npm - @kya-os/mcp-i-core - Versions diffs - 1.1.13-canary.2 → 1.2.1-canary.0 - Mend

@kya-os/mcp-i-core 1.1.13-canary.2 → 1.2.1-canary.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/dist/__tests__/utils/mock-providers.d.ts +5 -3
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js +23 -12
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/index.d.ts +33 -22
package/dist/index.d.ts.map +1 -1
package/dist/index.js +20 -1
package/dist/index.js.map +1 -1
package/dist/providers/base.d.ts +18 -3
package/dist/providers/base.d.ts.map +1 -1
package/dist/providers/base.js +5 -1
package/dist/providers/base.js.map +1 -1
package/dist/providers/memory.d.ts +2 -2
package/dist/providers/memory.d.ts.map +1 -1
package/dist/providers/memory.js +9 -5
package/dist/providers/memory.js.map +1 -1
package/dist/runtime/base.d.ts +40 -1
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +148 -20
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts +121 -0
package/dist/services/access-control.service.d.ts.map +1 -0
package/dist/services/access-control.service.js +458 -0
package/dist/services/access-control.service.js.map +1 -0
package/dist/services/crypto.service.d.ts +69 -0
package/dist/services/crypto.service.d.ts.map +1 -0
package/dist/services/crypto.service.js +225 -0
package/dist/services/crypto.service.js.map +1 -0
package/dist/services/errors.d.ts +49 -0
package/dist/services/errors.d.ts.map +1 -0
package/dist/services/errors.js +66 -0
package/dist/services/errors.js.map +1 -0
package/dist/services/index.d.ts +5 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +8 -0
package/dist/services/index.js.map +1 -0
package/dist/services/proof-verifier.d.ts +98 -0
package/dist/services/proof-verifier.d.ts.map +1 -0
package/dist/services/proof-verifier.js +319 -0
package/dist/services/proof-verifier.js.map +1 -0
package/dist/services/storage.service.d.ts +116 -0
package/dist/services/storage.service.d.ts.map +1 -0
package/dist/services/storage.service.js +405 -0
package/dist/services/storage.service.js.map +1 -0
package/dist/utils/base64.d.ts +31 -0
package/dist/utils/base64.d.ts.map +1 -0
package/dist/utils/base64.js +138 -0
package/dist/utils/base64.js.map +1 -0
package/dist/utils/index.d.ts +3 -1
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +2 -0
package/dist/utils/index.js.map +1 -1
package/dist/utils/storage-keys.d.ts +120 -0
package/dist/utils/storage-keys.d.ts.map +1 -0
package/dist/utils/storage-keys.js +217 -0
package/dist/utils/storage-keys.js.map +1 -0
package/package.json +5 -4
package/dist/compliance/schema-verifier-v2.d.ts +0 -110
package/dist/compliance/schema-verifier-v2.d.ts.map +0 -1
package/dist/compliance/schema-verifier-v2.js +0 -510
package/dist/compliance/schema-verifier-v2.js.map +0 -1
package/dist/did/resolver.d.ts +0 -92
package/dist/did/resolver.d.ts.map +0 -1
package/dist/did/resolver.js +0 -203
package/dist/did/resolver.js.map +0 -1
package/dist/proof/proof-engine.d.ts +0 -89
package/dist/proof/proof-engine.d.ts.map +0 -1
package/dist/proof/proof-engine.js +0 -249
package/dist/proof/proof-engine.js.map +0 -1
package/dist/runtime/base-v2.d.ts +0 -117
package/dist/runtime/base-v2.d.ts.map +0 -1
package/dist/runtime/base-v2.js +0 -328
package/dist/runtime/base-v2.js.map +0 -1
package/dist/types/providers.d.ts +0 -142
package/dist/types/providers.d.ts.map +0 -1
package/dist/types/providers.js +0 -43
package/dist/types/providers.js.map +0 -1
package/dist/verification/interfaces.d.ts +0 -125
package/dist/verification/interfaces.d.ts.map +0 -1
package/dist/verification/interfaces.js +0 -101
package/dist/verification/interfaces.js.map +0 -1

