@kya-os/mcp-i-core 1.1.13-canary.2 → 1.1.14-canary.1

package/dist/services/crypto.service.d.ts

@@ -0,0 +1,69 @@
+/**
+ * CryptoService
+ *
+ * Centralized cryptographic operations service that provides consistent
+ * signature verification across all platforms (Cloudflare, Node.js, etc.).
+ *
+ * This service eliminates code duplication and ensures cryptographic operations
+ * behave identically everywhere.
+ */
+import { CryptoProvider } from "../providers/base.js";
+/**
+ * Minimal JWK interface to avoid external dependencies
+ */
+export interface Ed25519JWK {
+    kty: "OKP";
+    crv: "Ed25519";
+    x: string;
+    kid?: string;
+    use?: string;
+}
+/**
+ * JWS parsing result
+ */
+export interface ParsedJWS {
+    header: Record<string, unknown>;
+    payload?: Record<string, unknown>;
+    signatureBytes: Uint8Array;
+    signingInput: string;
+}
+export declare class CryptoService {
+    private cryptoProvider;
+    constructor(cryptoProvider: CryptoProvider);
+    /**
+     * Verify raw Ed25519 signature
+     * @param data - Data that was signed
+     * @param signature - Signature bytes
+     * @param publicKey - Base64 encoded Ed25519 public key (32 bytes)
+     */
+    verifyEd25519(data: Uint8Array, signature: Uint8Array, publicKey: string): Promise<boolean>;
+    /**
+     * Parse JWS into components
+     * @param jws - Full compact JWS string (header.payload.signature)
+     * @returns Parsed JWS components
+     */
+    parseJWS(jws: string): ParsedJWS;
+    /**
+     * Verify JWS signature (full compact format: header.payload.signature)
+     * @param jws - Full compact JWS string (or detached format: header..signature)
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @param options - Verification options
+     * @param options.detachedPayload - Optional detached payload (Uint8Array or string) for detached JWS format
+     * @param options.expectedKid - Optional expected key ID to validate
+     * @param options.alg - Optional expected algorithm (defaults to 'EdDSA')
+     */
+    verifyJWS(jws: string, publicKeyJwk: Ed25519JWK, options?: {
+        detachedPayload?: Uint8Array | string;
+        expectedKid?: string;
+        alg?: "EdDSA";
+    }): Promise<boolean>;
+    /**
+     * Validate Ed25519 JWK format
+     */
+    private isValidEd25519JWK;
+    /**
+     * Convert Ed25519 JWK to base64 encoded public key
+     */
+    private jwkToBase64PublicKey;
+}
+//# sourceMappingURL=crypto.service.d.ts.map

package/dist/services/crypto.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.service.d.ts","sourceRoot":"","sources":["../../src/services/crypto.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAStD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,KAAK,CAAC;IACX,GAAG,EAAE,SAAS,CAAC;IACf,CAAC,EAAE,MAAM,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,cAAc,EAAE,UAAU,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,aAAa;IACZ,OAAO,CAAC,cAAc;gBAAd,cAAc,EAAE,cAAc;IAElD;;;;;OAKG;IACG,aAAa,CACjB,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC;IAgBnB;;;;OAIG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS;IA4DhC;;;;;;;;OAQG;IACG,SAAS,CACb,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,UAAU,EACxB,OAAO,CAAC,EAAE;QACR,eAAe,CAAC,EAAE,UAAU,GAAG,MAAM,CAAC;QACtC,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,GAAG,CAAC,EAAE,OAAO,CAAC;KACf,GACA,OAAO,CAAC,OAAO,CAAC;IAoHnB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAczB;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAc7B"}

