npm - @kya-os/mcp-i-core - Versions diffs - 1.3.12 → 1.3.14 - Mend

@kya-os/mcp-i-core 1.3.12 → 1.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.js +11 -0
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -3169
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/docs/API_REFERENCE.md DELETED Viewed

@@ -1,1362 +0,0 @@
-# API Reference
-Complete API reference for `@kya-os/mcp-i-core` package.
-## Table of Contents
-- [Installation](#installation)
-- [Core Classes](#core-classes)
-  - [DelegationIssuer](#delegationissuer)
-  - [DelegationVerifier](#delegationverifier)
-  - [DelegationGraph](#delegationgraph)
-- [StatusList2021](#statuslist2021)
-  - [StatusList2021Manager](#statuslist2021manager)
-  - [StatusList2021Storage](#statuslist2021storage)
-- [Schema Verification](#schema-verification)
-  - [SchemaVerifier](#schemaverifier)
-  - [SchemaRegistry](#schemaregistry)
-- [Types](#types)
-- [Utilities](#utilities)
-## Installation
-```bash
-npm install @kya-os/mcp-i-core
-# or
-pnpm add @kya-os/mcp-i-core
-# or
-yarn add @kya-os/mcp-i-core
-```
-## Core Classes
-### DelegationIssuer
-Issues W3C Verifiable Credentials for delegation.
-#### Constructor
-```typescript
-new DelegationIssuer(options: DelegationIssuerOptions)
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.issuerDid` | `string` | DID of the issuing agent |
-| `options.privateKeyJwk` | `JsonWebKey` | Private key in JWK format |
-| `options.statusListManager?` | `StatusList2021Manager` | Optional status list manager for revocation |
-**Example:**
-```typescript
-import { DelegationIssuer } from '@kya-os/mcp-i-core';
-const issuer = new DelegationIssuer({
-  issuerDid: 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
-  privateKeyJwk: {
-    kty: 'OKP',
-    crv: 'Ed25519',
-    d: 'base64-encoded-private-key',
-    x: 'base64-encoded-public-key',
-  },
-});
-```
-#### Methods
-##### `issue()`
-Issue a delegation credential.
-```typescript
-async issue(options: DelegationIssuanceOptions): Promise<DelegationCredential>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.subjectDid` | `string` | DID of the delegate (recipient) |
-| `options.constraints` | `DelegationConstraints` | CRISP constraints for the delegation |
-| `options.audience?` | `string` | Target audience URL |
-| `options.expirationDate?` | `string` | ISO 8601 expiration date |
-| `options.credentialStatus?` | `CredentialStatus` | StatusList2021 entry |
-| `options.parentDelegation?` | `string` | Parent delegation ID for chains |
-**Returns:** `Promise<DelegationCredential>` - The issued delegation credential
-**Example:**
-```typescript
-const delegation = await issuer.issue({
-  subjectDid: 'did:key:z6MkrWXJPkxPCuQF7RqeKZFdZqBXz3oCG7PUty5dXLKGzELj',
-  constraints: {
-    budget: {
-      maxCost: 100,
-      currency: 'USD',
-    },
-    scope: {
-      allowedTools: ['read_file', 'write_file'],
-      allowedResources: ['/documents/*'],
-    },
-    time: {
-      notBefore: new Date().toISOString(),
-      notAfter: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-    },
-  },
-  audience: 'https://api.example.com',
-});
-console.log('Delegation ID:', delegation.id);
-```
-##### `issueWithStatus()`
-Issue a delegation with automatic status list integration.
-```typescript
-async issueWithStatus(options: DelegationIssuanceOptions): Promise<DelegationCredential>
-```
-**Parameters:** Same as `issue()` but `credentialStatus` is automatically generated.
-**Returns:** `Promise<DelegationCredential>` - The issued delegation credential with status
-**Example:**
-```typescript
-const delegation = await issuer.issueWithStatus({
-  subjectDid: 'did:key:z6MkrWXJPkxPCuQF7RqeKZFdZqBXz3oCG7PUty5dXLKGzELj',
-  constraints: {
-    scope: {
-      allowedTools: ['read_file'],
-    },
-  },
-});
-// Automatically includes credentialStatus field
-console.log('Status index:', delegation.credentialStatus?.statusListIndex);
-```
----
-### DelegationVerifier
-Verifies delegation credentials.