package/dist/services/crypto.service.js ADDED Viewed

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * CryptoService
+ *
+ * Centralized cryptographic operations service that provides consistent
+ * signature verification across all platforms (Cloudflare, Node.js, etc.).
+ *
+ * This service eliminates code duplication and ensures cryptographic operations
+ * behave identically everywhere.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoService = void 0;
+const base64_js_1 = require("../utils/base64.js");
+class CryptoService {
+    cryptoProvider;
+    constructor(cryptoProvider) {
+        this.cryptoProvider = cryptoProvider;
+    }
+    /**
+     * Verify raw Ed25519 signature
+     * @param data - Data that was signed
+     * @param signature - Signature bytes
+     * @param publicKey - Base64 encoded Ed25519 public key (32 bytes)
+     */
+    async verifyEd25519(data, signature, publicKey) {
+        try {
+            const result = await this.cryptoProvider.verify(data, signature, publicKey);
+            // Ensure we always return a boolean (handle undefined from unmocked providers)
+            return result === true;
+        }
+        catch (error) {
+            // Log error for debugging but return false for invalid signatures
+            console.error("[CryptoService] Ed25519 verification error:", error);
+            return false;
+        }
+    }
+    /**
+     * Parse JWS into components
+     * @param jws - Full compact JWS string (header.payload.signature)
+     * @returns Parsed JWS components
+     */
+    parseJWS(jws) {
+        const parts = jws.split(".");
+        if (parts.length !== 3) {
+            throw new Error("Invalid JWS format: expected header.payload.signature");
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Decode header
+        let header;
+        try {
+            header = JSON.parse((0, base64_js_1.base64urlDecodeToString)(headerB64));
+        }
+        catch (error) {
+            throw new Error(`Invalid header base64: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        // Decode payload (optional, may be detached)
+        let payload;
+        if (payloadB64) {
+            try {
+                payload = JSON.parse((0, base64_js_1.base64urlDecodeToString)(payloadB64));
+            }
+            catch (error) {
+                // Payload decoding failed - this is an error for non-detached JWS
+                // Re-throw to let caller handle it (they can check if it's detached format)
+                throw new Error(`Invalid payload base64: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Decode signature bytes
+        let signatureBytes;
+        try {
+            signatureBytes = (0, base64_js_1.base64urlDecodeToBytes)(signatureB64);
+        }
+        catch (error) {
+            // Invalid signature base64 - this is a fatal error
+            throw new Error(`Invalid signature base64: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        // Create signing input (header.payload)
+        const signingInput = `${headerB64}.${payloadB64}`;
+        return {
+            header,
+            payload,
+            signatureBytes,
+            signingInput,
+        };
+    }
+    /**
+     * Verify JWS signature (full compact format: header.payload.signature)
+     * @param jws - Full compact JWS string (or detached format: header..signature)
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @param options - Verification options
+     * @param options.detachedPayload - Optional detached payload (Uint8Array or string) for detached JWS format
+     * @param options.expectedKid - Optional expected key ID to validate
+     * @param options.alg - Optional expected algorithm (defaults to 'EdDSA')
+     */
+    async verifyJWS(jws, publicKeyJwk, options) {
+        try {
+            // Validate JWK format
+            if (!this.isValidEd25519JWK(publicKeyJwk)) {
+                console.error("[CryptoService] Invalid Ed25519 JWK format");
+                return false;
+            }
+            // Validate expected kid if provided
+            if (options?.expectedKid && publicKeyJwk.kid !== options.expectedKid) {
+                console.error("[CryptoService] Key ID mismatch");
+                return false;
+            }
+            // Parse JWS components - handle malformed JWS gracefully
+            let parsed;
+            try {
+                parsed = this.parseJWS(jws);
+            }
+            catch (error) {
+                // Malformed JWS - check if it's detached format with provided payload
+                if (options?.detachedPayload !== undefined) {
+                    const parts = jws.split(".");
+                    if (parts.length === 3 && parts[1] === "") {
+                        // Detached format: header..signature