package/dist/services/crypto.service.js

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * CryptoService
+ *
+ * Centralized cryptographic operations service that provides consistent
+ * signature verification across all platforms (Cloudflare, Node.js, etc.).
+ *
+ * This service eliminates code duplication and ensures cryptographic operations
+ * behave identically everywhere.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoService = void 0;
+const base64_js_1 = require("../utils/base64.js");
+class CryptoService {
+    cryptoProvider;
+    constructor(cryptoProvider) {
+        this.cryptoProvider = cryptoProvider;
+    }
+    /**
+     * Verify raw Ed25519 signature
+     * @param data - Data that was signed
+     * @param signature - Signature bytes
+     * @param publicKey - Base64 encoded Ed25519 public key (32 bytes)
+     */
+    async verifyEd25519(data, signature, publicKey) {
+        try {
+            const result = await this.cryptoProvider.verify(data, signature, publicKey);
+            // Ensure we always return a boolean (handle undefined from unmocked providers)
+            return result === true;
+        }
+        catch (error) {
+            // Log error for debugging but return false for invalid signatures
+            console.error("[CryptoService] Ed25519 verification error:", error);
+            return false;
+        }
+    }
+    /**
+     * Parse JWS into components
+     * @param jws - Full compact JWS string (header.payload.signature)
+     * @returns Parsed JWS components
+     */
+    parseJWS(jws) {
+        const parts = jws.split(".");
+        if (parts.length !== 3) {
+            throw new Error("Invalid JWS format: expected header.payload.signature");
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Decode header
+        let header;
+        try {
+            header = JSON.parse((0, base64_js_1.base64urlDecodeToString)(headerB64));
+        }
+        catch (error) {
+            throw new Error(`Invalid header base64: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        // Decode payload (optional, may be detached)
+        let payload;
+        if (payloadB64) {
+            try {
+                payload = JSON.parse((0, base64_js_1.base64urlDecodeToString)(payloadB64));
+            }
+            catch (error) {
+                // Payload decoding failed - this is an error for non-detached JWS
+                // Re-throw to let caller handle it (they can check if it's detached format)
+                throw new Error(`Invalid payload base64: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Decode signature bytes
+        let signatureBytes;
+        try {
+            signatureBytes = (0, base64_js_1.base64urlDecodeToBytes)(signatureB64);
+        }
+        catch (error) {
+            // Invalid signature base64 - this is a fatal error
+            throw new Error(`Invalid signature base64: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        // Create signing input (header.payload)
+        const signingInput = `${headerB64}.${payloadB64}`;
+        return {
+            header,
+            payload,
+            signatureBytes,
+            signingInput,
+        };
+    }
+    /**
+     * Verify JWS signature (full compact format: header.payload.signature)
+     * @param jws - Full compact JWS string (or detached format: header..signature)
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @param options - Verification options
+     * @param options.detachedPayload - Optional detached payload (Uint8Array or string) for detached JWS format
+     * @param options.expectedKid - Optional expected key ID to validate
+     * @param options.alg - Optional expected algorithm (defaults to 'EdDSA')
+     */
+    async verifyJWS(jws, publicKeyJwk, options) {
+        try {
+            // Validate JWK format
+            if (!this.isValidEd25519JWK(publicKeyJwk)) {
+                console.error("[CryptoService] Invalid Ed25519 JWK format");
+                return false;
+            }
+            // Validate expected kid if provided
+            if (options?.expectedKid && publicKeyJwk.kid !== options.expectedKid) {
+                console.error("[CryptoService] Key ID mismatch");
+                return false;
+            }
+            // Parse JWS components - handle malformed JWS gracefully
+            let parsed;
+            try {
+                parsed = this.parseJWS(jws);
+            }
+            catch (error) {
+                // Malformed JWS - check if it's detached format with provided payload
+                if (options?.detachedPayload !== undefined) {
+                    const parts = jws.split(".");
+                    if (parts.length === 3 && parts[1] === "") {
+                        // Detached format: header..signature
