@kya-os/mcp-i-core 1.1.13-canary.2 → 1.2.1-canary.0

package/dist/services/proof-verifier.js

@@ -0,0 +1,319 @@
+"use strict";
+/**
+ * ProofVerifier
+ *
+ * Centralized proof verification service that validates DetachedProof
+ * signatures, enforces nonce replay protection, and checks timestamp skew.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProofVerifier = void 0;
+const crypto_service_js_1 = require("./crypto.service.js");
+const proof_1 = require("@kya-os/contracts/proof");
+const json_canonicalize_1 = require("json-canonicalize");
+const errors_js_1 = require("./errors.js");
+class ProofVerifier {
+    cryptoService;
+    clock;
+    nonceCache;
+    fetch;
+    timestampSkewSeconds;
+    nonceTtlSeconds;
+    constructor(config) {
+        this.cryptoService = new crypto_service_js_1.CryptoService(config.cryptoProvider);
+        this.clock = config.clockProvider;
+        this.nonceCache = config.nonceCacheProvider;
+        this.fetch = config.fetchProvider;
+        this.timestampSkewSeconds = config.timestampSkewSeconds ?? 120; // Default 2 minutes
+        this.nonceTtlSeconds = config.nonceTtlSeconds ?? 300; // Default 5 minutes
+    }
+    /**
+     * Verify a DetachedProof
+     * Automatically reconstructs canonical payload from proof.meta for signature verification
+     * @param proof - The proof to verify
+     * @param publicKeyJwk - Ed25519 public key in JWK format (from DID document)
+     * @returns Verification result
+     */
+    async verifyProof(proof, publicKeyJwk) {
+        try {
+            // 1. Validate proof structure
+            const structureValidation = await this.validateProofStructure(proof);
+            if (!structureValidation.valid) {
+                return structureValidation;
+            }
+            const validatedProof = structureValidation.proof;
+            // 2. Check nonce replay protection (scoped to agent DID to prevent cross-agent replay attacks)
+            const nonceValidation = await this.validateNonce(validatedProof.meta.nonce, validatedProof.meta.did);
+            if (!nonceValidation.valid) {
+                return nonceValidation;
+            }
+            // 3. Check timestamp skew
+            const timestampValidation = await this.validateTimestamp(validatedProof.meta.ts);
+            if (!timestampValidation.valid) {
+                return timestampValidation;
+            }
+            // 4. Reconstruct canonical payload from proof meta
+            const canonicalPayloadString = this.buildCanonicalPayload(validatedProof.meta);
+            const canonicalPayloadBytes = new TextEncoder().encode(canonicalPayloadString);
+            // 5. Verify JWS signature with detached canonical payload
+            const signatureValidation = await this.verifySignature(validatedProof.jws, publicKeyJwk, canonicalPayloadBytes, validatedProof.meta.kid);
+            if (!signatureValidation.valid) {
+                return signatureValidation;
+            }
+            // 6. Add nonce to cache to prevent replay (scoped to agent DID)
+            await this.addNonceToCache(validatedProof.meta.nonce, validatedProof.meta.did);
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            // Security-safe failure: never throw, always return error result
+            return {
+                valid: false,
+                reason: "Proof verification error",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_ERROR,
+                error: error instanceof Error ? error : new Error(String(error)),
+                details: {
+                    errorMessage: error instanceof Error ? error.message : String(error),
+                },
+            };
+        }
+    }
+    /**
+     * Verify proof with detached payload (for CLI/verifier compatibility)
+     * @param proof - The proof to verify
+     * @param canonicalPayload - Canonical JSON payload (for detached JWS) as string or Uint8Array
+     * @param publicKeyJwk - Ed25519 public key in JWK format
+     * @returns Verification result
+     */
+    async verifyProofDetached(proof, canonicalPayload, publicKeyJwk) {
+        try {
+            // 1. Validate proof structure
+            const structureValidation = await this.validateProofStructure(proof);