-#### Constructor
-```typescript
-new DelegationVerifier(options?: DelegationVerifierOptions)
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.didResolver?` | `DIDResolver` | Custom DID resolver |
-| `options.statusListFetcher?` | `StatusListFetcher` | Custom status list fetcher |
-| `options.checkStatus?` | `boolean` | Enable status checking (default: true) |
-| `options.checkExpiration?` | `boolean` | Enable expiration checking (default: true) |
-**Example:**
-```typescript
-import { DelegationVerifier } from '@kya-os/mcp-i-core';
-const verifier = new DelegationVerifier({
-  checkStatus: true,
-  checkExpiration: true,
-});
-```
-#### Methods
-##### `verify()`
-Verify a delegation credential.
-```typescript
-async verify(options: DelegationVerificationOptions): Promise<DelegationVerificationResult>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.credential` | `DelegationCredential` | The delegation to verify |
-| `options.expectedAudience?` | `string` | Expected audience (must match) |
-| `options.expectedSubject?` | `string` | Expected subject DID (must match) |
-| `options.checkChain?` | `boolean` | Verify entire delegation chain |
-| `options.now?` | `Date` | Current time for expiration checks |
-**Returns:** `Promise<DelegationVerificationResult>` - Verification result
-**Example:**
-```typescript
-const result = await verifier.verify({
-  credential: delegation,
-  expectedAudience: 'https://api.example.com',
-  checkChain: true,
-});
-if (result.verified) {
-  console.log('✅ Delegation is valid');
-  console.log('Subject:', result.subject);
-  console.log('Issuer:', result.issuer);
-  console.log('Constraints:', result.constraints);
-} else {
-  console.error('❌ Verification failed:', result.error);
-  if (result.statusRevoked) {
-    console.error('  Reason: Credential revoked');
-  }
-  if (result.expired) {
-    console.error('  Reason: Credential expired');
-  }
-}
-```
-##### `verifyChain()`
-Verify a complete delegation chain.
-```typescript
-async verifyChain(delegation: DelegationCredential): Promise<ChainVerificationResult>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `delegation` | `DelegationCredential` | The delegation at the end of the chain |
-**Returns:** `Promise<ChainVerificationResult>` - Chain verification result
-**Example:**
-```typescript
-// Verify multi-level delegation chain
-const result = await verifier.verifyChain(leafDelegation);
-if (result.valid) {
-  console.log('✅ Chain is valid');
-  console.log('Chain length:', result.chain.length);
-  console.log('Root issuer:', result.rootIssuer);
-  // Print chain
-  for (const [i, delegation] of result.chain.entries()) {
-    console.log(`  Level ${i}: ${delegation.issuer} → ${delegation.credentialSubject.id}`);
-  }
-} else {
-  console.error('❌ Chain verification failed');
-  console.error('  Invalid at level:', result.invalidAtLevel);
-  console.error('  Reason:', result.error);
-}
-```
----
-### DelegationGraph
-Manages delegation relationships and cascading revocation.
-#### Constructor
-```typescript
-new DelegationGraph(options?: DelegationGraphOptions)
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.storage?` | `GraphStorage` | Custom graph storage backend |
-**Example:**
-```typescript
-import { DelegationGraph } from '@kya-os/mcp-i-core';
-const graph = new DelegationGraph();
-```
-#### Methods
-##### `addDelegation()`
-Add a delegation to the graph.
-```typescript
-async addDelegation(delegation: DelegationCredential): Promise<void>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `delegation` | `DelegationCredential` | The delegation to add |
-**Example:**
-```typescript
-// Build delegation graph
-await graph.addDelegation(parentDelegation);
-await graph.addDelegation(childDelegation1);
-await graph.addDelegation(childDelegation2);
-console.log('Graph size:', await graph.size());
-```
-##### `getChildren()`
-Get all direct children of a delegation.
-```typescript
-async getChildren(delegationId: string): Promise<DelegationCredential[]>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `delegationId` | `string` | ID of the parent delegation |
-**Returns:** `Promise<DelegationCredential[]>` - Array of child delegations
-**Example:**
-```typescript
-const children = await graph.getChildren(parentDelegation.id);
-console.log(`Found ${children.length} children`);
-for (const child of children) {
-  console.log(`  - ${child.id} (issued to ${child.credentialSubject.id})`);
-}
-```
-##### `getDescendants()`
-Get all descendants (recursive) of a delegation.