+                        try {
+                            const headerB64 = parts[0];
+                            const signatureB64 = parts[2];
+                            const header = JSON.parse((0, base64_js_1.base64urlDecodeToString)(headerB64));
+                            const signatureBytes = (0, base64_js_1.base64urlDecodeToBytes)(signatureB64);
+                            parsed = {
+                                header,
+                                payload: undefined,
+                                signatureBytes,
+                                signingInput: "", // Will be reconstructed below
+                            };
+                        }
+                        catch {
+                            console.error("[CryptoService] Invalid detached JWS format");
+                            return false;
+                        }
+                    }
+                    else {
+                        console.error("[CryptoService] Invalid JWS format:", error);
+                        return false;
+                    }
+                }
+                else {
+                    console.error("[CryptoService] Invalid JWS format:", error);
+                    return false;
+                }
+            }
+            // Validate algorithm
+            const expectedAlg = options?.alg || "EdDSA";
+            if (parsed.header.alg !== expectedAlg) {
+                console.error(`[CryptoService] Unsupported algorithm: ${parsed.header.alg}, expected ${expectedAlg}`);
+                return false;
+            }
+            // Handle detached payload if provided
+            let signingInput;
+            let signingInputBytes;
+            if (options?.detachedPayload !== undefined) {
+                // Detached format: reconstruct signing input from header + detached payload
+                const headerB64 = jws.split(".")[0];
+                let payloadB64;
+                if (options.detachedPayload instanceof Uint8Array) {
+                    // Uint8Array payload
+                    payloadB64 = (0, base64_js_1.base64urlEncodeFromBytes)(options.detachedPayload);
+                }
+                else {
+                    // String payload (backward compatibility)
+                    payloadB64 = (0, base64_js_1.base64urlEncodeFromBytes)(new TextEncoder().encode(options.detachedPayload));
+                }
+                signingInput = `${headerB64}.${payloadB64}`;
+                signingInputBytes = new TextEncoder().encode(signingInput);
+            }
+            else {
+                // Full compact format: use parsed signing input
+                if (!parsed.signingInput) {
+                    console.error("[CryptoService] Missing signing input for compact JWS");
+                    return false;
+                }
+                signingInput = parsed.signingInput;
+                signingInputBytes = new TextEncoder().encode(signingInput);
+            }
+            // Extract raw public key from JWK
+            let publicKeyBase64;
+            try {
+                publicKeyBase64 = this.jwkToBase64PublicKey(publicKeyJwk);
+            }
+            catch (error) {
+                console.error("[CryptoService] Failed to extract public key:", error);
+                return false;
+            }
+            // Verify signature
+            return await this.verifyEd25519(signingInputBytes, parsed.signatureBytes, publicKeyBase64);
+        }
+        catch (error) {
+            // Security-safe failure: never throw, always return false
+            console.error("[CryptoService] JWS verification error:", error);
+            return false;
+        }
+    }
+    /**
+     * Validate Ed25519 JWK format
+     */
+    isValidEd25519JWK(jwk) {
+        return (typeof jwk === "object" &&
+            jwk !== null &&
+            "kty" in jwk &&
+            jwk.kty === "OKP" &&
+            "crv" in jwk &&
+            jwk.crv === "Ed25519" &&
+            "x" in jwk &&
+            typeof jwk.x === "string" &&
+            jwk.x.length > 0);
+    }
+    /**
+     * Convert Ed25519 JWK to base64 encoded public key
+     */
+    jwkToBase64PublicKey(jwk) {
+        // The 'x' field contains the base64url encoded public key
+        // Convert from base64url to standard base64
+        const publicKeyBytes = (0, base64_js_1.base64urlDecodeToBytes)(jwk.x);
+        // Verify key length (Ed25519 public keys are 32 bytes)
+        if (publicKeyBytes.length !== 32) {
+            throw new Error(`Invalid Ed25519 public key length: ${publicKeyBytes.length}`);
+        }
+        return (0, base64_js_1.bytesToBase64)(publicKeyBytes);
+    }
+}
+exports.CryptoService = CryptoService;
+//# sourceMappingURL=crypto.service.js.map

