optional, defaults to first verification method)
+     * @returns Ed25519 JWK or null if not found
+     * @throws {ProofVerificationError} If DID resolution fails with specific error code
+     */
+    async fetchPublicKeyFromDID(did, kid) {
+        try {
+            const didDoc = await this.fetch.resolveDID(did);
+            if (!didDoc) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.DID_DOCUMENT_NOT_FOUND, `DID document not found: ${did}`, { did });
+            }
+            if (!didDoc.verificationMethod ||
+                didDoc.verificationMethod.length === 0) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND, `No verification methods found in DID document: ${did}`, { did });
+            }
+            // Find verification method by kid or use first one
+            let verificationMethod;
+            if (kid) {
+                const kidWithHash = kid.startsWith("#") ? kid : `#${kid}`;
+                verificationMethod = didDoc.verificationMethod.find((vm) => vm.id === kidWithHash || vm.id === `${did}${kidWithHash}`);
+                if (!verificationMethod) {
+                    throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND, `Verification method not found for kid: ${kid}`, {
+                        did,
+                        kid,
+                        availableKids: didDoc.verificationMethod.map((vm) => vm.id),
+                    });
+                }
+            }
+            else {
+                verificationMethod = didDoc.verificationMethod[0];
+            }
+            if (!verificationMethod?.publicKeyJwk) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.PUBLIC_KEY_NOT_FOUND, `Public key JWK not found in verification method`, { did, kid, verificationMethodId: verificationMethod?.id });
+            }
+            const jwk = verificationMethod.publicKeyJwk;
+            // Validate it's an Ed25519 key
+            if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || !jwk.x) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.INVALID_JWK_FORMAT, `Unsupported key type or curve: kty=${jwk.kty}, crv=${jwk.crv}`, { did, kid, jwk: { kty: jwk.kty, crv: jwk.crv } });
+            }
+            return jwk;
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.ProofVerificationError) {
+                throw error;
+            }
+            console.error("[ProofVerifier] Failed to fetch public key from DID:", error);
+            throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.DID_RESOLUTION_FAILED, `DID resolution failed: ${error instanceof Error ? error.message : String(error)}`, {
+                did,
+                kid,
+                originalError: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    /**
+     * Build canonical payload from proof meta
+     *
+     * CRITICAL: This must reconstruct the exact JWS payload structure that was originally signed.
+     * The original JWS payload uses standard JWT claims (aud, sub, iss) plus custom proof claims,
+     * NOT the proof.meta structure directly.
+     *
+     * @param meta - Proof metadata
+     * @returns Canonical JSON string matching the original JWS payload structure
+     */
+    buildCanonicalPayload(meta) {
+        // Reconstruct the original JWS payload structure that was signed
+        // This matches the structure used in proof generation (proof.ts, proof-generator.ts)
+        const payload = {
+            // Standard JWT claims (RFC 7519) - these are what was actually signed
+            aud: meta.audience, // Audience (who the token is for)
+            sub: meta.did, // Subject (agent DID)
+            iss: meta.did, // Issuer (agent DID - self-issued)
+            // Custom MCP-I proof claims
+            requestHash: meta.requestHash,
+            responseHash: meta.responseHash,
+            ts: meta.ts,
+            nonce: meta.nonce,
+            sessionId: meta.sessionId,
+            // Optional claims (only include if present)
+            ...(meta.scopeId && { scopeId: meta.scopeId }),
+            ...(meta.delegationRef && { delegationRef: meta.delegationRef }),
+            ...(meta.clientDid && { clientDid: meta.clientDid }),
+        };
+        // Canonicalize the reconstructed payload using the same function as proof generation
+        // CRITICAL: Must use json-canonicalize canonicalize() to match proof.ts exactly
+        return (0, json_canonicalize_1.canonicalize)(payload);
+    }
+}
+exports.ProofVerifier = ProofVerifier;
+//# sourceMappingURL=proof-verifier.js.map

