npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.7 → 1.3.1 - Mend

@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (225) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test.log +2979 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +119 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +88 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +128 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +121 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +429 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +591 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +202 -0
package/src/services/__tests__/provider-resolver.test.ts +213 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +169 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +141 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +146 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/providers/base.d.ts ADDED Viewed

@@ -0,0 +1,91 @@
+/**
+ * Base Provider Classes
+ *
+ * Abstract classes that define the provider interfaces for
+ * platform-specific implementations.
+ */
+/**
+ * Cryptographic operations provider
+ */
+export declare abstract class CryptoProvider {
+    abstract sign(data: Uint8Array, privateKey: string): Promise<Uint8Array>;
+    abstract verify(data: Uint8Array, signature: Uint8Array, publicKey: string): Promise<boolean>;
+    abstract generateKeyPair(): Promise<{
+        privateKey: string;
+        publicKey: string;
+    }>;
+    abstract hash(data: Uint8Array): Promise<Uint8Array>;
+    abstract randomBytes(length: number): Promise<Uint8Array>;
+}
+/**
+ * Clock/timing operations provider
+ */
+export declare abstract class ClockProvider {
+    abstract now(): number;
+    abstract isWithinSkew(timestamp: number, skewSeconds: number): boolean;
+    abstract hasExpired(expiresAt: number): boolean;
+    abstract calculateExpiry(ttlSeconds: number): number;
+    abstract format(timestamp: number): string;
+}
+/**
+ * Network fetch operations provider
+ */
+export declare abstract class FetchProvider {
+    abstract resolveDID(did: string): Promise<any>;
+    abstract fetchStatusList(url: string): Promise<any>;
+    abstract fetchDelegationChain(id: string): Promise<any[]>;
+    abstract fetch(url: string, options?: any): Promise<Response>;
+}
+/**
+ * Storage operations provider
+ */
+export declare abstract class StorageProvider {
+    abstract get(key: string): Promise<string | null>;
+    abstract set(key: string, value: string): Promise<void>;
+    abstract delete(key: string): Promise<void>;
+    abstract exists(key: string): Promise<boolean>;
+    abstract list(prefix?: string): Promise<string[]>;
+}
+/**
+ * Nonce cache provider
+ * Handles replay prevention
+ *
+ * Nonces should be scoped per agent to prevent cross-agent replay attacks.
+ * When agentDid is provided, implementations should use agent-scoped keys.
+ */
+export declare abstract class NonceCacheProvider {
+    /**
+     * Check if a nonce has been used
+     * @param nonce - The nonce to check
+     * @param agentDid - Optional agent DID for scoping (prevents cross-agent replay attacks)
+     */
+    abstract has(nonce: string, agentDid?: string): Promise<boolean>;
+    /**
+     * Add a nonce to the cache
+     * @param nonce - The nonce to cache
+     * @param ttlSeconds - Time to live in seconds (callers now pass TTL, not absolute timestamp)
+     * @param agentDid - Optional agent DID for scoping (prevents cross-agent replay attacks)
+     */
+    abstract add(nonce: string, ttlSeconds: number, agentDid?: string): Promise<void>;
+    abstract cleanup(): Promise<void>;
+    abstract destroy(): Promise<void>;
+}
+/**
+ * Identity provider for managing agent identities
+ */
+export interface AgentIdentity {
+    did: string;
+    kid: string;
+    privateKey: string;
+    publicKey: string;
+    createdAt: string;
+    type: 'development' | 'production';
+    metadata?: Record<string, any>;
+}
+export declare abstract class IdentityProvider {
+    abstract getIdentity(): Promise<AgentIdentity>;
+    abstract saveIdentity(identity: AgentIdentity): Promise<void>;
+    abstract rotateKeys(): Promise<AgentIdentity>;
+    abstract deleteIdentity(): Promise<void>;
+}
+//# sourceMappingURL=base.d.ts.map

package/src/providers/base.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"base.d.ts","sourceRoot":"","sources":["base.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,8BAAsB,cAAc;IAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IACxE,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAC7F,QAAQ,CAAC,eAAe,IAAI,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9E,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACpD,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAC1D;AAED;;GAEG;AACH,8BAAsB,aAAa;IACjC,QAAQ,CAAC,GAAG,IAAI,MAAM;IACtB,QAAQ,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;IACtE,QAAQ,CAAC,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAC/C,QAAQ,CAAC,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IACpD,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAC3C;AAED;;GAEG;AACH,8BAAsB,aAAa;IACjC,QAAQ,CAAC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAC9C,QAAQ,CAAC,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IACnD,QAAQ,CAAC,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACzD,QAAQ,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;CAC9D;AAED;;GAEG;AACH,8BAAsB,eAAe;IACnC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IACjD,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IACvD,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3C,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAC9C,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAClD;AAED;;;;;;GAMG;AACH,8BAAsB,kBAAkB;IACtC;;;;OAIG;IACH,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAEhE;;;;;OAKG;IACH,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAEjF,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IACjC,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,aAAa,GAAG,YAAY,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAED,8BAAsB,gBAAgB;IACpC,QAAQ,CAAC,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;IAC9C,QAAQ,CAAC,YAAY,CAAC,QAAQ,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAC7D,QAAQ,CAAC,UAAU,IAAI,OAAO,CAAC,aAAa,CAAC;IAC7C,QAAQ,CAAC,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;CACzC"}

