@kya-os/mcp-i-core 1.2.2-canary.25 → 1.2.2-canary.26

package/src/compliance/index.ts

@@ -0,0 +1,8 @@
+/**
+ * Schema Compliance Module
+ *
+ * Automated verification against canonical schemas from schemas.kya-os.ai
+ */
+
+export * from './schema-verifier';
+export * from './schema-registry';

package/src/compliance/schema-registry.ts

@@ -0,0 +1,460 @@
+/**
+ * Schema Registry
+ *
+ * Canonical list of all schemas from schemas.kya-os.ai
+ * Used for automated compliance verification.
+ *
+ * Auto-generated from https://schemas.kya-os.ai/schema-index.json
+ * Last updated: 2025-10-17
+ */
+
+import type { SchemaMetadata } from './schema-verifier';
+
+const SCHEMAS_BASE_URL = 'https://schemas.kya-os.ai/xmcp-i';
+
+/**
+ * Complete registry of schemas from schemas.kya-os.ai
+ *
+ * As of 2025-10-17, there are 38 schemas covering:
+ * - W3C Verifiable Credentials
+ * - MCP-I Protocol (Handshake, Proof, Session)
+ * - Delegation System
+ * - Agent Registry
+ * - CLI & Runtime
+ * - TLKRC (Tool-Level Key Rotation)
+ */
+export const SCHEMA_REGISTRY: SchemaMetadata[] = [
+  // ===================================================================
+  // W3C Verifiable Credentials
+  // ===================================================================
+  {
+    id: 'verifiable-credential',
+    url: `${SCHEMAS_BASE_URL}/vc/verifiable-credential.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'VerifiableCredential',
+    description: 'W3C Verifiable Credential Data Model',
+  },
+  {
+    id: 'verifiable-presentation',
+    url: `${SCHEMAS_BASE_URL}/vc/verifiable-presentation.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'VerifiablePresentation',
+    description: 'W3C Verifiable Presentation',
+  },
+  {
+    id: 'statuslist2021-credential',
+    url: `${SCHEMAS_BASE_URL}/vc/statuslist-2021-credential.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'StatusList2021Credential',
+    description: 'StatusList2021 Credential for efficient revocation',
+  },
+  {
+    id: 'statuslist2021-credential-subject',
+    url: `${SCHEMAS_BASE_URL}/vc/statuslist-2021-credential-subject.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'StatusList2021CredentialSubject',
+    description: 'StatusList2021 Credential Subject',
+  },
+
+  // ===================================================================
+  // Delegation Credentials
+  // ===================================================================
+  {
+    id: 'delegation-credential',
+    url: `${SCHEMAS_BASE_URL}/credentials/delegation/v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationCredential',
+    description: 'W3C VC-based delegation credential',
+  },
+
+  // ===================================================================
+  // Delegation System
+  // ===================================================================
+  {
+    id: 'delegation-record',
+    url: `${SCHEMAS_BASE_URL}/delegation/delegation-record.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationRecord',
+    description: 'Internal delegation record',
+  },
+  {
+    id: 'delegation-constraints',
+    url: `${SCHEMAS_BASE_URL}/delegation/constraints.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationConstraints',
+    description: 'CRISP constraints for delegations',
+  },
+  {
+    id: 'delegation-chain',
+    url: `${SCHEMAS_BASE_URL}/delegation/delegation-chain.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationChain',
+    description: 'Delegation chain for hierarchy tracking',
+  },
+  {
+    id: 'delegation-creation-request',
+    url: `${SCHEMAS_BASE_URL}/delegation/delegation-creation-request.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationCreationRequest',
+    description: 'Request to create a delegation',
+  },
+  {
+    id: 'delegation-verification-result',
+    url: `${SCHEMAS_BASE_URL}/delegation/delegation-verification-result.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationVerificationResult',
+    description: 'Result of delegation verification',
+  },
+
+  // ===================================================================
+  // MCP-I Protocol - Handshake
+  // ===================================================================
+  {
+    id: 'handshake-request',
+    url: `${SCHEMAS_BASE_URL}/handshake/handshake-request.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'HandshakeRequest',
+    description: 'MCP-I handshake request',
+  },
+  {
+    id: 'session-context',
+    url: `${SCHEMAS_BASE_URL}/handshake/session-context.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'SessionContext',
+    description: 'MCP-I session context',
+  },
+  {
+    id: 'nonce-cache-config',
+    url: `${SCHEMAS_BASE_URL}/handshake/nonce-cache-config.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'NonceCacheConfig',