package/dist/services/proof-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof-verifier.js","sourceRoot":"","sources":["../../src/services/proof-verifier.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,2DAAqE;AAKrE,mDAGiC;AACjC,yDAAiD;AACjD,2CAIqB;AAmBrB,MAAa,aAAa;IAChB,aAAa,CAAgB;IAC7B,KAAK,CAAgB;IACrB,UAAU,CAAqB;IAC/B,KAAK,CAAgB;IACrB,oBAAoB,CAAS;IAC7B,eAAe,CAAS;IAEhC,YAAY,MAA2B;QACrC,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC9D,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAC5C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC;QAClC,IAAI,CAAC,oBAAoB,GAAG,MAAM,CAAC,oBAAoB,IAAI,GAAG,CAAC,CAAC,oBAAoB;QACpF,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,GAAG,CAAC,CAAC,oBAAoB;IAC5E,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CACf,KAAoB,EACpB,YAAwB;QAExB,IAAI,CAAC;YACH,8BAA8B;YAC9B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;YACrE,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YACD,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAM,CAAC;YAElD,mCAAmC;YACnC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAC9C,cAAc,CAAC,IAAI,CAAC,KAAK,CAC1B,CAAC;YACF,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC3B,OAAO,eAAe,CAAC;YACzB,CAAC;YAED,0BAA0B;YAC1B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CACtD,cAAc,CAAC,IAAI,CAAC,EAAE,CACvB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,mDAAmD;YACnD,MAAM,sBAAsB,GAAG,IAAI,CAAC,qBAAqB,CACvD,cAAc,CAAC,IAAI,CACpB,CAAC;YACF,MAAM,qBAAqB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACpD,sBAAsB,CACvB,CAAC;YAEF,0DAA0D;YAC1D,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,eAAe,CACpD,cAAc,CAAC,GAAG,EAClB,YAAY,EACZ,qBAAqB,EACrB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,0CAA0C;YAC1C,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEtD,OAAO;gBACL,KAAK,EAAE,IAAI;aACZ,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iEAAiE;YACjE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0BAA0B;gBAClC,SAAS,EAAE,0CAA8B,CAAC,kBAAkB;gBAC5D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChE,OAAO,EAAE;oBACP,YAAY,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBACrE;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CACvB,KAAoB,EACpB,gBAAqC,EACrC,YAAwB;QAExB,IAAI,CAAC;YACH,8BAA8B;YAC9B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;YACrE,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YACD,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAM,CAAC;YAElD,mCAAmC;YACnC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAC9C,cAAc,CAAC,IAAI,CAAC,KAAK,CAC1B,CAAC;YACF,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC3B,OAAO,eAAe,CAAC;YACzB,CAAC;YAED,0BAA0B;YAC1B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CACtD,cAAc,CAAC,IAAI,CAAC,EAAE,CACvB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,uDAAuD;YACvD,MAAM,qBAAqB,GACzB,gBAAgB,YAAY,UAAU;gBACpC,CAAC,CAAC,gBAAgB;gBAClB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAEjD,gDAAgD;YAChD,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,eAAe,CACpD,cAAc,CAAC,GAAG,EAClB,YAAY,EACZ,qBAAqB,EACrB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,wBAAwB;YACxB,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEtD,OAAO;gBACL,KAAK,EAAE,IAAI;aACZ,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iEAAiE;YACjE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0BAA0B;gBAClC,SAAS,EAAE,0CAA8B,CAAC,kBAAkB;gBAC5D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChE,OAAO,EAAE;oBACP,YAAY,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBACrE;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,sBAAsB,CAClC,KAAoB;QAEpB,MAAM,gBAAgB,GAAG,2BAAmB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,yBAAyB;gBACjC,SAAS,EAAE,0CAA8B,CAAC,uBAAuB;gBACjE,KAAK,EAAE,IAAI,KAAK,CACd,4BAA4B,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,CAC7D;gBACD,OAAO,EAAE;oBACP,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC,MAAM;iBACzC;aACF,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,gBAAgB,CAAC,IAAI;