package/dist/services/crypto.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.service.js","sourceRoot":"","sources":["../../src/services/crypto.service.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAGH,kDAM4B;AAuB5B,MAAa,aAAa;IACJ;IAApB,YAAoB,cAA8B;QAA9B,mBAAc,GAAd,cAAc,CAAgB;IAAG,CAAC;IAEtD;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CACjB,IAAgB,EAChB,SAAqB,EACrB,SAAiB;QAEjB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAC7C,IAAI,EACJ,SAAS,EACT,SAAS,CACV,CAAC;YACF,+EAA+E;YAC/E,OAAO,MAAM,KAAK,IAAI,CAAC;QACzB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,kEAAkE;YAClE,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,QAAQ,CAAC,GAAW;QAClB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,gBAAgB;QAChB,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,mCAAuB,EAAC,SAAS,CAAC,CAGrD,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,0BAA0B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnF,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,OAA4C,CAAC;QACjD,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,mCAAuB,EAAC,UAAU,CAAC,CAGvD,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,kEAAkE;gBAClE,4EAA4E;gBAC5E,MAAM,IAAI,KAAK,CACb,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,IAAI,cAA0B,CAAC;QAC/B,IAAI,CAAC;YACH,cAAc,GAAG,IAAA,kCAAsB,EAAC,YAAY,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mDAAmD;YACnD,MAAM,IAAI,KAAK,CACb,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAElD,OAAO;YACL,MAAM;YACN,OAAO;YACP,cAAc;YACd,YAAY;SACb,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,SAAS,CACb,GAAW,EACX,YAAwB,EACxB,OAIC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC1C,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;gBAC5D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,oCAAoC;YACpC,IAAI,OAAO,EAAE,WAAW,IAAI,YAAY,CAAC,GAAG,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;gBACrE,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBACjD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,yDAAyD;YACzD,IAAI,MAAiB,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,sEAAsE;gBACtE,IAAI,OAAO,EAAE,eAAe,KAAK,SAAS,EAAE,CAAC;oBAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;wBAC1C,qCAAqC;wBACrC,IAAI,CAAC;4BACH,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC3B,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAA,mCAAuB,EAAC,SAAS,CAAC,CACR,CAAC;4BAC7B,MAAM,cAAc,GAAG,IAAA,kCAAsB,EAAC,YAAY,CAAC,CAAC;4BAE5D,MAAM,GAAG;gCACP,MAAM;gCACN,OAAO,EAAE,SAAS;gCAClB,cAAc;gCACd,YAAY,EAAE,EAAE,EAAE,8BAA8B;6BACjD,CAAC;wBACJ,CAAC;wBAAC,MAAM,CAAC;4BACP,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;4BAC7D,OAAO,KAAK,CAAC;wBACf,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;wBAC5D,OAAO,KAAK,CAAC;oBACf,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;oBAC5D,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,MAAM,WAAW,GAAG,OAAO,EAAE,GAAG,IAAI,OAAO,CAAC;YAC5C,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;gBACtC,OAAO,CAAC,KAAK,CACX,0CAA0C,MAAM,CAAC,MAAM,CAAC,GAAG,cAAc,WAAW,EAAE,CACvF,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,sCAAsC;YACtC,IAAI,YAAoB,CAAC;YACzB,IAAI,iBAA6B,CAAC;YAElC,IAAI,OAAO,EAAE,eAAe,KAAK,SAAS,EAAE,CAAC;gBAC3C,4EAA4E;gBAC5E,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpC,IAAI,UAAkB,CAAC;gBAEvB,IAAI,OAAO,CAAC,eAAe,YAAY,UAAU,EAAE,CAAC;oBAClD,qBAAqB;oBACrB,UAAU,GAAG,IAAA,oCAAwB,EAAC,OAAO,CAAC,eAAe,CAAC,CAAC;gBACjE,CAAC;qBAAM,CAAC;oBACN,0CAA0C;oBAC1C,UAAU,GAAG,IAAA,oCAAwB,EACnC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAClD,CAAC;gBACJ,CAAC;gBAED,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;gBAC5C,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,gDAAgD;gBAChD,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBACzB,OAAO,CAAC,KAAK,CACX,uDAAuD,CACxD,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;gBACnC,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,CAAC;YAED,kCAAkC;YAClC,IAAI,eAAuB,CAAC;YAC5B,IAAI,CAAC;gBACH,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAC;YAC5D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBACtE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,mBAAmB;YACnB,OAAO,MAAM,IAAI,CAAC,aAAa,CAC7B,iBAAiB,EACjB,MAAM,CAAC,cAAc,EACrB,eAAe,CAChB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,0DAA0D;YAC1D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;YAChE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,GAAY;QACpC,OAAO,CACL,OAAO,GAAG,KAAK,QAAQ;YACvB,GAAG,KAAK,IAAI;YACZ,KAAK,IAAI,GAAG;YACZ,GAAG,CAAC,GAAG,KAAK,KAAK;YACjB,KAAK,IAAI,GAAG;YACZ,GAAG,CAAC,GAAG,KAAK,SAAS;YACrB,GAAG,IAAI,GAAG;YACV,OAAO,GAAG,CAAC,CAAC,KAAK,QAAQ;YACzB,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CACjB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,GAAe;QAC1C,0DAA0D;QAC1D,4CAA4C;QAC5C,MAAM,cAAc,GAAG,IAAA,kCAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAErD,uDAAuD;QACvD,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,sCAAsC,cAAc,CAAC,MAAM,EAAE,CAC9D,CAAC;QACJ,CAAC;QAED,OAAO,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC;IACvC,CAAC;CACF;AArQD,sCAqQC"}