+                        try {
+                            const headerB64 = parts[0];
+                            const signatureB64 = parts[2];
+                            const header = JSON.parse((0, base64_js_1.base64urlDecodeToString)(headerB64));
+                            const signatureBytes = (0, base64_js_1.base64urlDecodeToBytes)(signatureB64);
+                            parsed = {
+                                header,
+                                payload: undefined,
+                                signatureBytes,
+                                signingInput: "", // Will be reconstructed below
+                            };
+                        }
+                        catch {
+                            console.error("[CryptoService] Invalid detached JWS format");
+                            return false;
+                        }
+                    }
+                    else {
+                        console.error("[CryptoService] Invalid JWS format:", error);
+                        return false;
+                    }
+                }
+                else {
+                    console.error("[CryptoService] Invalid JWS format:", error);
+                    return false;
+                }
+            }
+            // Validate algorithm
+            const expectedAlg = options?.alg || "EdDSA";
+            if (parsed.header.alg !== expectedAlg) {
+                console.error(`[CryptoService] Unsupported algorithm: ${parsed.header.alg}, expected ${expectedAlg}`);
+                return false;
+            }
+            // Handle detached payload if provided
+            let signingInput;
+            let signingInputBytes;
+            if (options?.detachedPayload !== undefined) {
+                // Detached format: reconstruct signing input from header + detached payload
+                const headerB64 = jws.split(".")[0];
+                let payloadB64;
+                if (options.detachedPayload instanceof Uint8Array) {
+                    // Uint8Array payload
+                    payloadB64 = (0, base64_js_1.base64urlEncodeFromBytes)(options.detachedPayload);
+                }
+                else {
+                    // String payload (backward compatibility)
+                    payloadB64 = (0, base64_js_1.base64urlEncodeFromBytes)(new TextEncoder().encode(options.detachedPayload));
+                }
+                signingInput = `${headerB64}.${payloadB64}`;
+                signingInputBytes = new TextEncoder().encode(signingInput);
+            }
+            else {
+                // Full compact format: use parsed signing input
+                if (!parsed.signingInput) {
+                    console.error("[CryptoService] Missing signing input for compact JWS");
+                    return false;
+                }
+                signingInput = parsed.signingInput;
+                signingInputBytes = new TextEncoder().encode(signingInput);
+            }
+            // Extract raw public key from JWK
+            let publicKeyBase64;
+            try {
+                publicKeyBase64 = this.jwkToBase64PublicKey(publicKeyJwk);
+            }
+            catch (error) {
+                console.error("[CryptoService] Failed to extract public key:", error);
+                return false;
+            }
+            // Verify signature
+            return await this.verifyEd25519(signingInputBytes, parsed.signatureBytes, publicKeyBase64);
+        }
+        catch (error) {
+            // Security-safe failure: never throw, always return false
+            console.error("[CryptoService] JWS verification error:", error);
+            return false;
+        }
+    }
+    /**
+     * Validate Ed25519 JWK format
+     */
+    isValidEd25519JWK(jwk) {
+        return (typeof jwk === "object" &&
+            jwk !== null &&
+            "kty" in jwk &&
+            jwk.kty === "OKP" &&
+            "crv" in jwk &&
+            jwk.crv === "Ed25519" &&
+            "x" in jwk &&
+            typeof jwk.x === "string" &&
+            jwk.x.length > 0);
+    }
+    /**
+     * Convert Ed25519 JWK to base64 encoded public key
+     */
+    jwkToBase64PublicKey(jwk) {
+        // The 'x' field contains the base64url encoded public key
+        // Convert from base64url to standard base64
+        const publicKeyBytes = (0, base64_js_1.base64urlDecodeToBytes)(jwk.x);
+        // Verify key length (Ed25519 public keys are 32 bytes)
+        if (publicKeyBytes.length !== 32) {
+            throw new Error(`Invalid Ed25519 public key length: ${publicKeyBytes.length}`);
+        }
+        return (0, base64_js_1.bytesToBase64)(publicKeyBytes);
+    }
+}
+exports.CryptoService = CryptoService;
+//# sourceMappingURL=crypto.service.js.map