SAC7B,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,aAAa,CAAC,KAAa;QACvC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,6CAA6C;gBACrD,SAAS,EAAE,0CAA8B,CAAC,qBAAqB;gBAC/D,OAAO,EAAE;oBACP,KAAK;iBACN;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,iBAAiB,CAC7B,SAAiB;QAEjB,6EAA6E;QAC7E,MAAM,WAAW,GAAG,SAAS,GAAG,IAAI,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC;YACrE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uCAAuC,IAAI,CAAC,oBAAoB,IAAI;gBAC5E,SAAS,EAAE,0CAA8B,CAAC,uBAAuB;gBACjE,OAAO,EAAE;oBACP,SAAS;oBACT,WAAW;oBACX,WAAW,EAAE,IAAI,CAAC,oBAAoB;oBACtC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;iBAC9B;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,eAAe,CAC3B,GAAW,EACX,YAAwB,EACxB,qBAAiC,EACjC,WAAoB;QAEpB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CACvD,GAAG,EACH,YAAY,EACZ;YACE,eAAe,EAAE,qBAAqB;YACtC,WAAW;YACX,GAAG,EAAE,OAAO;SACb,CACF,CAAC;QAEF,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uBAAuB;gBAC/B,SAAS,EAAE,0CAA8B,CAAC,qBAAqB;gBAC/D,OAAO,EAAE;oBACP,SAAS,EAAE,GAAG,CAAC,MAAM;oBACrB,WAAW;oBACX,SAAS,EAAE,YAAY,CAAC,GAAG;iBAC5B;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,eAAe,CAAC,KAAa;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACnE,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,qBAAqB,CACzB,GAAW,EACX,GAAY;QAEZ,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YAEhD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,sBAAsB,EACrD,2BAA2B,GAAG,EAAE,EAChC,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,IACE,CAAC,MAAM,CAAC,kBAAkB;gBAC1B,MAAM,CAAC,kBAAkB,CAAC,MAAM,KAAK,CAAC,EACtC,CAAC;gBACD,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,6BAA6B,EAC5D,kDAAkD,GAAG,EAAE,EACvD,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,mDAAmD;YACnD,IAAI,kBAES,CAAC;YACd,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC;gBAC1D,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CACjD,CAAC,EAAkB,EAAE,EAAE,CACrB,EAAE,CAAC,EAAE,KAAK,WAAW,IAAI,EAAE,CAAC,EAAE,KAAK,GAAG,GAAG,GAAG,WAAW,EAAE,CAC5D,CAAC;gBAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,6BAA6B,EAC5D,0CAA0C,GAAG,EAAE,EAC/C;wBACE,GAAG;wBACH,GAAG;wBACH,aAAa,EAAE,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAC1C,CAAC,EAAkB,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAC9B;qBACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,CAAC,kBAAkB,EAAE,YAAY,EAAE,CAAC;gBACtC,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,oBAAoB,EACnD,iDAAiD,EACjD,EAAE,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAC3D,CAAC;YACJ,CAAC;YAED,MAAM,GAAG,GAAG,kBAAkB,CAAC,YAK9B,CAAC;YAEF,+BAA+B;YAC/B,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,kBAAkB,EACjD,sCAAsC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,GAAG,EAAE,EAC/D,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,CAClD,CAAC;YACJ,CAAC;YAED,OAAO,GAAiB,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,kCAAsB,EAAE,CAAC;gBAC5C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,OAAO,CAAC,KAAK,CACX,sDAAsD,EACtD,KAAK,CACN,CAAC;YACF,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,qBAAqB,EACpD,0BAA0B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAClF;gBACE,GAAG;gBACH,GAAG;gBACH,aAAa,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aACtE,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACH,qBAAqB,CAAC,IAA2B;QAC/C,iEAAiE;QACjE,qFAAqF;QACrF,MAAM,OAAO,GAAG;YACd,sEAAsE;YACtE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,kCAAkC;YACtD,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,sBAAsB;YACrC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,mCAAmC;YAElD,4BAA4B;YAC5B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YAEzB,4CAA4C;YAC5C,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;YAC9C,GAAG,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;YAChE,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;SACrD,CAAC;QAEF,qFAAqF;QACrF,gFAAgF;QAChF,OAAO,IAAA,gCAAY,EAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;CACF;AAtaD,sCAsaC"}