package/dist/services/errors.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Proof Verification Error Codes and Types
+ *
+ * Specific error codes for proof verification failures to enable
+ * better error handling and debugging.
+ */
+/**
+ * Error codes for proof verification
+ */
+export declare const PROOF_VERIFICATION_ERROR_CODES: {
+    readonly INVALID_PROOF_STRUCTURE: "INVALID_PROOF_STRUCTURE";
+    readonly MISSING_REQUIRED_FIELD: "MISSING_REQUIRED_FIELD";
+    readonly NONCE_REPLAY_DETECTED: "NONCE_REPLAY_DETECTED";
+    readonly TIMESTAMP_SKEW_EXCEEDED: "TIMESTAMP_SKEW_EXCEEDED";
+    readonly TIMESTAMP_INVALID: "TIMESTAMP_INVALID";
+    readonly INVALID_JWS_SIGNATURE: "INVALID_JWS_SIGNATURE";
+    readonly INVALID_JWS_FORMAT: "INVALID_JWS_FORMAT";
+    readonly INVALID_JWS_HEADER: "INVALID_JWS_HEADER";
+    readonly INVALID_JWS_PAYLOAD: "INVALID_JWS_PAYLOAD";
+    readonly INVALID_JWS_SIGNATURE_BASE64: "INVALID_JWS_SIGNATURE_BASE64";
+    readonly UNSUPPORTED_ALGORITHM: "UNSUPPORTED_ALGORITHM";
+    readonly INVALID_JWK_FORMAT: "INVALID_JWK_FORMAT";
+    readonly INVALID_JWK_KTY: "INVALID_JWK_KTY";
+    readonly INVALID_JWK_CRV: "INVALID_JWK_CRV";
+    readonly INVALID_JWK_X_FIELD: "INVALID_JWK_X_FIELD";
+    readonly INVALID_JWK_KEY_LENGTH: "INVALID_JWK_KEY_LENGTH";
+    readonly JWK_KID_MISMATCH: "JWK_KID_MISMATCH";
+    readonly DID_RESOLUTION_FAILED: "DID_RESOLUTION_FAILED";
+    readonly DID_DOCUMENT_NOT_FOUND: "DID_DOCUMENT_NOT_FOUND";
+    readonly VERIFICATION_METHOD_NOT_FOUND: "VERIFICATION_METHOD_NOT_FOUND";
+    readonly PUBLIC_KEY_NOT_FOUND: "PUBLIC_KEY_NOT_FOUND";
+    readonly UNSUPPORTED_DID_METHOD: "UNSUPPORTED_DID_METHOD";
+    readonly VERIFICATION_ERROR: "VERIFICATION_ERROR";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+};
+export type ProofVerificationErrorCode = typeof PROOF_VERIFICATION_ERROR_CODES[keyof typeof PROOF_VERIFICATION_ERROR_CODES];
+/**
+ * Proof verification error with specific error code
+ */
+export declare class ProofVerificationError extends Error {
+    readonly code: ProofVerificationErrorCode;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(code: ProofVerificationErrorCode, message: string, details?: Record<string, unknown> | undefined);
+}
+/**
+ * Create a proof verification error
+ */
+export declare function createProofVerificationError(code: ProofVerificationErrorCode, message: string, details?: Record<string, unknown>): ProofVerificationError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/services/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/services/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;CAoCjC,CAAC;AAEX,MAAM,MAAM,0BAA0B,GACpC,OAAO,8BAA8B,CAAC,MAAM,OAAO,8BAA8B,CAAC,CAAC;AAErF;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,IAAI,EAAE,0BAA0B;aAEhC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFjC,IAAI,EAAE,0BAA0B,EAChD,OAAO,EAAE,MAAM,EACC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAKpD;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,0BAA0B,EAChC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,sBAAsB,CAExB"}

