@kya-os/mcp-i-core 1.3.10-canary.clientinfo.20251126124133 → 1.3.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/settings.local.json +9 -0
- package/.turbo/turbo-build.log +1 -1
- package/.turbo/turbo-test$colon$coverage.log +3419 -3072
- package/.turbo/turbo-test.log +1805 -1680
- package/coverage/coverage-final.json +59 -56
- package/dist/config/remote-config.d.ts +51 -0
- package/dist/config/remote-config.d.ts.map +1 -1
- package/dist/config/remote-config.js +74 -0
- package/dist/config/remote-config.js.map +1 -1
- package/dist/config.d.ts +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +4 -1
- package/dist/config.js.map +1 -1
- package/dist/delegation/did-key-resolver.d.ts +64 -0
- package/dist/delegation/did-key-resolver.d.ts.map +1 -0
- package/dist/delegation/did-key-resolver.js +159 -0
- package/dist/delegation/did-key-resolver.js.map +1 -0
- package/dist/delegation/utils.d.ts +76 -0
- package/dist/delegation/utils.d.ts.map +1 -1
- package/dist/delegation/utils.js +117 -0
- package/dist/delegation/utils.js.map +1 -1
- package/dist/identity/idp-token-resolver.d.ts +17 -1
- package/dist/identity/idp-token-resolver.d.ts.map +1 -1
- package/dist/identity/idp-token-resolver.js +34 -6
- package/dist/identity/idp-token-resolver.js.map +1 -1
- package/dist/identity/idp-token-storage.interface.d.ts +38 -7
- package/dist/identity/idp-token-storage.interface.d.ts.map +1 -1
- package/dist/identity/idp-token-storage.interface.js +2 -0
- package/dist/identity/idp-token-storage.interface.js.map +1 -1
- package/dist/identity/user-did-manager.d.ts +95 -12
- package/dist/identity/user-did-manager.d.ts.map +1 -1
- package/dist/identity/user-did-manager.js +107 -25
- package/dist/identity/user-did-manager.js.map +1 -1
- package/dist/index.d.ts +6 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +24 -2
- package/dist/index.js.map +1 -1
- package/dist/runtime/base.d.ts +25 -8
- package/dist/runtime/base.d.ts.map +1 -1
- package/dist/runtime/base.js +74 -21
- package/dist/runtime/base.js.map +1 -1
- package/dist/services/session-registration.service.d.ts.map +1 -1
- package/dist/services/session-registration.service.js +10 -90
- package/dist/services/session-registration.service.js.map +1 -1
- package/dist/services/tool-context-builder.d.ts +18 -1
- package/dist/services/tool-context-builder.d.ts.map +1 -1
- package/dist/services/tool-context-builder.js +63 -10
- package/dist/services/tool-context-builder.js.map +1 -1
- package/dist/services/tool-protection.service.d.ts +6 -3
- package/dist/services/tool-protection.service.d.ts.map +1 -1
- package/dist/services/tool-protection.service.js +89 -34
- package/dist/services/tool-protection.service.js.map +1 -1
- package/dist/utils/base58.d.ts +31 -0
- package/dist/utils/base58.d.ts.map +1 -0
- package/dist/utils/base58.js +103 -0
- package/dist/utils/base58.js.map +1 -0
- package/dist/utils/did-helpers.d.ts +33 -0
- package/dist/utils/did-helpers.d.ts.map +1 -1
- package/dist/utils/did-helpers.js +53 -0
- package/dist/utils/did-helpers.js.map +1 -1
- package/package.json +3 -3
- package/src/__tests__/identity/user-did-manager.test.ts +64 -45
- package/src/__tests__/integration/full-flow.test.ts +23 -10
- package/src/__tests__/runtime/base-extensions.test.ts +23 -21
- package/src/__tests__/runtime/proof-client-did.test.ts +19 -18
- package/src/__tests__/services/agentshield-integration.test.ts +10 -3
- package/src/__tests__/services/tool-protection-merged-config.test.ts +485 -0
- package/src/__tests__/services/tool-protection.service.test.ts +18 -11
- package/src/config/__tests__/merged-config.spec.ts +445 -0
- package/src/config/remote-config.ts +90 -0
- package/src/config.ts +3 -0
- package/src/delegation/__tests__/did-key-resolver.test.ts +265 -0
- package/src/delegation/__tests__/vc-issuer.test.ts +1 -1
- package/src/delegation/did-key-resolver.ts +179 -0
- package/src/delegation/utils.ts +179 -0
- package/src/identity/idp-token-resolver.ts +41 -7
- package/src/identity/idp-token-storage.interface.ts +42 -7
- package/src/identity/user-did-manager.ts +185 -29
- package/src/index.ts +42 -3
- package/src/runtime/base.ts +84 -21
- package/src/services/session-registration.service.ts +26 -121
- package/src/services/tool-context-builder.ts +75 -10
- package/src/services/tool-protection.service.ts +176 -88
- package/src/utils/__tests__/did-helpers.test.ts +55 -0
- package/src/utils/base58.ts +109 -0
- package/src/utils/did-helpers.ts +60 -0
- package/dist/__tests__/utils/mock-providers.d.ts +0 -103
- package/dist/__tests__/utils/mock-providers.d.ts.map +0 -1
- package/dist/__tests__/utils/mock-providers.js +0 -293
- package/dist/__tests__/utils/mock-providers.js.map +0 -1
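--- a/package/dist/delegation/utils.js
+++ b/package/dist/delegation/utils.js
@@ -7,6 +7,10 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.canonicalizeJSON = canonicalizeJSON;
+exports.createUnsignedVCJWT = createUnsignedVCJWT;
+exports.completeVCJWT = completeVCJWT;
+exports.parseVCJWT = parseVCJWT;
+const base64_1 = require("../utils/base64");
 /**
  * JSON canonicalization (RFC 8785)
  *
@@ -45,4 +49,117 @@ function canonicalizeJSON(obj) {
     }
     throw new Error(`Cannot canonicalize type: ${typeof obj}`);
 }
+/**
+ * Create unsigned JWT parts (header + payload) for a VC
+ *
+ * Prepares the VC for signing by extracting standard claims and
+ * encoding the header and payload as base64url strings.
+ *
+ * @param vc - The Verifiable Credential (without proof)
+ * @param options - Encoding options
+ * @returns Object with encoded parts and signing input
+ */
+function createUnsignedVCJWT(vc, options = {}) {
+    // Create JWT header
+    const header = {
+        alg: 'EdDSA',
+        typ: 'JWT',
+    };
+    if (options.keyId) {
+        header.kid = options.keyId;
+    }
+    // Extract standard claims from VC
+    const issuer = typeof vc.issuer === 'string' ? vc.issuer : vc.issuer?.id;
+    const subject = vc.credentialSubject?.id;
+    // Parse dates to Unix timestamps
+    let exp;
+    let iat;
+    if (vc.expirationDate && typeof vc.expirationDate === 'string') {
+        exp = Math.floor(new Date(vc.expirationDate).getTime() / 1000);
+    }
+    if (vc.issuanceDate && typeof vc.issuanceDate === 'string') {
+        iat = Math.floor(new Date(vc.issuanceDate).getTime() / 1000);
+    }
+    // Remove proof from VC for JWT payload (signature is in JWT itself)
+    const vcWithoutProof = { ...vc };
+    delete vcWithoutProof.proof;
+    // Build JWT payload
+    const payload = {
+        iss: issuer,
+        vc: vcWithoutProof,
+    };
+    if (subject)
+        payload.sub = subject;
+    if (exp)
+        payload.exp = exp;
+    if (iat)
+        payload.iat = iat;
+    if (vc.id && typeof vc.id === 'string')
+        payload.jti = vc.id;
+    // Encode header and payload
+    const encodedHeader = (0, base64_1.base64urlEncodeFromString)(JSON.stringify(header));
+    const encodedPayload = (0, base64_1.base64urlEncodeFromString)(JSON.stringify(payload));
+    const signingInput = `${encodedHeader}.${encodedPayload}`;
+    return {
+        header,
+        payload,
+        encodedHeader,
+        encodedPayload,
+        signingInput,
+    };
+}
+/**
+ * Complete a JWT with a signature
+ *
+ * Takes the signing input and a base64url-encoded signature to create the final JWT.
+ *
+ * @param signingInput - The header.payload string that was signed
+ * @param signature - Base64url-encoded signature
+ * @returns Complete JWT string (header.payload.signature)
+ */
+function completeVCJWT(signingInput, signature) {
+    return `${signingInput}.${signature}`;
+}
+/**
+ * Parse a VC-JWT and extract the VC
+ *
+ * Does NOT verify the signature - use with a verification function.
+ *
+ * @param jwt - The JWT string
+ * @returns Parsed JWT parts
+ */
+function parseVCJWT(jwt) {
+    const parts = jwt.split('.');
+    if (parts.length !== 3) {
+        return null;
+    }
+    try {
+        // Decode header and payload
+        const headerJson = base64urlDecodeToString(parts[0]);
+        const payloadJson = base64urlDecodeToString(parts[1]);
+        const header = JSON.parse(headerJson);
+        const payload = JSON.parse(payloadJson);
+        return {
+            header,
+            payload,
+            signature: parts[2],
+            signingInput: `${parts[0]}.${parts[1]}`,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Decode base64url string to string (internal helper)
+ */
+function base64urlDecodeToString(input) {
+    // Add padding if needed
+    const padded = input + '='.repeat((4 - input.length % 4) % 4);
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    if (typeof atob !== 'undefined') {
+        return atob(base64);
+    }
+    return Buffer.from(base64, 'base64').toString('utf-8');
+}
 //# sourceMappingURL=utils.js.map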
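Review bot: In createUnsignedVCJWT (new lines 77-82 and 93-96) an unparseable expirationDate or issuanceDate makes getTime() return NaN, and the `if (exp)` / `if (iat)` guards then silently omit the claim, so a credential with a malformed expiry is issued as a JWT that carries no exp at all. Fail closed instead: `const t = new Date(vc.expirationDate).getTime(); if (Number.isNaN(t)) throw new Error('Invalid expirationDate'); exp = Math.floor(t / 1000);` (likewise for iat); since dist/ is compiled output the change belongs in src/delegation/utils.ts, which is also in this diff. A second point, in base64urlDecodeToString (new lines 160-163): the atob() branch returns a Latin-1 string while the Buffer branch decodes UTF-8, so a payload containing non-ASCII characters parses differently per runtime; passing the atob output through `new TextDecoder().decode(Uint8Array.from(atob(base64), (c) => c.charCodeAt(0)))` makes both paths agree. parseVCJWT already says it does not verify; its docstring should also state that the caller must check `header.alg === 'EdDSA'` before trusting the decoded payload, since the parser accepts any alg value.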
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/delegation/utils.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;
|
|
1
|
+
{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/delegation/utils.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAeH,4CAuBC;AAkDD,kDA6DC;AAWD,sCAEC;AAUD,gCA4BC;AAtMD,4CAA4D;AAE5D;;;;;;;;;;GAUG;AACH,SAAgB,gBAAgB,CAAC,GAAQ;IACvC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,OAAO,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACpD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3D,OAAO,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAC7B,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,KAAK,CAAC;QAC3C,CAAC,CAAC,CAAC;QACH,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACrC,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,GAAG,EAAE,CAAC,CAAC;AAC7D,CAAC;AAwCD;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CACjC,EAA2B,EAC3B,UAAgC,EAAE;IAQlC,oBAAoB;IACpB,MAAM,MAAM,GAAgB;QAC1B,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IACF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC;IAC7B,CAAC;IAED,kCAAkC;IAClC,MAAM,MAAM,GAAG,OAAO,EAAE,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAE,EAAE,CAAC,MAAkC,EAAE,EAAY,CAAC;IAChH,MAAM,OAAO,GAAI,EAAE,CAAC,iBAA6C,EAAE,EAAwB,CAAC;IAE5F,iCAAiC;IACjC,IAAI,GAAuB,CAAC;IAC5B,IAAI,GAAuB,CAAC;IAE5B,IAAI,EAAE,CAAC,cAAc,IAAI,OAAO,EAAE,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC/D,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACjE,CAAC;IAC
D,IAAI,EAAE,CAAC,YAAY,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QAC3D,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED,oEAAoE;IACpE,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;IACjC,OAAO,cAAc,CAAC,KAAK,CAAC;IAE5B,oBAAoB;IACpB,MAAM,OAAO,GAAiB;QAC5B,GAAG,EAAE,MAAM;QACX,EAAE,EAAE,cAAc;KACnB,CAAC;IAEF,IAAI,OAAO;QAAE,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC;IACnC,IAAI,GAAG;QAAE,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC;IAC3B,IAAI,GAAG;QAAE,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC;IAC3B,IAAI,EAAE,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,EAAE,KAAK,QAAQ;QAAE,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC;IAE5D,4BAA4B;IAC5B,MAAM,aAAa,GAAG,IAAA,kCAAyB,EAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,IAAA,kCAAyB,EAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,MAAM,YAAY,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE1D,OAAO;QACL,MAAM;QACN,OAAO;QACP,aAAa;QACb,cAAc;QACd,YAAY;KACb,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,aAAa,CAAC,YAAoB,EAAE,SAAiB;IACnE,OAAO,GAAG,YAAY,IAAI,SAAS,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,UAAU,CAAC,GAAW;IAMpC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,4BAA4B;QAC5B,MAAM,UAAU,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAgB,CAAC;QACrD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAiB,CAAC;QAExD,OAAO;YACL,MAAM;YACN,OAAO;YACP,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;YACnB,YAAY,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE;SACxC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,KAAa;IAC5C,wBAAwB;IACxB,MAAM,MAAM,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAE5D,IAAI,OAAO,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO
,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC"}
|
|
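--- a/package/dist/identity/idp-token-resolver.d.ts
+++ b/package/dist/identity/idp-token-resolver.d.ts
@@ -4,10 +4,13 @@
  * Resolves User DID to IDP access token (MH-7 requirement).
  * Handles token lookup, expiration checking, and automatic refresh.
  *
+ * Updated for CRED-003: Returns full token data including usage metadata
+ * to support credential providers with custom token usage patterns.
+ *
  * @package @kya-os/mcp-i-core
  */
 import type { IdpTokens } from "@kya-os/contracts/config";
-import type { IIdpTokenStorage } from "./idp-token-storage.interface.js";
+import type { IIdpTokenStorage, IdpTokensWithMetadata } from "./idp-token-storage.interface.js";
 export interface IdpTokenResolverConfig {
     /** Token storage implementation */
     tokenStorage: IIdpTokenStorage;
@@ -49,5 +52,18 @@ export declare class IdpTokenResolver {
      * @returns Access token or null if not found/expired
      */
     resolveTokenFromDid(userDid: string, provider: string, scopes: string[]): Promise<string | null>;
+    /**
+     * Resolve User DID to full IDP token data (CRED-003)
+     *
+     * Returns the full token data including usage metadata for credential providers.
+     * This allows ToolContextBuilder to construct appropriate headers based on
+     * tokenUsage (cookie/bearer/header) and cookieFormat.
+     *
+     * @param userDid - User DID to resolve
+     * @param provider - OAuth provider name or credential provider
+     * @param scopes - Required scopes for token
+     * @returns Full token data with metadata or null if not found/expired
+     */
+    resolveTokenDataFromDid(userDid: string, provider: string, scopes: string[]): Promise<IdpTokensWithMetadata | null>;
 }
 //# sourceMappingURL=idp-token-resolver.d.ts.map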
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"idp-token-resolver.d.ts","sourceRoot":"","sources":["../../src/identity/idp-token-resolver.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"idp-token-resolver.d.ts","sourceRoot":"","sources":["../../src/identity/idp-token-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AAEhG,MAAM,WAAW,sBAAsB;IACrC,mCAAmC;IACnC,YAAY,EAAE,gBAAgB,CAAC;IAE/B,sCAAsC;IACtC,YAAY,EAAE;QACZ,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;KACjF,CAAC;IAEF,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;;;;GASG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,sBAAsB;IAQ1C;;;;;;;;;;;;;;;;OAgBG;IACG,mBAAmB,CACvB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKzB;;;;;;;;;;;OAWG;IACG,uBAAuB,CAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;CAsFzC"}
|
|
@@ -5,6 +5,9 @@
|
|
|
5
5
|
* Resolves User DID to IDP access token (MH-7 requirement).
|
|
6
6
|
* Handles token lookup, expiration checking, and automatic refresh.
|
|
7
7
|
*
|
|
8
|
+
* Updated for CRED-003: Returns full token data including usage metadata
|
|
9
|
+
* to support credential providers with custom token usage patterns.
|
|
10
|
+
*
|
|
8
11
|
* @package @kya-os/mcp-i-core
|
|
9
12
|
*/
|
|
10
13
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
@@ -46,6 +49,22 @@ class IdpTokenResolver {
|
|
|
46
49
|
* @returns Access token or null if not found/expired
|
|
47
50
|
*/
|
|
48
51
|
async resolveTokenFromDid(userDid, provider, scopes) {
|
|
52
|
+
const tokenData = await this.resolveTokenDataFromDid(userDid, provider, scopes);
|
|
53
|
+
return tokenData?.access_token ?? null;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Resolve User DID to full IDP token data (CRED-003)
|
|
57
|
+
*
|
|
58
|
+
* Returns the full token data including usage metadata for credential providers.
|
|
59
|
+
* This allows ToolContextBuilder to construct appropriate headers based on
|
|
60
|
+
* tokenUsage (cookie/bearer/header) and cookieFormat.
|
|
61
|
+
*
|
|
62
|
+
* @param userDid - User DID to resolve
|
|
63
|
+
* @param provider - OAuth provider name or credential provider
|
|
64
|
+
* @param scopes - Required scopes for token
|
|
65
|
+
* @returns Full token data with metadata or null if not found/expired
|
|
66
|
+
*/
|
|
67
|
+
async resolveTokenDataFromDid(userDid, provider, scopes) {
|
|
49
68
|
// 1. Look up token from storage
|
|
50
69
|
const storedToken = await this.config.tokenStorage.getToken(userDid, provider, scopes);
|
|
51
70
|
if (!storedToken) {
|
|
@@ -66,18 +85,26 @@ class IdpTokenResolver {
|
|
|
66
85
|
hasRefreshToken: !!storedToken.refresh_token,
|
|
67
86
|
});
|
|
68
87
|
// 3. Refresh if refresh_token available
|
|
88
|
+
// Note: Credential tokens don't support refresh - they require re-authentication
|
|
69
89
|
if (storedToken.refresh_token) {
|
|
70
90
|
const refreshed = await this.config.oauthService.refreshToken(provider, storedToken.refresh_token);
|
|
71
91
|
if (refreshed) {
|
|
72
|
-
// 4. Update storage with new tokens
|
|
73
|
-
|
|
92
|
+
// 4. Update storage with new tokens, preserving usage metadata
|
|
93
|
+
const refreshedWithMetadata = {
|
|
94
|
+
...refreshed,
|
|
95
|
+
tokenUsage: storedToken.tokenUsage,
|
|
96
|
+
tokenHeader: storedToken.tokenHeader,
|
|
97
|
+
cookieFormat: storedToken.cookieFormat,
|
|
98
|
+
apiHeaders: storedToken.apiHeaders,
|
|
99
|
+
};
|
|
100
|
+
await this.config.tokenStorage.storeToken(userDid, provider, scopes, refreshedWithMetadata);
|
|
74
101
|
this.config.logger("[IdpTokenResolver] Token refreshed successfully", {
|
|
75
102
|
userDid: userDid.substring(0, 20) + "...",
|
|
76
103
|
provider,
|
|
77
104
|
expiresAt: new Date(refreshed.expires_at).toISOString(),
|
|
78
105
|
});
|
|
79
|
-
// 5. Return new
|
|
80
|
-
return
|
|
106
|
+
// 5. Return new token data
|
|
107
|
+
return refreshedWithMetadata;
|
|
81
108
|
}
|
|
82
109
|
else {
|
|
83
110
|
this.config.logger("[IdpTokenResolver] Token refresh failed", {
|
|
@@ -95,13 +122,14 @@ class IdpTokenResolver {
|
|
|
95
122
|
return null;
|
|
96
123
|
}
|
|
97
124
|
}
|
|
98
|
-
// 4. Return valid
|
|
125
|
+
// 4. Return valid token data
|
|
99
126
|
this.config.logger("[IdpTokenResolver] Token resolved successfully", {
|
|
100
127
|
userDid: userDid.substring(0, 20) + "...",
|
|
101
128
|
provider,
|
|
102
129
|
expiresAt: new Date(storedToken.expires_at).toISOString(),
|
|
130
|
+
tokenUsage: storedToken.tokenUsage,
|
|
103
131
|
});
|
|
104
|
-
return storedToken
|
|
132
|
+
return storedToken;
|
|
105
133
|
}
|
|
106
134
|
}
|
|
107
135
|
exports.IdpTokenResolver = IdpTokenResolver;
|
|
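Review bot: The comment added at new line 88 ("Credential tokens don't support refresh - they require re-authentication") states a rule the code below it does not enforce: the branch keys only on `storedToken.refresh_token`, so any stored record that carries a refresh_token, credential-derived or not, is sent to `oauthService.refreshToken(provider, ...)`. If the invariant is that credential records are never stored with a refresh_token, make the comment say what it relies on, e.g. `// Credential tokens are stored without refresh_token, so an expired one falls through to the no-refresh branch below and requires re-authentication`; if the storage layer does not guarantee that, the branch needs a guard rather than a comment. That a credential record is recognisable by its tokenUsage/cookieFormat metadata is inferred from the fields copied at new lines 95-98 and should be confirmed against the storage implementations. resolveTokenDataFromDid starts in the previous hunk and its remaining branches continue past this one.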
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"idp-token-resolver.js","sourceRoot":"","sources":["../../src/identity/idp-token-resolver.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"idp-token-resolver.js","sourceRoot":"","sources":["../../src/identity/idp-token-resolver.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAkBH;;;;;;;;;GASG;AACH,MAAa,gBAAgB;IACnB,MAAM,CAEZ;IAEF,YAAY,MAA8B;QACxC,IAAI,CAAC,MAAM,GAAG;YACZ,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,mBAAmB,CACvB,OAAe,EACf,QAAgB,EAChB,MAAgB;QAEhB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAChF,OAAO,SAAS,EAAE,YAAY,IAAI,IAAI,CAAC;IACzC,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,uBAAuB,CAC3B,OAAe,EACf,QAAgB,EAChB,MAAgB;QAEhB,gCAAgC;QAChC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CACzD,OAAO,EACP,QAAQ,EACR,MAAM,CACP,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE;gBACvD,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,MAAM;aACP,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,sBAAsB;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,WAAW,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sDAAsD,EAAE;gBACzE,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;gBACzD,eAAe,EAAE,CAAC,CAAC,WAAW,CAAC,aAAa;aAC7C,CAAC,CAAC;YAEH,wCAAwC;YACxC,iFAAiF;YACjF,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC9B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,YAAY,CAC3D,QAAQ,EACR,WAAW,CAAC,aAAa,CAC1B,CAAC;gBAEF,IAAI,SAAS,EAAE,CAAC;oBACd,+DAA+D;oBAC/D,MAAM,qBAAqB,GAA0B;wBACnD,GAAG,SAAS;wBACZ,UAAU,EAAE,WAAW,CAAC,UAAU;wBAClC,WAAW,EAAE,WAAW,CAAC,WAAW;wBACpC,YAAY,EAAE,WAAW,CAAC,YAAY;wBACtC,UAAU,EAAE,WAAW,CAAC,UAAU;qBACnC,CAAC;oBAEF,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,CACvC,OAAO,EACP,QAAQ,EACR,MAAM,EACN,qBAAqB,CACtB,CAAC;oBAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,iDAAiD,EAAE;wBACpE,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;wBACzC,QAAQ;wBACR,SAAS
,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;qBACxD,CAAC,CAAC;oBAEH,2BAA2B;oBAC3B,OAAO,qBAAqB,CAAC;gBAC/B,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,yCAAyC,EAAE;wBAC5D,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;wBACzC,QAAQ;qBACT,CAAC,CAAC;oBACH,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,uDAAuD,EAAE;oBAC1E,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;oBACzC,QAAQ;iBACT,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,gDAAgD,EAAE;YACnE,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;YACzC,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;YACzD,UAAU,EAAE,WAAW,CAAC,UAAU;SACnC,CAAC,CAAC;QAEH,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AA7ID,4CA6IC"}
|
|
@@ -5,9 +5,40 @@
|
|
|
5
5
|
* Platform-specific implementations (Cloudflare KV, Node.js database, etc.)
|
|
6
6
|
* implement this interface.
|
|
7
7
|
*
|
|
8
|
+
* Supports both OAuth tokens and credential-based session tokens (CRED-003).
|
|
9
|
+
*
|
|
8
10
|
* @package @kya-os/mcp-i-core
|
|
9
11
|
*/
|
|
10
12
|
import type { IdpTokens } from "@kya-os/contracts/config";
|
|
13
|
+
/**
|
|
14
|
+
* Token usage metadata for credential providers (CRED-003)
|
|
15
|
+
*
|
|
16
|
+
* Specifies how the token should be used in subsequent API calls.
|
|
17
|
+
*/
|
|
18
|
+
export interface TokenUsageMetadata {
|
|
19
|
+
/**
|
|
20
|
+
* How to use the token in requests
|
|
21
|
+
* - "cookie": Send as Cookie header
|
|
22
|
+
* - "bearer": Send as Authorization: Bearer xxx
|
|
23
|
+
* - "header": Send as custom header (specify tokenHeader)
|
|
24
|
+
*/
|
|
25
|
+
tokenUsage?: "cookie" | "bearer" | "header";
|
|
26
|
+
/** Custom header name when tokenUsage is "header" */
|
|
27
|
+
tokenHeader?: string;
|
|
28
|
+
/**
|
|
29
|
+
* Cookie format template when tokenUsage is "cookie"
|
|
30
|
+
* Use {{token}} placeholder for the token value
|
|
31
|
+
* @example "CIX={{token}}; customerCookie={{token}}"
|
|
32
|
+
*/
|
|
33
|
+
cookieFormat?: string;
|
|
34
|
+
/** Additional headers to include in API calls */
|
|
35
|
+
apiHeaders?: Record<string, string>;
|
|
36
|
+
}
|
|
37
|
+
/**
|
|
38
|
+
* Extended IdpTokens with usage metadata (CRED-003)
|
|
39
|
+
*/
|
|
40
|
+
export interface IdpTokensWithMetadata extends IdpTokens, TokenUsageMetadata {
|
|
41
|
+
}
|
|
11
42
|
/**
|
|
12
43
|
* Interface for IDP token storage
|
|
13
44
|
*/
|
|
@@ -16,25 +47,25 @@ export interface IIdpTokenStorage {
|
|
|
16
47
|
* Store IDP tokens
|
|
17
48
|
*
|
|
18
49
|
* @param userDid - User DID to associate tokens with
|
|
19
|
-
* @param provider - OAuth provider name
|
|
50
|
+
* @param provider - OAuth provider name or credential provider
|
|
20
51
|
* @param scopes - Scopes granted for these tokens
|
|
21
|
-
* @param tokens - IDP tokens to store
|
|
52
|
+
* @param tokens - IDP tokens to store (may include usage metadata for credentials)
|
|
22
53
|
*/
|
|
23
|
-
storeToken(userDid: string, provider: string, scopes: string[], tokens: IdpTokens): Promise<void>;
|
|
54
|
+
storeToken(userDid: string, provider: string, scopes: string[], tokens: IdpTokens | IdpTokensWithMetadata): Promise<void>;
|
|
24
55
|
/**
|
|
25
56
|
* Retrieve IDP tokens
|
|
26
57
|
*
|
|
27
58
|
* @param userDid - User DID to retrieve tokens for
|
|
28
|
-
* @param provider - OAuth provider name
|
|
59
|
+
* @param provider - OAuth provider name or credential provider
|
|
29
60
|
* @param scopes - Scopes to retrieve tokens for
|
|
30
|
-
* @returns IDP tokens or null if not found
|
|
61
|
+
* @returns IDP tokens with optional usage metadata or null if not found
|
|
31
62
|
*/
|
|
32
|
-
getToken(userDid: string, provider: string, scopes: string[]): Promise<
|
|
63
|
+
getToken(userDid: string, provider: string, scopes: string[]): Promise<IdpTokensWithMetadata | null>;
|
|
33
64
|
/**
|
|
34
65
|
* Delete IDP tokens
|
|
35
66
|
*
|
|
36
67
|
* @param userDid - User DID
|
|
37
|
-
* @param provider - OAuth provider name
|
|
68
|
+
* @param provider - OAuth provider name or credential provider
|
|
38
69
|
* @param scopes - Scopes
|
|
39
70
|
*/
|
|
40
71
|
deleteToken(userDid: string, provider: string, scopes: string[]): Promise<void>;
|
|
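Review bot: TokenUsageMetadata (new lines 18-36) documents how each field is used but not who is trusted to set it: per the resolver docs elsewhere in this diff, cookieFormat and apiHeaders are turned into outbound request headers, so a storage backend that let a client-supplied value reach these fields would hand that client control of the Cookie and custom headers sent on its behalf. I would add to the interface docstring: `Values in TokenUsageMetadata are trusted provider configuration; implementations must populate them from the provider definition, never from request input.` Whether the consumer validates header names and values, and whether the `{{token}}` substitution in cookieFormat encodes the token value, is not visible in this file; the cookieFormat docstring should state it either way, since a raw token containing `;` would alter the cookie string.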
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"idp-token-storage.interface.d.ts","sourceRoot":"","sources":["../../src/identity/idp-token-storage.interface.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"idp-token-storage.interface.d.ts","sourceRoot":"","sources":["../../src/identity/idp-token-storage.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAE1D;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAE5C,qDAAqD;IACrD,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,iDAAiD;IACjD,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,SAAS,EAAE,kBAAkB;CAAG;AAE/E;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;;;;OAOG;IACH,UAAU,CACR,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,SAAS,GAAG,qBAAqB,GACxC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;;;;OAOG;IACH,QAAQ,CACN,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAAC;IAEzC;;;;;;OAMG;IACH,WAAW,CACT,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB"}
|
|
@@ -6,6 +6,8 @@
|
|
|
6
6
|
* Platform-specific implementations (Cloudflare KV, Node.js database, etc.)
|
|
7
7
|
* implement this interface.
|
|
8
8
|
*
|
|
9
|
+
* Supports both OAuth tokens and credential-based session tokens (CRED-003).
|
|
10
|
+
*
|
|
9
11
|
* @package @kya-os/mcp-i-core
|
|
10
12
|
*/
|
|
11
13
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"idp-token-storage.interface.js","sourceRoot":"","sources":["../../src/identity/idp-token-storage.interface.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"idp-token-storage.interface.js","sourceRoot":"","sources":["../../src/identity/idp-token-storage.interface.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG"}
|
|
@@ -1,11 +1,17 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* User DID Manager
|
|
3
3
|
*
|
|
4
|
-
*
|
|
5
|
-
* Generates did:key DIDs for users when they join a chat session.
|
|
4
|
+
* Manages user DIDs for MCP-I sessions.
|
|
6
5
|
*
|
|
7
|
-
*
|
|
8
|
-
*
|
|
6
|
+
* Phase 5: Anonymous Sessions Until OAuth
|
|
7
|
+
* - Sessions start anonymous (no userDid) until OAuth completes
|
|
8
|
+
* - User DIDs are resolved via AgentShield identity/resolve after OAuth
|
|
9
|
+
* - Eliminates DID fragmentation (same user = same DID across sessions)
|
|
10
|
+
*
|
|
11
|
+
* DID Resolution Priority:
|
|
12
|
+
* 1. OAuth mapping lookup (persistent)
|
|
13
|
+
* 2. Session storage lookup
|
|
14
|
+
* 3. Return null (session stays anonymous)
|
|
9
15
|
*/
|
|
10
16
|
import { CryptoProvider } from '../providers/base';
|
|
11
17
|
/**
|
|
@@ -29,6 +35,31 @@ export interface OAuthIdentity {
|
|
|
29
35
|
*/
|
|
30
36
|
name?: string;
|
|
31
37
|
}
|
|
38
|
+
/**
|
|
39
|
+
* User key pair for signing VCs
|
|
40
|
+
*
|
|
41
|
+
* Contains both public and private keys in base64 format.
|
|
42
|
+
* SECURITY: Private keys should be encrypted at rest.
|
|
43
|
+
*/
|
|
44
|
+
export interface UserKeyPair {
|
|
45
|
+
/**
|
|
46
|
+
* User DID (did:key format)
|
|
47
|
+
*/
|
|
48
|
+
did: string;
|
|
49
|
+
/**
|
|
50
|
+
* Public key in base64 format
|
|
51
|
+
*/
|
|
52
|
+
publicKey: string;
|
|
53
|
+
/**
|
|
54
|
+
* Private key in base64 format
|
|
55
|
+
* SECURITY: Should be encrypted at rest in production
|
|
56
|
+
*/
|
|
57
|
+
privateKey: string;
|
|
58
|
+
/**
|
|
59
|
+
* Key ID (for JWS header)
|
|
60
|
+
*/
|
|
61
|
+
keyId: string;
|
|
62
|
+
}
|
|
32
63
|
/**
|
|
33
64
|
* User DID storage interface
|
|
34
65
|
*/
|
|
@@ -55,6 +86,26 @@ export interface UserDidStorage {
|
|
|
55
86
|
* If not implemented, OAuth-based storage will be skipped
|
|
56
87
|
*/
|
|
57
88
|
setByOAuth?(provider: string, subject: string, did: string, ttl?: number): Promise<void>;
|
|
89
|
+
/**
|
|
90
|
+
* Get user key pair for a session (optional - for VC signing)
|
|
91
|
+
* If not implemented, VC issuance will not be available for this session
|
|
92
|
+
*/
|
|
93
|
+
getKeyPair?(sessionId: string): Promise<UserKeyPair | null>;
|
|
94
|
+
/**
|
|
95
|
+
* Store user key pair for a session (optional - for VC signing)
|
|
96
|
+
* SECURITY: Implementation should encrypt private keys at rest
|
|
97
|
+
*/
|
|
98
|
+
setKeyPair?(sessionId: string, keyPair: UserKeyPair, ttl?: number): Promise<void>;
|
|
99
|
+
/**
|
|
100
|
+
* Get user key pair by OAuth identity (optional - for persistent key storage)
|
|
101
|
+
* If not implemented, OAuth-based key lookup will be skipped
|
|
102
|
+
*/
|
|
103
|
+
getKeyPairByOAuth?(provider: string, subject: string): Promise<UserKeyPair | null>;
|
|
104
|
+
/**
|
|
105
|
+
* Store user key pair for OAuth identity (optional - for persistent key storage)
|
|
106
|
+
* SECURITY: Implementation should encrypt private keys at rest
|
|
107
|
+
*/
|
|
108
|
+
setKeyPairByOAuth?(provider: string, subject: string, keyPair: UserKeyPair, ttl?: number): Promise<void>;
|
|
58
109
|
}
|
|
59
110
|
/**
|
|
60
111
|
* User DID Manager configuration
|
|
@@ -87,24 +138,47 @@ export interface UserDidManagerConfig {
|
|
|
87
138
|
export declare class UserDidManager {
|
|
88
139
|
private config;
|
|
89
140
|
private sessionDidCache;
|
|
141
|
+
private sessionKeyPairCache;
|
|
90
142
|
constructor(config: UserDidManagerConfig);
|
|
91
143
|
/**
|
|
92
|
-
*
|
|
144
|
+
* Get key pair for a session (for VC signing)
|
|
145
|
+
*
|
|
146
|
+
* Returns the key pair if available, null otherwise.
|
|
147
|
+
* Key pairs are stored when DIDs are generated.
|
|
148
|
+
*
|
|
149
|
+
* @param sessionId - MCP session ID
|
|
150
|
+
* @param oauthIdentity - Optional OAuth identity for persistent lookup
|
|
151
|
+
* @returns UserKeyPair or null if not available
|
|
152
|
+
*/
|
|
153
|
+
getKeyPairForSession(sessionId: string, oauthIdentity?: OAuthIdentity | null): Promise<UserKeyPair | null>;
|
|
154
|
+
/**
|
|
155
|
+
* Get user DID for a session (Phase 5: No ephemeral generation)
|
|
93
156
|
*
|
|
94
157
|
* If a user DID already exists for the session, it is returned.
|
|
95
|
-
* If OAuth identity is provided, checks for persistent user DID mapping
|
|
96
|
-
*
|
|
158
|
+
* If OAuth identity is provided, checks for persistent user DID mapping.
|
|
159
|
+
* Returns null if no DID found - session stays anonymous until OAuth completes.
|
|
97
160
|
*
|
|
98
161
|
* @param sessionId - MCP session ID
|
|
99
162
|
* @param oauthIdentity - Optional OAuth identity for persistent user DID lookup
|
|
100
|
-
* @returns User DID (did:key format)
|
|
163
|
+
* @returns User DID (did:key format) or null if session is anonymous
|
|
101
164
|
*
|
|
102
165
|
* @remarks
|
|
103
|
-
* -
|
|
104
|
-
* -
|
|
105
|
-
* -
|
|
166
|
+
* - Phase 5: Sessions start anonymous, no ephemeral DID generation
|
|
167
|
+
* - User DIDs are resolved via AgentShield after OAuth completes
|
|
168
|
+
* - Returns null if no existing DID found (instead of generating ephemeral)
|
|
106
169
|
*/
|
|
107
|
-
getOrCreateUserDid(sessionId: string, oauthIdentity?: OAuthIdentity | null): Promise<string>;
|
|
170
|
+
getOrCreateUserDid(sessionId: string, oauthIdentity?: OAuthIdentity | null): Promise<string | null>;
|
|
171
|
+
/**
|
|
172
|
+
* Set user DID for a session (Phase 5: After OAuth resolution)
|
|
173
|
+
*
|
|
174
|
+
* Called after AgentShield identity/resolve returns a persistent user DID.
|
|
175
|
+
* Caches the DID and optionally stores in session storage.
|
|
176
|
+
*
|
|
177
|
+
* @param sessionId - MCP session ID
|
|
178
|
+
* @param userDid - Persistent user DID from AgentShield
|
|
179
|
+
* @param oauthIdentity - OAuth identity for creating persistent mappings
|
|
180
|
+
*/
|
|
181
|
+
setUserDidForSession(sessionId: string, userDid: string, oauthIdentity?: OAuthIdentity | null): Promise<void>;
|
|
108
182
|
/**
|
|
109
183
|
* Generate a new ephemeral user DID
|
|
110
184
|
*
|
|
@@ -112,6 +186,15 @@ export declare class UserDidManager {
|
|
|
112
186
|
* did:web can be used if configured, but requires additional setup.
|
|
113
187
|
*/
|
|
114
188
|
private generateUserDid;
|
|
189
|
+
/**
|
|
190
|
+
* Generate a new ephemeral user DID with full key pair
|
|
191
|
+
*
|
|
192
|
+
* Returns the DID along with the key pair for VC signing.
|
|
193
|
+
* Uses did:key format by default.
|
|
194
|
+
*
|
|
195
|
+
* @returns UserKeyPair containing DID, public key, private key, and key ID
|
|
196
|
+
*/
|
|
197
|
+
private generateUserDidWithKeyPair;
|
|
115
198
|
/**
|
|
116
199
|
* Generate did:key from Ed25519 public key bytes
|
|
117
200
|
* Following spec: https://w3c-ccg.github.io/did-method-key/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"user-did-manager.d.ts","sourceRoot":"","sources":["../../src/identity/user-did-manager.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"user-did-manager.d.ts","sourceRoot":"","sources":["../../src/identity/user-did-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAE/C;;OAEG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjE;;OAEG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC;;;OAGG;IACH,UAAU,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEvE;;;OAGG;IACH,UAAU,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzF;;;OAGG;IACH,UAAU,CAAC,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAE5D;;;OAGG;IACH,UAAU,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElF;;;OAGG;IACH,iBAAiB,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAEnF;;;OAGG;IACH,iBAAiB,CAAC,CAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,WAAW,EACpB,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB;;OAEG;IACH,MAAM,EAAE,cAAc,CAAC;IAEvB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,eAAe,CAA6B;IACpD,OAAO,CAAC,mBAAmB,CAAkC;gBAEjD,MAAM,EAAE,oBAAoB;IAIxC;;;;;;;;;OASG;IACG,oBAAoB,CACxB,SAAS,EAAE,MAA
M,EACjB,aAAa,CAAC,EAAE,aAAa,GAAG,IAAI,GACnC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IA0C9B;;;;;;;;;;;;;;;OAeG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,aAAa,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA0EzG;;;;;;;;;OASG;IACG,oBAAoB,CACxB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,aAAa,CAAC,EAAE,aAAa,GAAG,IAAI,GACnC,OAAO,CAAC,IAAI,CAAC;IAgChB;;;;;OAKG;YACW,eAAe;IAK7B;;;;;;;OAOG;YACW,0BAA0B;IA4BxC;;;;;OAKG;IACH,OAAO,CAAC,2BAA2B;IAiBnC;;;OAGG;IACH,OAAO,CAAC,YAAY;IAwBpB;;OAEG;IACH,OAAO,CAAC,aAAa;IAerB;;OAEG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAkB3D;;OAEG;IACG,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAapD;;OAEG;IACH,UAAU,IAAI,IAAI;CAGnB"}
|