package/dist/utils/base64.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Base64URL Encoding/Decoding Utilities
+ *
+ * Environment-aware base64url helpers that work in both Node.js and Cloudflare Workers.
+ * Uses Buffer in Node.js, TextEncoder/Decoder fallback for Workers.
+ */
+/**
+ * Decode base64url string to string
+ */
+export declare function base64urlDecodeToString(input: string): string;
+/**
+ * Decode base64url string to Uint8Array
+ */
+export declare function base64urlDecodeToBytes(input: string): Uint8Array;
+/**
+ * Encode string to base64url
+ */
+export declare function base64urlEncodeFromString(input: string): string;
+/**
+ * Encode Uint8Array to base64url
+ */
+export declare function base64urlEncodeFromBytes(bytes: Uint8Array): string;
+/**
+ * Convert bytes to standard base64 (not base64url)
+ */
+export declare function bytesToBase64(bytes: Uint8Array): string;
+/**
+ * Convert standard base64 to bytes
+ */
+export declare function base64ToBytes(base64: string): Uint8Array;
+//# sourceMappingURL=base64.d.ts.map

package/dist/utils/base64.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64.d.ts","sourceRoot":"","sources":["../../src/utils/base64.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CA+B7D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAuBhE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAU/D;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAalE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAWvD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAaxD"}

package/dist/utils/base64.js

@@ -0,0 +1,138 @@
+"use strict";
+/**
+ * Base64URL Encoding/Decoding Utilities
+ *
+ * Environment-aware base64url helpers that work in both Node.js and Cloudflare Workers.
+ * Uses Buffer in Node.js, TextEncoder/Decoder fallback for Workers.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.base64urlDecodeToString = base64urlDecodeToString;
+exports.base64urlDecodeToBytes = base64urlDecodeToBytes;
+exports.base64urlEncodeFromString = base64urlEncodeFromString;
+exports.base64urlEncodeFromBytes = base64urlEncodeFromBytes;
+exports.bytesToBase64 = bytesToBase64;
+exports.base64ToBytes = base64ToBytes;
+/**
+ * Decode base64url string to string
+ */
+function base64urlDecodeToString(input) {
+    const padded = addPadding(input);
+    const base64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    // For platforms that don't have Buffer (e.g., Cloudflare Workers)
+    if (typeof atob !== "undefined") {
+        try {
+            return atob(base64);
+        }
+        catch (error) {
+            throw new Error(`Invalid base64url string: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    // For Node.js environments - Buffer.from doesn't throw for invalid base64
+    // We need to validate by checking if the input contains only valid base64 characters
+    // Base64 characters: A-Z, a-z, 0-9, +, /, = (padding)
+    const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
+    if (!base64Regex.test(base64)) {
+        throw new Error("Invalid base64url string: contains invalid characters");
+    }
+    try {
+        const decoded = Buffer.from(base64, "base64").toString("utf-8");
+        return decoded;
+    }
+    catch (error) {
+        throw new Error(`Invalid base64url string: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+/**
+ * Decode base64url string to Uint8Array
+ */
+function base64urlDecodeToBytes(input) {
+    const padded = addPadding(input);
+    const base64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    // For platforms that don't have Buffer (e.g., Cloudflare Workers)
+    if (typeof atob !== "undefined") {
+        try {
+            const binaryString = atob(base64);
+            const bytes = new Uint8Array(binaryString.length);
+            for (let i = 0; i < binaryString.length; i++) {
+                bytes[i] = binaryString.charCodeAt(i);
+            }
+            return bytes;
+        }
+        catch (error) {
+            throw new Error(`Invalid base64url string: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    // For Node.js environments - Buffer.from doesn't throw, so we can't validate here
+    // The caller should validate the result if needed
+    return new Uint8Array(Buffer.from(base64, "base64"));
+}
+/**
+ * Encode string to base64url
+ */
+function base64urlEncodeFromString(input) {
+    // For platforms that don't have Buffer
+    if (typeof btoa !== "undefined") {
+        const base64 = btoa(input);
+        return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    }
+    // For Node.js environments
+    const base64 = Buffer.from(input, "utf-8").toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/**
+ * Encode Uint8Array to base64url
+ */
+function base64urlEncodeFromBytes(bytes) {
+    // For platforms that don't have Buffer
+    if (typeof btoa !== "undefined") {
+        const binaryString = Array.from(bytes)
+            .map((byte) => String.fromCharCode(byte))
+            .join("");
+        const base64 = btoa(binaryString);
+        return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    }
+    // For Node.js environments
+    const base64 = Buffer.from(bytes).toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/**
+ * Convert bytes to standard base64 (not base64url)
+ */
+function bytesToBase64(bytes) {
+    // For platforms that don't have Buffer
+    if (typeof btoa !== "undefined") {
+        const binaryString = Array.from(bytes)
+            .map((byte) => String.fromCharCode(byte))
+            .join("");
+        return btoa(binaryString);
+    }
+    // For Node.js environments
+    return Buffer.from(bytes).toString("base64");
+}
+/**
+ * Convert standard base64 to bytes
+ */
+function base64ToBytes(base64) {
+    // For platforms that don't have Buffer
+    if (typeof atob !== "undefined") {
+        const binaryString = atob(base64);
+        const bytes = new Uint8Array(binaryString.length);
+        for (let i = 0; i < binaryString.length; i++) {
+            bytes[i] = binaryString.charCodeAt(i);
+        }
+        return bytes;
+    }
+    // For Node.js environments
+    return new Uint8Array(Buffer.from(base64, "base64"));
+}
+/**
+ * Add padding to base64url string if needed
+ */
+function addPadding(input) {
+    const remainder = input.length % 4;
+    if (remainder === 0) {
+        return input;
+    }
+    return input + "=".repeat((4 - remainder) % 4);
+}
+//# sourceMappingURL=base64.js.map