+            if (!structureValidation.valid) {
+                return structureValidation;
+            }
+            const validatedProof = structureValidation.proof;
+            // 2. Check nonce replay protection (scoped to agent DID to prevent cross-agent replay attacks)
+            const nonceValidation = await this.validateNonce(validatedProof.meta.nonce, validatedProof.meta.did);
+            if (!nonceValidation.valid) {
+                return nonceValidation;
+            }
+            // 3. Check timestamp skew
+            const timestampValidation = await this.validateTimestamp(validatedProof.meta.ts);
+            if (!timestampValidation.valid) {
+                return timestampValidation;
+            }
+            // 4. Convert canonical payload to Uint8Array if needed
+            const canonicalPayloadBytes = canonicalPayload instanceof Uint8Array
+                ? canonicalPayload
+                : new TextEncoder().encode(canonicalPayload);
+            // 5. Verify JWS signature with detached payload
+            const signatureValidation = await this.verifySignature(validatedProof.jws, publicKeyJwk, canonicalPayloadBytes, validatedProof.meta.kid);
+            if (!signatureValidation.valid) {
+                return signatureValidation;
+            }
+            // 6. Add nonce to cache (scoped to agent DID)
+            await this.addNonceToCache(validatedProof.meta.nonce, validatedProof.meta.did);
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            // Security-safe failure: never throw, always return error result
+            return {
+                valid: false,
+                reason: "Proof verification error",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_ERROR,
+                error: error instanceof Error ? error : new Error(String(error)),
+                details: {
+                    errorMessage: error instanceof Error ? error.message : String(error),
+                },
+            };
+        }
+    }
+    /**
+     * Validate proof structure using Zod schema
+     * @private
+     */
+    async validateProofStructure(proof) {
+        const validationResult = proof_1.DetachedProofSchema.safeParse(proof);
+        if (!validationResult.success) {
+            return {
+                valid: false,
+                reason: "Invalid proof structure",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.INVALID_PROOF_STRUCTURE,
+                error: new Error(`Proof validation failed: ${validationResult.error.message}`),
+                details: {
+                    zodErrors: validationResult.error.errors,
+                },
+            };
+        }
+        return {
+            valid: true,
+            proof: validationResult.data,
+        };
+    }
+    /**
+     * Validate nonce replay protection
+     * @private
+     */
+    async validateNonce(nonce, agentDid) {
+        const nonceUsed = await this.nonceCache.has(nonce, agentDid);
+        if (nonceUsed) {
+            return {
+                valid: false,
+                reason: "Nonce already used (replay attack detected)",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.NONCE_REPLAY_DETECTED,
+                details: {
+                    nonce,
+                    agentDid,
+                },
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Validate timestamp skew
+     * @private
+     */
+    async validateTimestamp(timestamp) {
+        // Convert seconds to milliseconds for clock provider (which uses Date.now())
+        const timestampMs = timestamp * 1000;
+        if (!this.clock.isWithinSkew(timestampMs, this.timestampSkewSeconds)) {
+            return {
+                valid: false,
+                reason: `Timestamp out of skew window (skew: ${this.timestampSkewSeconds}s)`,
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.TIMESTAMP_SKEW_EXCEEDED,
+                details: {
+                    timestamp,
+                    timestampMs,
+                    skewSeconds: this.timestampSkewSeconds,
+                    currentTime: this.clock.now(),
+                },
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Verify JWS signature
+     * @private
+     */