package/dist/services/crypto.service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.service.js","sourceRoot":"","sources":["../../src/services/crypto.service.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAGH,kDAM4B;AAuB5B,MAAa,aAAa;IACJ;IAApB,YAAoB,cAA8B;QAA9B,mBAAc,GAAd,cAAc,CAAgB;IAAG,CAAC;IAEtD;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CACjB,IAAgB,EAChB,SAAqB,EACrB,SAAiB;QAEjB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAC7C,IAAI,EACJ,SAAS,EACT,SAAS,CACV,CAAC;YACF,+EAA+E;YAC/E,OAAO,MAAM,KAAK,IAAI,CAAC;QACzB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,kEAAkE;YAClE,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,QAAQ,CAAC,GAAW;QAClB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,gBAAgB;QAChB,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,mCAAuB,EAAC,SAAS,CAAC,CAGrD,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,0BAA0B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnF,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,OAA4C,CAAC;QACjD,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,mCAAuB,EAAC,UAAU,CAAC,CAGvD,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,kEAAkE;gBAClE,4EAA4E;gBAC5E,MAAM,IAAI,KAAK,CACb,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,IAAI,cAA0B,CAAC;QAC/B,IAAI,CAAC;YACH,cAAc,GAAG,IAAA,kCAAsB,EAAC,YAAY,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mDAAmD;YACnD,MAAM,IAAI,KAAK,CACb,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAElD,OAAO;YACL,MAAM;YACN,OAAO;YACP,cAAc;YACd,YAAY;SACb,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,SAAS,CACb,GAAW,EACX,YAAwB,EACxB,OAIC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC1C,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;gBAC5D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,oCAAoC;YACpC,IAAI,OAAO,EAAE,WAAW,IAAI,YAAY,CAAC,GAAG,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC;gBACrE,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBACjD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,yDAAyD;YACzD,IAAI,MAAiB,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,sEAAsE;gBACtE,IAAI,OAAO,EAAE,eAAe,KAAK,SAAS,EAAE,CAAC;oBAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;wBAC1C,qCAAqC;wBACrC,IAAI,CAAC;4BACH,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC3B,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAA,mCAAuB,EAAC,SAAS,CAAC,CACR,CAAC;4BAC7B,MAAM,cAAc,GAAG,IAAA,kCAAsB,EAAC,YAAY,CAAC,CAAC;4BAE5D,MAAM,GAAG;gCACP,MAAM;gCACN,OAAO,EAAE,SAAS;gCAClB,cAAc;gCACd,YAAY,EAAE,EAAE,EAAE,8BAA8B;6BACjD,CAAC;wBACJ,CAAC;wBAAC,MAAM,CAAC;4BACP,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;4BAC7D,OAAO,KAAK,CAAC;wBACf,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;wBAC5D,OAAO,KAAK,CAAC;oBACf,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;oBAC5D,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,MAAM,WAAW,GAAG,OAAO,EAAE,GAAG,IAAI,OAAO,CAAC;YAC5C,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;gBACtC,OAAO,CAAC,KAAK,CACX,0CAA0C,MAAM,CAAC,MAAM,CAAC,GAAG,cAAc,WAAW,EAAE,CACvF,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,sCAAsC;YACtC,IAAI,YAAoB,CAAC;YACzB,IAAI,iBAA6B,CAAC;YAElC,IAAI,OAAO,EAAE,eAAe,KAAK,SAAS,EAAE,CAAC;gBAC3C,4EAA4E;gBAC5E,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpC,IAAI,UAAkB,CAAC;gBAEvB,IAAI,OAAO,CAAC,eAAe,YAAY,UAAU,EAAE,CAAC;oBAClD,qBAAqB;oBACrB,UAAU,GAAG,IAAA,oCAAwB,EAAC,OAAO,CAAC,eAAe,CAAC,CAAC;gBACjE,CAAC;qBAAM,CAAC;oBACN,0CAA0C;oBAC1C,UAAU,GAAG,IAAA,oCAAwB,EACnC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAClD,CAAC;gBACJ,CAAC;gBAED,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;gBAC5C,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,gDAAgD;gBAChD,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBACzB,OAAO,CAAC,KAAK,CACX,uDAAuD,CACxD,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;gBACnC,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7D,CAAC;YAED,kCAAkC;YAClC,IAAI,eAAuB,CAAC;YAC5B,IAAI,CAAC;gBACH,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAC;YAC5D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;gBACtE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,mBAAmB;YACnB,OAAO,MAAM,IAAI,CAAC,aAAa,CAC7B,iBAAiB,EACjB,MAAM,CAAC,cAAc,EACrB,eAAe,CAChB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,0DAA0D;YAC1D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;YAChE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,GAAY;QACpC,OAAO,CACL,OAAO,GAAG,KAAK,QAAQ;YACvB,GAAG,KAAK,IAAI;YACZ,KAAK,IAAI,GAAG;YACZ,GAAG,CAAC,GAAG,KAAK,KAAK;YACjB,KAAK,IAAI,GAAG;YACZ,GAAG,CAAC,GAAG,KAAK,SAAS;YACrB,GAAG,IAAI,GAAG;YACV,OAAO,GAAG,CAAC,CAAC,KAAK,QAAQ;YACzB,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CACjB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,GAAe;QAC1C,0DAA0D;QAC1D,4CAA4C;QAC5C,MAAM,cAAc,GAAG,IAAA,kCAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAErD,uDAAuD;QACvD,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,sCAAsC,cAAc,CAAC,MAAM,EAAE,CAC9D,CAAC;QACJ,CAAC;QAED,OAAO,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC;IACvC,CAAC;CACF;AArQD,sCAqQC"}