package/dist/utils/base64.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64.js","sourceRoot":"","sources":["../../src/utils/base64.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAKH,0DA+BC;AAKD,wDAuBC;AAKD,8DAUC;AAKD,4DAaC;AAKD,sCAWC;AAKD,sCAaC;AAjID;;GAEG;AACH,SAAgB,uBAAuB,CAAC,KAAa;IACnD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAE5D,kEAAkE;IAClE,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,qFAAqF;IACrF,sDAAsD;IACtD,MAAM,WAAW,GAAG,wBAAwB,CAAC;IAC7C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChE,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,KAAa;IAClD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAE5D,kEAAkE;IAClE,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;YAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACxC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,kFAAkF;IAClF,kDAAkD;IAClD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,SAAgB,yBAAyB,CAAC,KAAa;IACrD,uCAAuC;IACvC,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,2BAA2B;IAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CAAC,KAAiB;IACxD,uCAAuC;IACvC,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;aACnC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;aACxC,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,2BAA2B;IAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAAC,KAAiB;IAC7C,uCAAuC;IACvC,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;aACnC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;aACxC,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,OAAO,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5B,CAAC;IAED,2BAA2B;IAC3B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAAC,MAAc;IAC1C,uCAAuC;IACvC,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2BAA2B;IAC3B,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IACnC,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;QACpB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;AACjD,CAAC"}

package/dist/utils/index.d.ts

@@ -1,5 +1,7 @@
 /**
  * Utility exports
  */
-export * from './cors';
+export * from "./cors";
+export * from "./base64";
+export * from "./storage-keys";
 //# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,QAAQ,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,QAAQ,CAAC;AACvB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC"}

package/dist/utils/index.js

@@ -18,4 +18,6 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./cors"), exports);
+__exportStar(require("./base64"), exports);
+__exportStar(require("./storage-keys"), exports);
 //# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;AAEH,yCAAuB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;AAEH,yCAAuB;AACvB,2CAAyB;AACzB,iDAA+B"}