-```typescript
-async getDescendants(delegationId: string): Promise<DelegationCredential[]>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `delegationId` | `string` | ID of the ancestor delegation |
-**Returns:** `Promise<DelegationCredential[]>` - Array of all descendants
-**Example:**
-```typescript
-// Get entire subtree
-const descendants = await graph.getDescendants(rootDelegation.id);
-console.log(`Total descendants: ${descendants.length}`);
-```
-##### `revokeDelegation()`
-Revoke a delegation and optionally all descendants.
-```typescript
-async revokeDelegation(
-  delegationId: string,
-  statusListManager: StatusList2021Manager,
-  options?: RevocationOptions
-): Promise<RevocationResult>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `delegationId` | `string` | ID of delegation to revoke |
-| `statusListManager` | `StatusList2021Manager` | Status list manager |
-| `options.cascade?` | `boolean` | Revoke all descendants (default: true) |
-**Returns:** `Promise<RevocationResult>` - Revocation result with list of revoked IDs
-**Example:**
-```typescript
-// Revoke parent and all children
-const result = await graph.revokeDelegation(
-  parentDelegation.id,
-  statusListManager,
-  { cascade: true }
-);
-console.log('Revoked delegations:', result.revokedIds.length);
-for (const id of result.revokedIds) {
-  console.log(`  - ${id}`);
-}
-```
-##### `getPath()`
-Get the path from root to a delegation.
-```typescript
-async getPath(delegationId: string): Promise<DelegationCredential[]>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `delegationId` | `string` | ID of target delegation |
-**Returns:** `Promise<DelegationCredential[]>` - Array of delegations from root to target
-**Example:**
-```typescript
-const path = await graph.getPath(leafDelegation.id);
-console.log('Delegation chain:');
-for (const [i, delegation] of path.entries()) {
-  console.log(`  ${i + 1}. ${delegation.issuer} → ${delegation.credentialSubject.id}`);
-}
-```
----
-## StatusList2021
-### StatusList2021Manager
-Manages StatusList2021 credentials for revocation.
-#### Constructor
-```typescript
-new StatusList2021Manager(options: StatusList2021ManagerOptions)
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.issuerDid` | `string` | DID of the status list issuer |
-| `options.statusListUrl` | `string` | Public URL where status list will be hosted |
-| `options.storage` | `StatusList2021Storage` | Storage backend for bitstrings |
-| `options.privateKeyJwk?` | `JsonWebKey` | Private key for signing status lists |
-**Example:**
-```typescript
-import { StatusList2021Manager, InMemoryStatusListStorage } from '@kya-os/mcp-i-core';
-const manager = new StatusList2021Manager({
-  issuerDid: 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
-  statusListUrl: 'https://issuer.example.com/status/1',
-  storage: new InMemoryStatusListStorage(),
-  privateKeyJwk: issuerPrivateKey,
-});
-```
-#### Methods
-##### `createStatusList()`
-Create a new status list credential.
-```typescript
-async createStatusList(options: CreateStatusListOptions): Promise<StatusListCredential>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.id` | `string` | Status list credential ID (URL) |
-| `options.purpose` | `'revocation' \| 'suspension'` | Purpose of the status list |
-| `options.length?` | `number` | Initial bitstring length (default: 131072) |
-**Returns:** `Promise<StatusListCredential>` - The status list credential
-**Example:**
-```typescript
-const statusListVC = await manager.createStatusList({
-  id: 'https://issuer.example.com/status/1',
-  purpose: 'revocation',
-});
-console.log('Status list created:', statusListVC.id);
-```
-##### `allocateIndex()`
-Allocate the next available index in the status list.
-```typescript
-async allocateIndex(): Promise<number>
-```
-**Returns:** `Promise<number>` - The allocated index
-**Example:**
-```typescript
-const index = await manager.allocateIndex();
-console.log('Allocated index:', index);
-// Use in credential
-const credentialStatus = {
-  id: `${statusListUrl}#${index}`,
-  type: 'StatusList2021Entry',
-  statusPurpose: 'revocation',
-  statusListIndex: index.toString(),
-  statusListCredential: statusListUrl,
-};
-```
-##### `revokeCredential()`
-Revoke a credential by setting its status list bit to 1.