package/src/providers/base.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"base.js","sourceRoot":"","sources":["base.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,OAAgB,cAAc;CAMnC;AAED;;GAEG;AACH,MAAM,OAAgB,aAAa;CAMlC;AAED;;GAEG;AACH,MAAM,OAAgB,aAAa;CAKlC;AAED;;GAEG;AACH,MAAM,OAAgB,eAAe;CAMpC;AAED;;;;;;GAMG;AACH,MAAM,OAAgB,kBAAkB;CAkBvC;AAeD,MAAM,OAAgB,gBAAgB;CAKrC"}

package/src/providers/base.ts ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Base Provider Classes
+ *
+ * Abstract classes that define the provider interfaces for
+ * platform-specific implementations.
+ */
+/**
+ * Cryptographic operations provider
+ */
+export abstract class CryptoProvider {
+  abstract sign(data: Uint8Array, privateKey: string): Promise<Uint8Array>;
+  abstract verify(data: Uint8Array, signature: Uint8Array, publicKey: string): Promise<boolean>;
+  abstract generateKeyPair(): Promise<{ privateKey: string; publicKey: string }>;
+  abstract hash(data: Uint8Array): Promise<Uint8Array>;
+  abstract randomBytes(length: number): Promise<Uint8Array>;
+}
+/**
+ * Clock/timing operations provider
+ */
+export abstract class ClockProvider {
+  abstract now(): number;
+  abstract isWithinSkew(timestamp: number, skewSeconds: number): boolean;
+  abstract hasExpired(expiresAt: number): boolean;
+  abstract calculateExpiry(ttlSeconds: number): number;
+  abstract format(timestamp: number): string;
+}
+/**
+ * Network fetch operations provider
+ */
+export abstract class FetchProvider {
+  abstract resolveDID(did: string): Promise<any>;
+  abstract fetchStatusList(url: string): Promise<any>;
+  abstract fetchDelegationChain(id: string): Promise<any[]>;
+  abstract fetch(url: string, options?: any): Promise<Response>;
+}
+/**
+ * Storage operations provider
+ */
+export abstract class StorageProvider {
+  abstract get(key: string): Promise<string | null>;
+  abstract set(key: string, value: string): Promise<void>;
+  abstract delete(key: string): Promise<void>;
+  abstract exists(key: string): Promise<boolean>;
+  abstract list(prefix?: string): Promise<string[]>;
+}
+/**
+ * Nonce cache provider
+ * Handles replay prevention
+ *
+ * Nonces should be scoped per agent to prevent cross-agent replay attacks.
+ * When agentDid is provided, implementations should use agent-scoped keys.
+ */
+export abstract class NonceCacheProvider {
+  /**
+   * Check if a nonce has been used
+   * @param nonce - The nonce to check
+   * @param agentDid - Optional agent DID for scoping (prevents cross-agent replay attacks)
+   */
+  abstract has(nonce: string, agentDid?: string): Promise<boolean>;
+  /**
+   * Add a nonce to the cache
+   * @param nonce - The nonce to cache
+   * @param ttlSeconds - Time to live in seconds (callers now pass TTL, not absolute timestamp)
+   * @param agentDid - Optional agent DID for scoping (prevents cross-agent replay attacks)
+   */
+  abstract add(nonce: string, ttlSeconds: number, agentDid?: string): Promise<void>;
+  abstract cleanup(): Promise<void>;
+  abstract destroy(): Promise<void>;
+}
+/**
+ * Identity provider for managing agent identities
+ */
+export interface AgentIdentity {
+  did: string;
+  kid: string;
+  privateKey: string;
+  publicKey: string;
+  createdAt: string;
+  type: 'development' | 'production';
+  metadata?: Record<string, any>;
+}
+export abstract class IdentityProvider {
+  abstract getIdentity(): Promise<AgentIdentity>;
+  abstract saveIdentity(identity: AgentIdentity): Promise<void>;
+  abstract rotateKeys(): Promise<AgentIdentity>;
+  abstract deleteIdentity(): Promise<void>;
+}