+    description: 'Nonce cache configuration',
+  },
+  {
+    id: 'nonce-cache-entry',
+    url: `${SCHEMAS_BASE_URL}/handshake/nonce-cache-entry.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'NonceCacheEntry',
+    description: 'Nonce cache entry for replay protection',
+  },
+
+  // ===================================================================
+  // MCP-I Protocol - Proof
+  // ===================================================================
+  {
+    id: 'detached-proof',
+    url: `${SCHEMAS_BASE_URL}/proof/detached-proof.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DetachedProof',
+    description: 'MCP-I detached proof with JWS',
+  },
+  {
+    id: 'proof-meta',
+    url: `${SCHEMAS_BASE_URL}/proof/proof-meta.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'ProofMeta',
+    description: 'Metadata for MCP-I proofs',
+  },
+  {
+    id: 'proof',
+    url: `${SCHEMAS_BASE_URL}/proof/v1.0.0.json`,
+    version: '1.0.0',
+    type: 'Proof',
+    description: 'Generic proof structure',
+  },
+  {
+    id: 'proof-w3c',
+    url: `${SCHEMAS_BASE_URL}/proof/w3c/v1.0.0.json`,
+    version: '1.0.0',
+    type: 'W3CProof',
+    description: 'W3C-compliant proof',
+  },
+  {
+    id: 'audit-record',
+    url: `${SCHEMAS_BASE_URL}/proof/audit-record.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'AuditRecord',
+    description: 'Audit trail record',
+  },
+  {
+    id: 'canonical-hashes',
+    url: `${SCHEMAS_BASE_URL}/proof/canonical-hashes.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'CanonicalHashes',
+    description: 'Canonical hashes for proof generation',
+  },
+
+  // ===================================================================
+  // Agent Registry
+  // ===================================================================
+  {
+    id: 'registration-input',
+    url: `${SCHEMAS_BASE_URL}/registry/registration-input.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RegistrationInput',
+    description: 'Agent registration input',
+  },
+  {
+    id: 'registration-result',
+    url: `${SCHEMAS_BASE_URL}/registry/registration-result.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RegistrationResult',
+    description: 'Agent registration result',
+  },
+  {
+    id: 'agent-status',
+    url: `${SCHEMAS_BASE_URL}/registry/agent-status.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'AgentStatus',
+    description: 'Agent status information',
+  },
+  {
+    id: 'claim-token',
+    url: `${SCHEMAS_BASE_URL}/registry/claim-token.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'ClaimToken',
+    description: 'Token for claiming agent ownership',
+  },
+  {
+    id: 'delegation-request',
+    url: `${SCHEMAS_BASE_URL}/registry/delegation-request.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationRequest',
+    description: 'Registry delegation request',
+  },
+  {
+    id: 'delegation-response',
+    url: `${SCHEMAS_BASE_URL}/registry/delegation-response.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'DelegationResponse',
+    description: 'Registry delegation response',
+  },
+  {
+    id: 'registry-delegation',
+    url: `${SCHEMAS_BASE_URL}/registry/delegation.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RegistryDelegation',
+    description: 'Registry delegation object',
+  },
+  {
+    id: 'mirror-status',
+    url: `${SCHEMAS_BASE_URL}/registry/mirror-status.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'MirrorStatus',
+    description: 'Registry mirror status',
+  },
+  {
+    id: 'receipt',
+    url: `${SCHEMAS_BASE_URL}/registry/receipt.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'Receipt',
+    description: 'Registry receipt',
+  },
+
+  // ===================================================================
+  // Runtime
+  // ===================================================================
+  {
+    id: 'authorization-display',
+    url: `${SCHEMAS_BASE_URL}/runtime/authorization-display.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'AuthorizationDisplay',
+    description: 'Authorization display information',
+  },
+  {
+    id: 'needs-authorization-error',
+    url: `${SCHEMAS_BASE_URL}/runtime/needs-authorization-error.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'NeedsAuthorizationError',
+    description: 'Error indicating authorization is needed',
+  },
+  {
+    id: 'runtime-error',
+    url: `${SCHEMAS_BASE_URL}/runtime/runtime-error.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RuntimeError',
+    description: 'Generic runtime error',
+  },
+
+  // ===================================================================
+  // CLI
+  // ===================================================================
+  {