package/dist/services/errors.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * Proof Verification Error Codes and Types
+ *
+ * Specific error codes for proof verification failures to enable
+ * better error handling and debugging.
+ */
+/**
+ * Error codes for proof verification
+ */
+export declare const PROOF_VERIFICATION_ERROR_CODES: {
+    readonly INVALID_PROOF_STRUCTURE: "INVALID_PROOF_STRUCTURE";
+    readonly MISSING_REQUIRED_FIELD: "MISSING_REQUIRED_FIELD";
+    readonly NONCE_REPLAY_DETECTED: "NONCE_REPLAY_DETECTED";
+    readonly TIMESTAMP_SKEW_EXCEEDED: "TIMESTAMP_SKEW_EXCEEDED";
+    readonly TIMESTAMP_INVALID: "TIMESTAMP_INVALID";
+    readonly INVALID_JWS_SIGNATURE: "INVALID_JWS_SIGNATURE";
+    readonly INVALID_JWS_FORMAT: "INVALID_JWS_FORMAT";
+    readonly INVALID_JWS_HEADER: "INVALID_JWS_HEADER";
+    readonly INVALID_JWS_PAYLOAD: "INVALID_JWS_PAYLOAD";
+    readonly INVALID_JWS_SIGNATURE_BASE64: "INVALID_JWS_SIGNATURE_BASE64";
+    readonly UNSUPPORTED_ALGORITHM: "UNSUPPORTED_ALGORITHM";
+    readonly INVALID_JWK_FORMAT: "INVALID_JWK_FORMAT";
+    readonly INVALID_JWK_KTY: "INVALID_JWK_KTY";
+    readonly INVALID_JWK_CRV: "INVALID_JWK_CRV";
+    readonly INVALID_JWK_X_FIELD: "INVALID_JWK_X_FIELD";
+    readonly INVALID_JWK_KEY_LENGTH: "INVALID_JWK_KEY_LENGTH";
+    readonly JWK_KID_MISMATCH: "JWK_KID_MISMATCH";
+    readonly DID_RESOLUTION_FAILED: "DID_RESOLUTION_FAILED";
+    readonly DID_DOCUMENT_NOT_FOUND: "DID_DOCUMENT_NOT_FOUND";
+    readonly VERIFICATION_METHOD_NOT_FOUND: "VERIFICATION_METHOD_NOT_FOUND";
+    readonly PUBLIC_KEY_NOT_FOUND: "PUBLIC_KEY_NOT_FOUND";
+    readonly UNSUPPORTED_DID_METHOD: "UNSUPPORTED_DID_METHOD";
+    readonly VERIFICATION_ERROR: "VERIFICATION_ERROR";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+};
+export type ProofVerificationErrorCode = typeof PROOF_VERIFICATION_ERROR_CODES[keyof typeof PROOF_VERIFICATION_ERROR_CODES];
+/**
+ * Proof verification error with specific error code
+ */
+export declare class ProofVerificationError extends Error {
+    readonly code: ProofVerificationErrorCode;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(code: ProofVerificationErrorCode, message: string, details?: Record<string, unknown> | undefined);
+}
+/**
+ * Create a proof verification error
+ */
+export declare function createProofVerificationError(code: ProofVerificationErrorCode, message: string, details?: Record<string, unknown>): ProofVerificationError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/services/errors.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/services/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;CAoCjC,CAAC;AAEX,MAAM,MAAM,0BAA0B,GACpC,OAAO,8BAA8B,CAAC,MAAM,OAAO,8BAA8B,CAAC,CAAC;AAErF;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,IAAI,EAAE,0BAA0B;aAEhC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFjC,IAAI,EAAE,0BAA0B,EAChD,OAAO,EAAE,MAAM,EACC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAKpD;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,0BAA0B,EAChC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,sBAAsB,CAExB"}