package/dist/utils/storage-keys.d.ts

@@ -0,0 +1,119 @@
+/**
+ * Storage Key Migration Utilities
+ *
+ * Provides utilities for migrating from old storage key formats to new composite formats.
+ * This supports Phase 3 Task 2 (StorageService) and Phase 4 (User DID identity linking).
+ *
+ * @package @kya-os/mcp-i-core
+ */
+/**
+ * Legacy storage key format (agent-only, causes multi-tenant conflicts)
+ * Format: `agent:${agentDid}:delegation`
+ */
+export declare function legacyDelegationKey(agentDid: string): string;
+/**
+ * New composite storage key format (user+agent scoped, prevents conflicts)
+ * Format: `delegation:user:${userDid}:agent:${agentDid}:project:${projectId}`
+ *
+ * Note: projectId is optional for backward compatibility
+ */
+export declare function compositeDelegationKey(userDid: string, agentDid: string, projectId?: string): string;
+/**
+ * Session cache key format
+ * Format: `session:${sessionId}`
+ */
+export declare function sessionKey(sessionId: string): string;
+/**
+ * User DID storage key format
+ * Format: `userDid:oauth:${provider}:${subject}`
+ */
+export declare function userDidKey(provider: string, subject: string): string;
+/**
+ * OAuth identity mapping key format
+ * Format: `oauth:${provider}:${subject}`
+ */
+export declare function oauthIdentityKey(provider: string, subject: string): string;
+/**
+ * Verification cache key format
+ * Format: `verified:${tokenHash}`
+ */
+export declare function verificationCacheKey(tokenHash: string): string;
+/**
+ * Nonce tracking key format
+ * Format: `nonce:${nonce}`
+ */
+export declare function nonceKey(nonce: string): string;
+/**
+ * Storage key migration result
+ */
+export interface MigrationResult {
+    /** Number of keys migrated */
+    migrated: number;
+    /** Number of keys that failed to migrate */
+    failed: number;
+    /** List of migrated key pairs (old -> new) */
+    migrations: Array<{
+        oldKey: string;
+        newKey: string;
+    }>;
+    /** List of errors encountered */
+    errors: Array<{
+        key: string;
+        error: string;
+    }>;
+}
+/**
+ * Storage provider interface for migration operations
+ *
+ * Matches the base StorageProvider abstract class contract.
+ */
+export interface StorageProvider {
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<void>;
+    delete(key: string): Promise<void>;
+    list(prefix?: string): Promise<string[]>;
+}
+/**
+ * Migrate delegation keys from legacy format to composite format
+ *
+ * This function:
+ * 1. Finds all legacy keys (`agent:${did}:delegation`)
+ * 2. Attempts to extract userDid from session data or OAuth mappings
+ * 3. Creates new composite keys (`delegation:user:${userDid}:agent:${agentDid}`)
+ * 4. Copies values to new keys
+ * 5. Optionally deletes old keys (dry-run mode available)
+ *
+ * @param storage - Storage provider instance
+ * @param options - Migration options
+ * @returns Migration result with statistics
+ */
+export declare function migrateDelegationKeys(storage: StorageProvider, options?: {
+    /** If true, only report what would be migrated without making changes */
+    dryRun?: boolean;
+    /** If true, delete old keys after successful migration */
+    deleteOldKeys?: boolean;
+    /** Optional userDid resolver function (if not provided, attempts to extract from session) */
+    resolveUserDid?: (agentDid: string, sessionId?: string) => Promise<string | null>;
+}): Promise<MigrationResult>;
+/**
+ * Storage key constants for consistent namespace management
+ *
+ * These match the Phase 4 storage key architecture.
+ */
+export declare const STORAGE_KEYS: {
+    /** User DID storage (persistent - 90 days) */
+    readonly userDid: typeof userDidKey;
+    /** OAuth identity mapping (persistent - 90 days) */
+    readonly oauthIdentity: typeof oauthIdentityKey;
+    /** User+Agent delegation tokens (persistent - 7 days) */
+    readonly delegation: typeof compositeDelegationKey;
+    /** Session cache (temporary - 30 minutes) */
+    readonly session: typeof sessionKey;
+    /** Legacy delegation format (deprecated - 24 hours) */
+    readonly legacyDelegation: typeof legacyDelegationKey;
+    /** Verification cache (temporary - 5 minutes) */
+    readonly verificationCache: typeof verificationCacheKey;
+    /** Nonce tracking (temporary - 5 minutes) */
+    readonly nonce: typeof nonceKey;
+};
+//# sourceMappingURL=storage-keys.d.ts.map