package/src/providers/memory.ts ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+ * Memory-based provider implementations
+ *
+ * Simple in-memory implementations for development and testing.
+ */
+import {
+  StorageProvider,
+  NonceCacheProvider,
+  IdentityProvider,
+  AgentIdentity
+} from './base';
+/**
+ * In-memory storage provider
+ */
+export class MemoryStorageProvider extends StorageProvider {
+  private store: Map<string, string> = new Map();
+  async get(key: string): Promise<string | null> {
+    return this.store.get(key) ?? null;
+  }
+  async set(key: string, value: string): Promise<void> {
+    this.store.set(key, value);
+  }
+  async delete(key: string): Promise<void> {
+    this.store.delete(key);
+  }
+  async exists(key: string): Promise<boolean> {
+    return this.store.has(key);
+  }
+  async list(prefix?: string): Promise<string[]> {
+    const keys = Array.from(this.store.keys());
+    if (prefix) {
+      return keys.filter(k => k.startsWith(prefix));
+    }
+    return keys;
+  }
+}
+/**
+ * In-memory nonce cache provider
+ */
+export class MemoryNonceCacheProvider extends NonceCacheProvider {
+  private nonces: Map<string, number> = new Map();
+  async has(nonce: string, agentDid?: string): Promise<boolean> {
+    const key = agentDid ? `nonce:${agentDid}:${nonce}` : `nonce:${nonce}`;
+    const expiry = this.nonces.get(key);
+    if (!expiry) return false;
+    if (Date.now() > expiry) {
+      this.nonces.delete(key);
+      return false;
+    }
+    return true;
+  }
+  async add(nonce: string, ttlSeconds: number, agentDid?: string): Promise<void> {
+    const key = agentDid ? `nonce:${agentDid}:${nonce}` : `nonce:${nonce}`;
+    // Convert TTL seconds to absolute expiration timestamp for storage
+    const expiresAt = Date.now() + (ttlSeconds * 1000);
+    this.nonces.set(key, expiresAt);
+  }
+  async cleanup(): Promise<void> {
+    const now = Date.now();
+    for (const [nonce, expiry] of this.nonces) {
+      if (now > expiry) {
+        this.nonces.delete(nonce);
+      }
+    }
+  }
+  async destroy(): Promise<void> {
+    this.nonces.clear();
+  }
+}
+/**
+ * In-memory identity provider
+ */
+export class MemoryIdentityProvider extends IdentityProvider {
+  private identity?: AgentIdentity;
+  private cryptoProvider: any;
+  constructor(cryptoProvider?: any) {
+    super();
+    this.cryptoProvider = cryptoProvider;
+  }
+  async getIdentity(): Promise<AgentIdentity> {
+    if (!this.identity) {
+      this.identity = await this.generateIdentity();
+    }
+    return this.identity;
+  }
+  async saveIdentity(identity: AgentIdentity): Promise<void> {
+    this.identity = identity;
+  }
+  async rotateKeys(): Promise<AgentIdentity> {
+    this.identity = await this.generateIdentity();
+    return this.identity;
+  }
+  async deleteIdentity(): Promise<void> {
+    this.identity = undefined;
+  }
+  private async generateIdentity(): Promise<AgentIdentity> {
+    if (!this.cryptoProvider) {
+      throw new Error('Crypto provider required for identity generation');
+    }
+    const keyPair = await this.cryptoProvider.generateKeyPair();
+    const did = this.generateDIDFromPublicKey(keyPair.publicKey);
+    return {
+      did,
+      kid: `${did}#key-1`,
+      privateKey: keyPair.privateKey,
+      publicKey: keyPair.publicKey,
+      createdAt: new Date().toISOString(),
+      type: 'development'
+    };
+  }
+  private generateDIDFromPublicKey(publicKey: string): string {
+    // Simplified DID generation
+    const keyHash = Buffer.from(publicKey, 'base64')
+      .toString('base64url')
+      .substring(0, 32);
+    return `did:key:z${keyHash}`;
+  }
+}

package/src/runtime/audit-logger.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Audit Logger Interface
+ *
+ * Platform-agnostic interface for audit logging in the MCP-I framework.
+ * Implementations should be provided by platform-specific packages.
+ */
+import type { AuditContext, AuditEventContext } from "@kya-os/contracts/audit";
+/**
+ * Interface for audit logging implementations
+ *
+ * This interface is platform-agnostic and can be implemented by:
+ * - Node.js implementations (using Node.js crypto)
+ * - Cloudflare Workers implementations (using Web Crypto API)
+ * - Other platform-specific implementations
+ */
+export interface IAuditLogger {
+  /**
+   * Log an audit record (with session deduplication)
+   *
+   * This method logs audit records using the frozen audit.v1 format.
+   * Only the first call per session is logged (deduplication).
+   *
+   * @param context - Audit context with identity, session, hashes, and verification status
+   */
+  logAuditRecord(context: AuditContext): Promise<void>;
+  /**
+   * Log an event (without session deduplication)
+   *
+   * This method logs events using the frozen audit.v1 format.
+   * Unlike logAuditRecord(), this always logs the event, allowing
+   * multiple events per session (e.g., consent events).
+   *
+   * @param context - Event context with eventType, identity, session, and optional eventData
+   */
+  logEvent(context: AuditEventContext): Promise<void>;
+}