+    async verifySignature(jws, publicKeyJwk, canonicalPayloadBytes, expectedKid) {
+        const signatureValid = await this.cryptoService.verifyJWS(jws, publicKeyJwk, {
+            detachedPayload: canonicalPayloadBytes,
+            expectedKid,
+            alg: "EdDSA",
+        });
+        if (!signatureValid) {
+            return {
+                valid: false,
+                reason: "Invalid JWS signature",
+                errorCode: errors_js_1.PROOF_VERIFICATION_ERROR_CODES.INVALID_JWS_SIGNATURE,
+                details: {
+                    jwsLength: jws.length,
+                    expectedKid,
+                    actualKid: publicKeyJwk.kid,
+                },
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Add nonce to cache to prevent replay (scoped to agent DID)
+     * @private
+     */
+    async addNonceToCache(nonce, agentDid) {
+        // Pass TTL in seconds, not absolute timestamp
+        await this.nonceCache.add(nonce, this.nonceTtlSeconds, agentDid);
+    }
+    /**
+     * Fetch public key from DID document
+     * @param did - DID to resolve
+     * @param kid - Key ID (optional, defaults to first verification method)
+     * @returns Ed25519 JWK or null if not found
+     * @throws {ProofVerificationError} If DID resolution fails with specific error code
+     */
+    async fetchPublicKeyFromDID(did, kid) {
+        try {
+            const didDoc = await this.fetch.resolveDID(did);
+            if (!didDoc) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.DID_DOCUMENT_NOT_FOUND, `DID document not found: ${did}`, { did });
+            }
+            if (!didDoc.verificationMethod ||
+                didDoc.verificationMethod.length === 0) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND, `No verification methods found in DID document: ${did}`, { did });
+            }
+            // Find verification method by kid or use first one
+            let verificationMethod;
+            if (kid) {
+                const kidWithHash = kid.startsWith("#") ? kid : `#${kid}`;
+                verificationMethod = didDoc.verificationMethod.find((vm) => vm.id === kidWithHash || vm.id === `${did}${kidWithHash}`);
+                if (!verificationMethod) {
+                    throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND, `Verification method not found for kid: ${kid}`, {
+                        did,
+                        kid,
+                        availableKids: didDoc.verificationMethod.map((vm) => vm.id),
+                    });
+                }
+            }
+            else {
+                verificationMethod = didDoc.verificationMethod[0];
+            }
+            if (!verificationMethod?.publicKeyJwk) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.PUBLIC_KEY_NOT_FOUND, `Public key JWK not found in verification method`, { did, kid, verificationMethodId: verificationMethod?.id });
+            }
+            const jwk = verificationMethod.publicKeyJwk;
+            // Validate it's an Ed25519 key
+            if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || !jwk.x) {
+                throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.INVALID_JWK_FORMAT, `Unsupported key type or curve: kty=${jwk.kty}, crv=${jwk.crv}`, { did, kid, jwk: { kty: jwk.kty, crv: jwk.crv } });
+            }
+            return jwk;
+        }
+        catch (error) {
+            if (error instanceof errors_js_1.ProofVerificationError) {
+                throw error;
+            }
+            console.error("[ProofVerifier] Failed to fetch public key from DID:", error);
+            throw new errors_js_1.ProofVerificationError(errors_js_1.PROOF_VERIFICATION_ERROR_CODES.DID_RESOLUTION_FAILED, `DID resolution failed: ${error instanceof Error ? error.message : String(error)}`, {
+                did,
+                kid,
+                originalError: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    /**
+     * Build canonical payload from proof meta
+     *
+     * CRITICAL: This must reconstruct the exact JWS payload structure that was originally signed.
+     * The original JWS payload uses standard JWT claims (aud, sub, iss) plus custom proof claims,
+     * NOT the proof.meta structure directly.