package/dist/services/errors.js ADDED Viewed

@@ -0,0 +1,66 @@
+"use strict";
+/**
+ * Proof Verification Error Codes and Types
+ *
+ * Specific error codes for proof verification failures to enable
+ * better error handling and debugging.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProofVerificationError = exports.PROOF_VERIFICATION_ERROR_CODES = void 0;
+exports.createProofVerificationError = createProofVerificationError;
+/**
+ * Error codes for proof verification
+ */
+exports.PROOF_VERIFICATION_ERROR_CODES = {
+    // Proof structure errors
+    INVALID_PROOF_STRUCTURE: "INVALID_PROOF_STRUCTURE",
+    MISSING_REQUIRED_FIELD: "MISSING_REQUIRED_FIELD",
+    // Security errors
+    NONCE_REPLAY_DETECTED: "NONCE_REPLAY_DETECTED",
+    TIMESTAMP_SKEW_EXCEEDED: "TIMESTAMP_SKEW_EXCEEDED",
+    TIMESTAMP_INVALID: "TIMESTAMP_INVALID",
+    // Signature errors
+    INVALID_JWS_SIGNATURE: "INVALID_JWS_SIGNATURE",
+    INVALID_JWS_FORMAT: "INVALID_JWS_FORMAT",
+    INVALID_JWS_HEADER: "INVALID_JWS_HEADER",
+    INVALID_JWS_PAYLOAD: "INVALID_JWS_PAYLOAD",
+    INVALID_JWS_SIGNATURE_BASE64: "INVALID_JWS_SIGNATURE_BASE64",
+    UNSUPPORTED_ALGORITHM: "UNSUPPORTED_ALGORITHM",
+    // JWK errors
+    INVALID_JWK_FORMAT: "INVALID_JWK_FORMAT",
+    INVALID_JWK_KTY: "INVALID_JWK_KTY",
+    INVALID_JWK_CRV: "INVALID_JWK_CRV",
+    INVALID_JWK_X_FIELD: "INVALID_JWK_X_FIELD",
+    INVALID_JWK_KEY_LENGTH: "INVALID_JWK_KEY_LENGTH",
+    JWK_KID_MISMATCH: "JWK_KID_MISMATCH",
+    // DID resolution errors
+    DID_RESOLUTION_FAILED: "DID_RESOLUTION_FAILED",
+    DID_DOCUMENT_NOT_FOUND: "DID_DOCUMENT_NOT_FOUND",
+    VERIFICATION_METHOD_NOT_FOUND: "VERIFICATION_METHOD_NOT_FOUND",
+    PUBLIC_KEY_NOT_FOUND: "PUBLIC_KEY_NOT_FOUND",
+    UNSUPPORTED_DID_METHOD: "UNSUPPORTED_DID_METHOD",
+    // Generic errors
+    VERIFICATION_ERROR: "VERIFICATION_ERROR",
+    INTERNAL_ERROR: "INTERNAL_ERROR",
+};
+/**
+ * Proof verification error with specific error code
+ */
+class ProofVerificationError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = "ProofVerificationError";
+    }
+}
+exports.ProofVerificationError = ProofVerificationError;
+/**
+ * Create a proof verification error
+ */
+function createProofVerificationError(code, message, details) {
+    return new ProofVerificationError(code, message, details);
+}
+//# sourceMappingURL=errors.js.map