package/dist/services/errors.js

@@ -0,0 +1,66 @@
+"use strict";
+/**
+ * Proof Verification Error Codes and Types
+ *
+ * Specific error codes for proof verification failures to enable
+ * better error handling and debugging.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProofVerificationError = exports.PROOF_VERIFICATION_ERROR_CODES = void 0;
+exports.createProofVerificationError = createProofVerificationError;
+/**
+ * Error codes for proof verification
+ */
+exports.PROOF_VERIFICATION_ERROR_CODES = {
+    // Proof structure errors
+    INVALID_PROOF_STRUCTURE: "INVALID_PROOF_STRUCTURE",
+    MISSING_REQUIRED_FIELD: "MISSING_REQUIRED_FIELD",
+    // Security errors
+    NONCE_REPLAY_DETECTED: "NONCE_REPLAY_DETECTED",
+    TIMESTAMP_SKEW_EXCEEDED: "TIMESTAMP_SKEW_EXCEEDED",
+    TIMESTAMP_INVALID: "TIMESTAMP_INVALID",
+    // Signature errors
+    INVALID_JWS_SIGNATURE: "INVALID_JWS_SIGNATURE",
+    INVALID_JWS_FORMAT: "INVALID_JWS_FORMAT",
+    INVALID_JWS_HEADER: "INVALID_JWS_HEADER",
+    INVALID_JWS_PAYLOAD: "INVALID_JWS_PAYLOAD",
+    INVALID_JWS_SIGNATURE_BASE64: "INVALID_JWS_SIGNATURE_BASE64",
+    UNSUPPORTED_ALGORITHM: "UNSUPPORTED_ALGORITHM",
+    // JWK errors
+    INVALID_JWK_FORMAT: "INVALID_JWK_FORMAT",
+    INVALID_JWK_KTY: "INVALID_JWK_KTY",
+    INVALID_JWK_CRV: "INVALID_JWK_CRV",
+    INVALID_JWK_X_FIELD: "INVALID_JWK_X_FIELD",
+    INVALID_JWK_KEY_LENGTH: "INVALID_JWK_KEY_LENGTH",
+    JWK_KID_MISMATCH: "JWK_KID_MISMATCH",
+    // DID resolution errors
+    DID_RESOLUTION_FAILED: "DID_RESOLUTION_FAILED",
+    DID_DOCUMENT_NOT_FOUND: "DID_DOCUMENT_NOT_FOUND",
+    VERIFICATION_METHOD_NOT_FOUND: "VERIFICATION_METHOD_NOT_FOUND",
+    PUBLIC_KEY_NOT_FOUND: "PUBLIC_KEY_NOT_FOUND",
+    UNSUPPORTED_DID_METHOD: "UNSUPPORTED_DID_METHOD",
+    // Generic errors
+    VERIFICATION_ERROR: "VERIFICATION_ERROR",
+    INTERNAL_ERROR: "INTERNAL_ERROR",
+};
+/**
+ * Proof verification error with specific error code
+ */
+class ProofVerificationError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = "ProofVerificationError";
+    }
+}
+exports.ProofVerificationError = ProofVerificationError;
+/**
+ * Create a proof verification error
+ */
+function createProofVerificationError(code, message, details) {
+    return new ProofVerificationError(code, message, details);
+}
+//# sourceMappingURL=errors.js.map