+     *
+     * @param meta - Proof metadata
+     * @returns Canonical JSON string matching the original JWS payload structure
+     */
+    buildCanonicalPayload(meta) {
+        // Reconstruct the original JWS payload structure that was signed
+        // This matches the structure used in proof generation (proof.ts, proof-generator.ts)
+        const payload = {
+            // Standard JWT claims (RFC 7519) - these are what was actually signed
+            aud: meta.audience, // Audience (who the token is for)
+            sub: meta.did, // Subject (agent DID)
+            iss: meta.did, // Issuer (agent DID - self-issued)
+            // Custom MCP-I proof claims
+            requestHash: meta.requestHash,
+            responseHash: meta.responseHash,
+            ts: meta.ts,
+            nonce: meta.nonce,
+            sessionId: meta.sessionId,
+            // Optional claims (only include if present)
+            ...(meta.scopeId && { scopeId: meta.scopeId }),
+            ...(meta.delegationRef && { delegationRef: meta.delegationRef }),
+            ...(meta.clientDid && { clientDid: meta.clientDid }),
+        };
+        // Canonicalize the reconstructed payload using the same function as proof generation
+        // CRITICAL: Must use json-canonicalize canonicalize() to match proof.ts exactly
+        return (0, json_canonicalize_1.canonicalize)(payload);
+    }
+}
+exports.ProofVerifier = ProofVerifier;
+//# sourceMappingURL=proof-verifier.js.map

package/dist/services/proof-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof-verifier.js","sourceRoot":"","sources":["../../src/services/proof-verifier.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,2DAAqE;AAKrE,mDAGiC;AACjC,yDAAiD;AACjD,2CAIqB;AAmBrB,MAAa,aAAa;IAChB,aAAa,CAAgB;IAC7B,KAAK,CAAgB;IACrB,UAAU,CAAqB;IAC/B,KAAK,CAAgB;IACrB,oBAAoB,CAAS;IAC7B,eAAe,CAAS;IAEhC,YAAY,MAA2B;QACrC,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC9D,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAC5C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC;QAClC,IAAI,CAAC,oBAAoB,GAAG,MAAM,CAAC,oBAAoB,IAAI,GAAG,CAAC,CAAC,oBAAoB;QACpF,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,GAAG,CAAC,CAAC,oBAAoB;IAC5E,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CACf,KAAoB,EACpB,YAAwB;QAExB,IAAI,CAAC;YACH,8BAA8B;YAC9B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;YACrE,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YACD,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAM,CAAC;YAElD,+FAA+F;YAC/F,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAC9C,cAAc,CAAC,IAAI,CAAC,KAAK,EACzB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YACF,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC3B,OAAO,eAAe,CAAC;YACzB,CAAC;YAED,0BAA0B;YAC1B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CACtD,cAAc,CAAC,IAAI,CAAC,EAAE,CACvB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,mDAAmD;YACnD,MAAM,sBAAsB,GAAG,IAAI,CAAC,qBAAqB,CACvD,cAAc,CAAC,IAAI,CACpB,CAAC;YACF,MAAM,qBAAqB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACpD,sBAAsB,CACvB,CAAC;YAEF,0DAA0D;YAC1D,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,eAAe,CACpD,cAAc,CAAC,GAAG,EAClB,YAAY,EACZ,qBAAqB,EACrB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,gEAAgE;YAChE,MAAM,IAAI,CAAC,eAAe,CACxB,cAAc,CAAC,IAAI,CAAC,KAAK,EACzB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YAEF,OAAO;gBACL,KAAK,EAAE,IAAI;aACZ,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iEAAiE;YACjE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0BAA0B;gBAClC,SAAS,EAAE,0CAA8B,CAAC,kBAAkB;gBAC5D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChE,OAAO,EAAE;oBACP,YAAY,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBACrE;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CACvB,KAAoB,EACpB,gBAAqC,EACrC,YAAwB;QAExB,IAAI,CAAC;YACH,8BAA8B;YAC9B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;YACrE,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YACD,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAM,CAAC;YAElD,+FAA+F;YAC/F,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAC9C,cAAc,CAAC,IAAI,CAAC,KAAK,EACzB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YACF,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC3B,OAAO,eAAe,CAAC;