package/dist/services/errors.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/services/errors.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA+DH,oEAMC;AAnED;;GAEG;AACU,QAAA,8BAA8B,GAAG;IAC5C,yBAAyB;IACzB,uBAAuB,EAAE,yBAAyB;IAClD,sBAAsB,EAAE,wBAAwB;IAEhD,kBAAkB;IAClB,qBAAqB,EAAE,uBAAuB;IAC9C,uBAAuB,EAAE,yBAAyB;IAClD,iBAAiB,EAAE,mBAAmB;IAEtC,mBAAmB;IACnB,qBAAqB,EAAE,uBAAuB;IAC9C,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,mBAAmB,EAAE,qBAAqB;IAC1C,4BAA4B,EAAE,8BAA8B;IAC5D,qBAAqB,EAAE,uBAAuB;IAE9C,aAAa;IACb,kBAAkB,EAAE,oBAAoB;IACxC,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,qBAAqB;IAC1C,sBAAsB,EAAE,wBAAwB;IAChD,gBAAgB,EAAE,kBAAkB;IAEpC,wBAAwB;IACxB,qBAAqB,EAAE,uBAAuB;IAC9C,sBAAsB,EAAE,wBAAwB;IAChD,6BAA6B,EAAE,+BAA+B;IAC9D,oBAAoB,EAAE,sBAAsB;IAC5C,sBAAsB,EAAE,wBAAwB;IAEhD,iBAAiB;IACjB,kBAAkB,EAAE,oBAAoB;IACxC,cAAc,EAAE,gBAAgB;CACxB,CAAC;AAKX;;GAEG;AACH,MAAa,sBAAuB,SAAQ,KAAK;IAE7B;IAEA;IAHlB,YACkB,IAAgC,EAChD,OAAe,EACC,OAAiC;QAEjD,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,SAAI,GAAJ,IAAI,CAA4B;QAEhC,YAAO,GAAP,OAAO,CAA0B;QAGjD,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AATD,wDASC;AAED;;GAEG;AACH,SAAgB,4BAA4B,CAC1C,IAAgC,EAChC,OAAe,EACf,OAAiC;IAEjC,OAAO,IAAI,sBAAsB,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5D,CAAC"}

package/dist/services/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export { CryptoService } from './crypto.service.js';
+export type { Ed25519JWK, ParsedJWS } from './crypto.service.js';
+export { AccessControlApiService } from './access-control.service.js';
+export type { AccessControlApiServiceConfig, AccessControlApiServiceMetrics, } from './access-control.service.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/services/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EACV,6BAA6B,EAC7B,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC"}

package/dist/services/index.js ADDED Viewed

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessControlApiService = exports.CryptoService = void 0;
+var crypto_service_js_1 = require("./crypto.service.js");
+Object.defineProperty(exports, "CryptoService", { enumerable: true, get: function () { return crypto_service_js_1.CryptoService; } });
+var access_control_service_js_1 = require("./access-control.service.js");
+Object.defineProperty(exports, "AccessControlApiService", { enumerable: true, get: function () { return access_control_service_js_1.AccessControlApiService; } });
+//# sourceMappingURL=index.js.map

package/dist/services/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":";;;AAAA,yDAAoD;AAA3C,kHAAA,aAAa,OAAA;AAGtB,yEAAsE;AAA7D,oIAAA,uBAAuB,OAAA"}