package/dist/services/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/services/errors.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA+DH,oEAMC;AAnED;;GAEG;AACU,QAAA,8BAA8B,GAAG;IAC5C,yBAAyB;IACzB,uBAAuB,EAAE,yBAAyB;IAClD,sBAAsB,EAAE,wBAAwB;IAEhD,kBAAkB;IAClB,qBAAqB,EAAE,uBAAuB;IAC9C,uBAAuB,EAAE,yBAAyB;IAClD,iBAAiB,EAAE,mBAAmB;IAEtC,mBAAmB;IACnB,qBAAqB,EAAE,uBAAuB;IAC9C,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,mBAAmB,EAAE,qBAAqB;IAC1C,4BAA4B,EAAE,8BAA8B;IAC5D,qBAAqB,EAAE,uBAAuB;IAE9C,aAAa;IACb,kBAAkB,EAAE,oBAAoB;IACxC,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,qBAAqB;IAC1C,sBAAsB,EAAE,wBAAwB;IAChD,gBAAgB,EAAE,kBAAkB;IAEpC,wBAAwB;IACxB,qBAAqB,EAAE,uBAAuB;IAC9C,sBAAsB,EAAE,wBAAwB;IAChD,6BAA6B,EAAE,+BAA+B;IAC9D,oBAAoB,EAAE,sBAAsB;IAC5C,sBAAsB,EAAE,wBAAwB;IAEhD,iBAAiB;IACjB,kBAAkB,EAAE,oBAAoB;IACxC,cAAc,EAAE,gBAAgB;CACxB,CAAC;AAKX;;GAEG;AACH,MAAa,sBAAuB,SAAQ,KAAK;IAE7B;IAEA;IAHlB,YACkB,IAAgC,EAChD,OAAe,EACC,OAAiC;QAEjD,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,SAAI,GAAJ,IAAI,CAA4B;QAEhC,YAAO,GAAP,OAAO,CAA0B;QAGjD,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AATD,wDASC;AAED;;GAEG;AACH,SAAgB,4BAA4B,CAC1C,IAAgC,EAChC,OAAe,EACf,OAAiC;IAEjC,OAAO,IAAI,sBAAsB,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5D,CAAC"}

package/dist/services/index.d.ts

@@ -0,0 +1,5 @@
+export { CryptoService } from './crypto.service.js';
+export type { Ed25519JWK, ParsedJWS } from './crypto.service.js';
+export { AccessControlApiService } from './access-control.service.js';
+export type { AccessControlApiServiceConfig, AccessControlApiServiceMetrics, } from './access-control.service.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/services/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EACV,6BAA6B,EAC7B,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC"}

package/dist/services/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessControlApiService = exports.CryptoService = void 0;
+var crypto_service_js_1 = require("./crypto.service.js");
+Object.defineProperty(exports, "CryptoService", { enumerable: true, get: function () { return crypto_service_js_1.CryptoService; } });
+var access_control_service_js_1 = require("./access-control.service.js");
+Object.defineProperty(exports, "AccessControlApiService", { enumerable: true, get: function () { return access_control_service_js_1.AccessControlApiService; } });
+//# sourceMappingURL=index.js.map

package/dist/services/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":";;;AAAA,yDAAoD;AAA3C,kHAAA,aAAa,OAAA;AAGtB,yEAAsE;AAA7D,oIAAA,uBAAuB,OAAA"}