YACzB,CAAC;YAED,0BAA0B;YAC1B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CACtD,cAAc,CAAC,IAAI,CAAC,EAAE,CACvB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,uDAAuD;YACvD,MAAM,qBAAqB,GACzB,gBAAgB,YAAY,UAAU;gBACpC,CAAC,CAAC,gBAAgB;gBAClB,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAEjD,gDAAgD;YAChD,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,eAAe,CACpD,cAAc,CAAC,GAAG,EAClB,YAAY,EACZ,qBAAqB,EACrB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YACF,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YAED,8CAA8C;YAC9C,MAAM,IAAI,CAAC,eAAe,CACxB,cAAc,CAAC,IAAI,CAAC,KAAK,EACzB,cAAc,CAAC,IAAI,CAAC,GAAG,CACxB,CAAC;YAEF,OAAO;gBACL,KAAK,EAAE,IAAI;aACZ,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iEAAiE;YACjE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0BAA0B;gBAClC,SAAS,EAAE,0CAA8B,CAAC,kBAAkB;gBAC5D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChE,OAAO,EAAE;oBACP,YAAY,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBACrE;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,sBAAsB,CAClC,KAAoB;QAEpB,MAAM,gBAAgB,GAAG,2BAAmB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,yBAAyB;gBACjC,SAAS,EAAE,0CAA8B,CAAC,uBAAuB;gBACjE,KAAK,EAAE,IAAI,KAAK,CACd,4BAA4B,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,CAC7D;gBACD,OAAO,EAAE;oBACP,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC,MAAM;iBACzC;aACF,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,gBAAgB,CAAC,IAAI;SAC7B,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,aAAa,CACzB,KAAa,EACb,QAAiB;QAEjB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC7D,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,6CAA6C;gBACrD,SAAS,EAAE,0CAA8B,CAAC,qBAAqB;gBAC/D,OAAO,EAAE;oBACP,KAAK;oBACL,QAAQ;iBACT;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,iBAAiB,CAC7B,SAAiB;QAEjB,6EAA6E;QAC7E,MAAM,WAAW,GAAG,SAAS,GAAG,IAAI,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC;YACrE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uCAAuC,IAAI,CAAC,oBAAoB,IAAI;gBAC5E,SAAS,EAAE,0CAA8B,CAAC,uBAAuB;gBACjE,OAAO,EAAE;oBACP,SAAS;oBACT,WAAW;oBACX,WAAW,EAAE,IAAI,CAAC,oBAAoB;oBACtC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;iBAC9B;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,eAAe,CAC3B,GAAW,EACX,YAAwB,EACxB,qBAAiC,EACjC,WAAoB;QAEpB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CACvD,GAAG,EACH,YAAY,EACZ;YACE,eAAe,EAAE,qBAAqB;YACtC,WAAW;YACX,GAAG,EAAE,OAAO;SACb,CACF,CAAC;QAEF,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uBAAuB;gBAC/B,SAAS,EAAE,0CAA8B,CAAC,qBAAqB;gBAC/D,OAAO,EAAE;oBACP,SAAS,EAAE,GAAG,CAAC,MAAM;oBACrB,WAAW;oBACX,SAAS,EAAE,YAAY,CAAC,GAAG;iBAC5B;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,eAAe,CAC3B,KAAa,EACb,QAAgB;QAEhB,8CAA8C;QAC9C,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IACnE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,qBAAqB,CACzB,GAAW,EACX,GAAY;QAEZ,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YAEhD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,sBAAsB,EACrD,2BAA2B,GAAG,EAAE,EAChC,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,IACE,CAAC,MAAM,CAAC,kBAAkB;gBAC1B,MAAM,CAAC,kBAAkB,CAAC,MAAM,KAAK,CAAC,EACtC,CAAC;gBACD,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,6BAA6B,EAC5D,kDAAkD,GAAG,EAAE,EACvD,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,mDAAmD;YACnD,IAAI,kBAES,CAAC;YACd,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC;gBAC1D,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CACjD,CAAC,EAAkB,EAAE,EAAE,CACrB,EAAE,CAAC,EAAE,KAAK,WAAW,IAAI,EAAE,CAAC,EAAE,KAAK,GAAG,GAAG,GAAG,WAAW,EAAE,CAC5D,CAAC;gBAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,6BAA6B,EAC5D,0CAA0C,GAAG,EAAE,EAC/C;wBACE,GAAG;wBACH,GAAG;wBACH,aAAa,EAAE,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAC1C,CAAC,EAAkB,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAC9B;qBACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,CAAC,kBAAkB,EAAE,YAAY,EAAE,CAAC;gBACtC,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,oBAAoB,EACnD,iDAAiD,EACjD,EAAE,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAC3D,CAAC;YACJ,CAAC;YAED,MAAM,GAAG,GAAG,kBAAkB,CAAC,YAK9B,CAAC;YAEF,+BAA+B;YAC/B,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,kBAAkB,EACjD,sCAAsC,GAAG,CAAC,GAAG,SAAS,GAAG,CAAC,GAAG,EAAE,EAC/D,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,CAClD,CAAC;YACJ,CAAC;YAED,OAAO,GAAiB,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,kCAAsB,EAAE,CAAC;gBAC5C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,OAAO,CAAC,KAAK,CACX,sDAAsD,EACtD,KAAK,CACN,CAAC;YACF,MAAM,IAAI,kCAAsB,CAC9B,0CAA8B,CAAC,qBAAqB,EACpD,0BAA0B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAClF;gBACE,GAAG;gBACH,GAAG;gBACH,aAAa,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aACtE,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACH,qBAAqB,CAAC,IAA2B;QAC/C,iEAAiE;QACjE,qFAAqF;QACrF,MAAM,OAAO,GAAG;YACd,sEAAsE;YACtE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,kCAAkC;YACtD,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,sBAAsB;YACrC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,mCAAmC;YAElD,4BAA4B;YAC5B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YAEzB,4CAA4C;YAC5C,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;YAC9C,GAAG,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;YAChE,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;SACrD,CAAC;QAEF,qFAAqF;QACrF,gFAAgF;QAChF,OAAO,IAAA,gCAAY,EAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;CACF;AArbD,sCAqbC"}

package/dist/services/storage.service.d.ts

@@ -0,0 +1,116 @@
+/**
+ * Storage Service Factory
+ *
+ * Auto-selects storage providers based on available configuration.
+ * Priority: Redis > Cloudflare KV > Cloudflare Durable Objects > Memory
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import { StorageProvider, NonceCacheProvider } from "../providers/base.js";
+/**
+ * Storage service configuration
+ */
+export interface StorageServiceConfig {
+    /** Redis URL (e.g., "redis://localhost:6379") */
+    redisUrl?: string;
+    /** Cloudflare KV namespace */
+    kvNamespace?: {
+        get(key: string): Promise<string | null>;
+        put(key: string, value: string, options?: {
+            expirationTtl?: number;
+        }): Promise<void>;
+        delete(key: string): Promise<void>;
+        list(options?: {
+            prefix?: string;
+        }): Promise<{
+            keys: Array<{
+                name: string;
+            }>;
+        }>;
+    };
+    /** Cloudflare Durable Object state */
+    durableObjectState?: {
+        storage: {
+            get(key: string): Promise<string | undefined>;
+            put(key: string, value: string): Promise<void>;
+            delete(key: string): Promise<void>;
+            list(options?: {
+                prefix?: string;
+            }): Promise<Map<string, string>>;
+        };
+    };
+    /** Fallback to memory if no external storage configured (default: true) */
+    fallbackToMemory?: boolean;
+}
+/**
+ * Storage providers result
+ */
+export interface StorageProviders {
+    storageProvider: StorageProvider;
+    nonceCacheProvider: NonceCacheProvider;
+}
+/**
+ * Key helper functions for consistent key formatting
+ */
+export declare class StorageKeyHelpers {
+    /**
+     * Build delegation key using composite format
+     * Format: delegation:${userDid}:${agentDid}:${projectId}
+     */
+    static buildDelegationKey(userDid: string, agentDid: string, projectId: string): string;
+    /**
+     * Build session key
+     * Format: session:${sessionId}
+     */
+    static buildSessionKey(sessionId: string): string;
+    /**
+     * Build nonce key
+     * Format: nonce:${agentDid}:${nonce}
+     */
+    static buildNonceKey(agentDid: string, nonce: string): string;
+    /**
+     * Parse delegation key back into components
+     *
+     * Format: delegation:${userDid}:${agentDid}:${projectId}
+     *
+     * Note: DIDs contain colons (e.g., did:key:z123), so we can't simply split by ":"
+     * Instead, we:
+     * 1. Check that key starts with "delegation:"
+     * 2. Take the last part as projectId (doesn't contain colons)
+     * 3. Find where agentDid starts (look for "did:" pattern)
+     * 4. Everything before agentDid is userDid, everything between agentDid and projectId is agentDid
+     *
+     * Strategy: Since DIDs always start with "did:", we can find the second occurrence of "did:"
+     * to determine where agentDid begins. However, this assumes userDid and agentDid both start with "did:".