+    id: 'register-output',
+    url: `${SCHEMAS_BASE_URL}/cli/register-output/v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RegisterOutput',
+    description: 'CLI registration output',
+  },
+
+  // ===================================================================
+  // TLKRC (Tool-Level Key Rotation)
+  // ===================================================================
+  {
+    id: 'rotation-chain',
+    url: `${SCHEMAS_BASE_URL}/tlkrc/rotation-chain.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RotationChain',
+    description: 'Key rotation chain',
+  },
+  {
+    id: 'rotation-event',
+    url: `${SCHEMAS_BASE_URL}/tlkrc/rotation-event.v1.0.0.json`,
+    version: '1.0.0',
+    type: 'RotationEvent',
+    description: 'Key rotation event',
+  },
+
+  // ===================================================================
+  // Verifier Service
+  // ===================================================================
+  {
+    id: 'verify-page',
+    url: `${SCHEMAS_BASE_URL}/verifier/verify-page/v1.0.0.json`,
+    version: '1.0.0',
+    type: 'VerifyPage',
+    description: 'Verifier page response',
+  },
+
+  // ===================================================================
+  // Well-Known
+  // ===================================================================
+  {
+    id: 'well-known-agent',
+    url: `${SCHEMAS_BASE_URL}/well-known/agent/v1.0.0.json`,
+    version: '1.0.0',
+    type: 'WellKnownAgent',
+    description: 'Agent well-known metadata',
+  },
+];
+
+/**
+ * Get all schemas
+ */
+export function getAllSchemas(): SchemaMetadata[] {
+  return SCHEMA_REGISTRY;
+}
+
+/**
+ * Get schemas by category
+ */
+export function getSchemasByCategory(category: string): SchemaMetadata[] {
+  const categoryMap: Record<string, string[]> = {
+    'vc': [
+      'verifiable-credential',
+      'verifiable-presentation',
+      'statuslist2021-credential',
+      'statuslist2021-credential-subject',
+    ],
+    'delegation': [
+      'delegation-credential',
+      'delegation-record',
+      'delegation-constraints',
+      'delegation-chain',
+      'delegation-creation-request',
+      'delegation-verification-result',
+    ],
+    'handshake': [
+      'handshake-request',
+      'session-context',
+      'nonce-cache-config',
+      'nonce-cache-entry',
+    ],
+    'proof': [
+      'detached-proof',
+      'proof-meta',
+      'proof',
+      'proof-w3c',
+      'audit-record',
+      'canonical-hashes',
+    ],
+    'registry': [
+      'registration-input',
+      'registration-result',
+      'agent-status',
+      'claim-token',
+      'delegation-request',
+      'delegation-response',
+      'registry-delegation',
+      'mirror-status',
+      'receipt',
+    ],
+    'runtime': [
+      'authorization-display',
+      'needs-authorization-error',
+      'runtime-error',
+    ],
+    'cli': ['register-output'],
+    'tlkrc': ['rotation-chain', 'rotation-event'],
+    'verifier': ['verify-page'],
+    'well-known': ['well-known-agent'],
+  };
+
+  const ids = categoryMap[category] || [];
+  return SCHEMA_REGISTRY.filter((s) => ids.includes(s.id));
+}
+
+/**
+ * Get schema by ID
+ */
+export function getSchemaById(id: string): SchemaMetadata | undefined {
+  return SCHEMA_REGISTRY.find((s) => s.id === id);
+}
+
+/**
+ * Get critical schemas (must be 100% compliant)
+ *
+ * These are the core schemas that power the MCP-I protocol and must
+ * be fully compliant for the system to function correctly.
+ */
+export function getCriticalSchemas(): SchemaMetadata[] {
+  const criticalIds = [
+    // W3C VC Core
+    'verifiable-credential',
+    'statuslist2021-credential',
+
+    // Delegation System
+    'delegation-credential',
+    'delegation-record',
+    'delegation-constraints',
+
+    // MCP-I Protocol
+    'detached-proof',
+    'proof-meta',
+    'handshake-request',
+    'session-context',
+
+    // Audit
+    'audit-record',
+  ];
+
+  return SCHEMA_REGISTRY.filter((s) => criticalIds.includes(s.id));
+}
+
+/**
+ * Get schema statistics
+ */
+export function getSchemaStats(): {
+  total: number;
+  byCategory: Record<string, number>;
+  byVersion: Record<string, number>;
+} {
+  const byCategory: Record<string, number> = {};
+  const byVersion: Record<string, number> = {};
+
+  for (const schema of SCHEMA_REGISTRY) {
+    // Category stats (inferred from URL)
+    const urlParts = schema.url.replace(SCHEMAS_BASE_URL + '/', '').split('/');
+    const category = urlParts[0] || 'unknown';
+    byCategory[category] = (byCategory[category] || 0) + 1;
+
+    // Version stats
+    byVersion[schema.version] = (byVersion[schema.version] || 0) + 1;
+  }
+
+  return {
+    total: SCHEMA_REGISTRY.length,
+    byCategory,
+    byVersion,
+  };
+}