package/dist/services/proof-verifier.d.ts ADDED Viewed

@@ -0,0 +1,98 @@
+/**
+ * ProofVerifier
+ *
+ * Centralized proof verification service that validates DetachedProof
+ * signatures, enforces nonce replay protection, and checks timestamp skew.
+ */
+import { type Ed25519JWK } from "./crypto.service.js";
+import { CryptoProvider } from "../providers/base.js";
+import { ClockProvider } from "../providers/base.js";
+import { NonceCacheProvider } from "../providers/base.js";
+import { FetchProvider } from "../providers/base.js";
+import { type DetachedProof } from "@kya-os/contracts/proof";
+import { type ProofVerificationErrorCode } from "./errors.js";
+export interface ProofVerificationResult {
+    valid: boolean;
+    reason?: string;
+    error?: Error;
+    errorCode?: ProofVerificationErrorCode;
+    details?: Record<string, unknown>;
+}
+export interface ProofVerifierConfig {
+    cryptoProvider: CryptoProvider;
+    clockProvider: ClockProvider;
+    nonceCacheProvider: NonceCacheProvider;
+    fetchProvider: FetchProvider;
+    timestampSkewSeconds?: number;
+    nonceTtlSeconds?: number;
+}
+export declare class ProofVerifier {
+    private cryptoService;
+    private clock;
+    private nonceCache;
+    private fetch;
+    private timestampSkewSeconds;
+    private nonceTtlSeconds;
+    constructor(config: ProofVerifierConfig);
+    /**
+     * Verify a DetachedProof
+     * Automatically reconstructs canonical payload from proof.meta for signature verification
+     * @param proof - The proof to verify
+     * @param publicKeyJwk - Ed25519 public key in JWK format (from DID document)
+     * @returns Verification result
+     */
+    verifyProof(proof: DetachedProof, publicKeyJwk: Ed25519JWK): Promise<ProofVerificationResult>;
+    /**
+     * Verify proof with detached payload (for CLI/verifier compatibility)
+     * @param proof - The proof to verify
+     * @param canonicalPayload - Canonical JSON payload (for detached JWS) as string or Uint8Array
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @returns Verification result
+     */
+    verifyProofDetached(proof: DetachedProof, canonicalPayload: string | Uint8Array, publicKeyJwk: Ed25519JWK): Promise<ProofVerificationResult>;
+    /**
+     * Validate proof structure using Zod schema
+     * @private
+     */
+    private validateProofStructure;
+    /**
+     * Validate nonce replay protection
+     * @private
+     */
+    private validateNonce;
+    /**
+     * Validate timestamp skew
+     * @private
+     */
+    private validateTimestamp;
+    /**
+     * Verify JWS signature
+     * @private
+     */
+    private verifySignature;
+    /**
+     * Add nonce to cache to prevent replay (scoped to agent DID)
+     * @private
+     */
+    private addNonceToCache;
+    /**
+     * Fetch public key from DID document
+     * @param did - DID to resolve
+     * @param kid - Key ID (optional, defaults to first verification method)
+     * @returns Ed25519 JWK or null if not found
+     * @throws {ProofVerificationError} If DID resolution fails with specific error code
+     */
+    fetchPublicKeyFromDID(did: string, kid?: string): Promise<Ed25519JWK | null>;
+    /**
+     * Build canonical payload from proof meta
+     *
+     * CRITICAL: This must reconstruct the exact JWS payload structure that was originally signed.
+     * The original JWS payload uses standard JWT claims (aud, sub, iss) plus custom proof claims,
+     * NOT the proof.meta structure directly.
+     *
+     * @param meta - Proof metadata
+     * @returns Canonical JSON string matching the original JWS payload structure
+     */
+    buildCanonicalPayload(meta: DetachedProof["meta"]): string;
+}
+//# sourceMappingURL=proof-verifier.d.ts.map

package/dist/services/proof-verifier.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proof-verifier.d.ts","sourceRoot":"","sources":["../../src/services/proof-verifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAEL,KAAK,aAAa,EACnB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAGL,KAAK,0BAA0B,EAChC,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,0BAA0B,CAAC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,cAAc,CAAC;IAC/B,aAAa,EAAE,aAAa,CAAC;IAC7B,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,aAAa,EAAE,aAAa,CAAC;IAC7B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,oBAAoB,CAAS;IACrC,OAAO,CAAC,eAAe,CAAS;gBAEpB,MAAM,EAAE,mBAAmB;IASvC;;;;;;OAMG;IACG,WAAW,CACf,KAAK,EAAE,aAAa,EACpB,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,uBAAuB,CAAC;IAoEnC;;;;;;OAMG;IACG,mBAAmB,CACvB,KAAK,EAAE,aAAa,EACpB,gBAAgB,EAAE,MAAM,GAAG,UAAU,EACrC,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,uBAAuB,CAAC;IAkEnC;;;OAGG;YACW,sBAAsB;IAuBpC;;;OAGG;YACW,aAAa;IAmB3B;;;OAGG;YACW,iBAAiB;IAqB/B;;;OAGG;YACW,eAAe;IAgC7B;;;OAGG;YACW,eAAe;IAQ7B;;;;;;OAMG;IACG,qBAAqB,CACzB,GAAG,EAAE,MAAM,EACX,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAgG7B;;;;;;;;;OASG;IACH,qBAAqB,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM;CA0B3D"}