+     *
+     * For keys like "delegation:did:key:user123:did:key:agent456:project-789":
+     * - Remove "delegation:" prefix → "did:key:user123:did:key:agent456:project-789"
+     * - Find last ":" → separates agentDid from projectId
+     * - projectId = "project-789"
+     * - Find second occurrence of "did:" → separates userDid from agentDid
+     * - userDid = "did:key:user123"
+     * - agentDid = "did:key:agent456"
+     */
+    static parseDelegationKey(key: string): {
+        userDid: string;
+        agentDid: string;
+        projectId: string;
+    } | null;
+}
+/**
+ * Create storage providers based on configuration
+ *
+ * Priority order:
+ * 1. Redis (if redisUrl provided)
+ * 2. Cloudflare KV (if kvNamespace provided)
+ * 3. Cloudflare Durable Objects (if durableObjectState provided)
+ * 4. In-memory fallback (if fallbackToMemory is true, default)
+ */
+export declare function createStorageProviders(config: StorageServiceConfig): Promise<StorageProviders>;
+/**
+ * Migration utility for legacy key formats
+ *
+ * Migrates keys from old format (e.g., `agent:${did}:delegation`) to new composite format
+ */
+export declare function migrateLegacyKeys(oldKeyPrefix: string, newKeyFormat: (oldKey: string) => string | null, storageProvider: StorageProvider, batchSize?: number): Promise<number>;
+//# sourceMappingURL=storage.service.d.ts.map

package/dist/services/storage.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.service.d.ts","sourceRoot":"","sources":["../../src/services/storage.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,eAAe,EACf,kBAAkB,EACnB,MAAM,sBAAsB,CAAC;AAM9B;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8BAA8B;IAC9B,WAAW,CAAC,EAAE;QACZ,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACzC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;YAAE,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACrF,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,OAAO,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC;YAAE,IAAI,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC,CAAC;KACjF,CAAC;IAEF,sCAAsC;IACtC,kBAAkB,CAAC,EAAE;QACnB,OAAO,EAAE;YACP,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;YAC9C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,EAAE;gBAAE,MAAM,CAAC,EAAE,MAAM,CAAA;aAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;SACnE,CAAC;KACH,CAAC;IAEF,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,EAAE,kBAAkB,CAAC;CACxC;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;;OAGG;IACH,MAAM,CAAC,kBAAkB,CACvB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,MAAM;IAIT;;;OAGG;IACH,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAIjD;;;OAGG;IACH,MAAM,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IAI7D;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,MAAM,CAAC,kBAAkB,CACvB,GAAG,EAAE,MAAM,GACV;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAgEnE;AAmMD;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,gBAAgB,CAAC,CAyG3B;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,EAC/C,eAAe,EAAE,eAAe,EAChC,SAAS,SAAM,GACd,OAAO,CAAC,MAAM,CAAC,CA4CjB"}