package/dist/services/proof-verifier.d.ts

@@ -0,0 +1,98 @@
+/**
+ * ProofVerifier
+ *
+ * Centralized proof verification service that validates DetachedProof
+ * signatures, enforces nonce replay protection, and checks timestamp skew.
+ */
+import { type Ed25519JWK } from "./crypto.service.js";
+import { CryptoProvider } from "../providers/base.js";
+import { ClockProvider } from "../providers/base.js";
+import { NonceCacheProvider } from "../providers/base.js";
+import { FetchProvider } from "../providers/base.js";
+import { type DetachedProof } from "@kya-os/contracts/proof";
+import { type ProofVerificationErrorCode } from "./errors.js";
+export interface ProofVerificationResult {
+    valid: boolean;
+    reason?: string;
+    error?: Error;
+    errorCode?: ProofVerificationErrorCode;
+    details?: Record<string, unknown>;
+}
+export interface ProofVerifierConfig {
+    cryptoProvider: CryptoProvider;
+    clockProvider: ClockProvider;
+    nonceCacheProvider: NonceCacheProvider;
+    fetchProvider: FetchProvider;
+    timestampSkewSeconds?: number;
+    nonceTtlSeconds?: number;
+}
+export declare class ProofVerifier {
+    private cryptoService;
+    private clock;
+    private nonceCache;
+    private fetch;
+    private timestampSkewSeconds;
+    private nonceTtlSeconds;
+    constructor(config: ProofVerifierConfig);
+    /**
+     * Verify a DetachedProof
+     * Automatically reconstructs canonical payload from proof.meta for signature verification
+     * @param proof - The proof to verify
+     * @param publicKeyJwk - Ed25519 public key in JWK format (from DID document)
+     * @returns Verification result
+     */
+    verifyProof(proof: DetachedProof, publicKeyJwk: Ed25519JWK): Promise<ProofVerificationResult>;
+    /**
+     * Verify proof with detached payload (for CLI/verifier compatibility)
+     * @param proof - The proof to verify
+     * @param canonicalPayload - Canonical JSON payload (for detached JWS) as string or Uint8Array
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @returns Verification result
+     */
+    verifyProofDetached(proof: DetachedProof, canonicalPayload: string | Uint8Array, publicKeyJwk: Ed25519JWK): Promise<ProofVerificationResult>;
+    /**
+     * Validate proof structure using Zod schema
+     * @private
+     */
+    private validateProofStructure;
+    /**
+     * Validate nonce replay protection
+     * @private
+     */
+    private validateNonce;
+    /**
+     * Validate timestamp skew
+     * @private
+     */
+    private validateTimestamp;
+    /**
+     * Verify JWS signature
+     * @private
+     */
+    private verifySignature;
+    /**
+     * Add nonce to cache to prevent replay
+     * @private
+     */
+    private addNonceToCache;
+    /**
+     * Fetch public key from DID document
+     * @param did - DID to resolve
+     * @param kid - Key ID (optional, defaults to first verification method)
+     * @returns Ed25519 JWK or null if not found
+     * @throws {ProofVerificationError} If DID resolution fails with specific error code
+     */
+    fetchPublicKeyFromDID(did: string, kid?: string): Promise<Ed25519JWK | null>;
+    /**
+     * Build canonical payload from proof meta
+     *
+     * CRITICAL: This must reconstruct the exact JWS payload structure that was originally signed.
+     * The original JWS payload uses standard JWT claims (aud, sub, iss) plus custom proof claims,
+     * NOT the proof.meta structure directly.
+     *
+     * @param meta - Proof metadata
+     * @returns Canonical JSON string matching the original JWS payload structure
+     */
+    buildCanonicalPayload(meta: DetachedProof["meta"]): string;
+}
+//# sourceMappingURL=proof-verifier.d.ts.map

package/dist/services/proof-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof-verifier.d.ts","sourceRoot":"","sources":["../../src/services/proof-verifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAEL,KAAK,aAAa,EACnB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAGL,KAAK,0BAA0B,EAChC,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,0BAA0B,CAAC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,cAAc,CAAC;IAC/B,aAAa,EAAE,aAAa,CAAC;IAC7B,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,aAAa,EAAE,aAAa,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,oBAAoB,CAAS;IACrC,OAAO,CAAC,eAAe,CAAS;gBAEpB,MAAM,EAAE,mBAAmB;IASvC;;;;;;OAMG;IACG,WAAW,CACf,KAAK,EAAE,aAAa,EACpB,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,uBAAuB,CAAC;IAgEnC;;;;;;OAMG;IACG,mBAAmB,CACvB,KAAK,EAAE,aAAa,EACpB,gBAAgB,EAAE,MAAM,GAAG,UAAU,EACrC,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,uBAAuB,CAAC;IA8DnC;;;OAGG;YACW,sBAAsB;IAuBpC;;;OAGG;YACW,aAAa;IAe3B;;;OAGG;YACW,iBAAiB;IAqB/B;;;OAGG;YACW,eAAe;IAgC7B;;;OAGG;YACW,eAAe;IAK7B;;;;;;OAMG;IACG,qBAAqB,CACzB,GAAG,EAAE,MAAM,EACX,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAgG7B;;;;;;;;;OASG;IACH,qBAAqB,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM;CA0B3D"}