-```typescript
-async revokeCredential(index: number): Promise<void>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `index` | `number` | Status list index to revoke |
-**Example:**
-```typescript
-await manager.revokeCredential(42);
-console.log('Credential at index 42 revoked');
-```
-##### `unrevokeCredential()`
-Unrevoke a credential by setting its status list bit to 0.
-```typescript
-async unrevokeCredential(index: number): Promise<void>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `index` | `number` | Status list index to unrevoke |
-**Example:**
-```typescript
-await manager.unrevokeCredential(42);
-console.log('Credential at index 42 restored');
-```
-##### `batchRevoke()`
-Revoke multiple credentials atomically.
-```typescript
-async batchRevoke(indexes: number[]): Promise<void>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `indexes` | `number[]` | Array of indexes to revoke |
-**Example:**
-```typescript
-await manager.batchRevoke([42, 100, 250, 1337]);
-console.log('4 credentials revoked');
-```
-##### `checkStatus()`
-Check if a credential is revoked.
-```typescript
-async checkStatus(index: number): Promise<boolean>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `index` | `number` | Status list index to check |
-**Returns:** `Promise<boolean>` - `true` if revoked, `false` if valid
-**Example:**
-```typescript
-const isRevoked = await manager.checkStatus(42);
-if (isRevoked) {
-  console.log('Credential is revoked');
-} else {
-  console.log('Credential is valid');
-}
-```
-##### `getStatusList()`
-Get the current status list credential.
-```typescript
-async getStatusList(url: string): Promise<StatusListCredential>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `url` | `string` | Status list URL |
-**Returns:** `Promise<StatusListCredential>` - The status list credential
-**Example:**
-```typescript
-const statusListVC = await manager.getStatusList(
-  'https://issuer.example.com/status/1'
-);
-console.log('Encoded bitstring:', statusListVC.credentialSubject.encodedList);
-```
-##### `getMetrics()`
-Get status list metrics.
-```typescript
-async getMetrics(): Promise<StatusListMetrics>
-```
-**Returns:** `Promise<StatusListMetrics>` - Status list metrics
-**Example:**
-```typescript
-const metrics = await manager.getMetrics();
-console.log('Metrics:', {
-  allocatedIndexes: metrics.allocatedIndexes,
-  revokedCount: metrics.revokedCount,
-  revocationRate: (metrics.revokedCount / metrics.allocatedIndexes * 100).toFixed(2) + '%',
-  compressedSize: (metrics.compressedSize / 1024).toFixed(2) + 'KB',
-  compressionRatio: (metrics.uncompressedSize / metrics.compressedSize).toFixed(2) + 'x',
-});
-```
----
-### StatusList2021Storage
-Storage interface for status list bitstrings.
-#### Interface
-```typescript
-interface StatusList2021Storage {
-  getBitstring(statusListId: string): Promise<Uint8Array | null>;
-  setBitstring(statusListId: string, bitstring: Uint8Array): Promise<void>;
-  deleteBitstring(statusListId: string): Promise<void>;
-}
-```
-#### Implementations
-##### InMemoryStatusListStorage
-In-memory storage (for development/testing).
-```typescript
-import { InMemoryStatusListStorage } from '@kya-os/mcp-i-core';
-const storage = new InMemoryStatusListStorage();
-```
-##### RedisStatusListStorage
-Redis-backed storage (for production).
-```typescript
-import { RedisStatusListStorage } from '@kya-os/mcp-i-core';
-import Redis from 'ioredis';
-const redis = new Redis(process.env.REDIS_URL);
-const storage = new RedisStatusListStorage({
-  client: redis,
-  keyPrefix: 'statuslist:',
-  ttl: 86400, // 24 hours
-});
-```
-##### DynamoDBStatusListStorage
-AWS DynamoDB storage (for production).
-```typescript
-import { DynamoDBStatusListStorage } from '@kya-os/mcp-i-core';
-import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
-const dynamodb = new DynamoDBClient({ region: 'us-east-1' });
-const storage = new DynamoDBStatusListStorage({
-  client: dynamodb,
-  tableName: 'StatusLists',
-  ttl: 86400,
-});
-```
----
-## Schema Verification
-### SchemaVerifier
-Verifies implementations against JSON Schema draft-07 schemas.
-#### Constructor
-```typescript
-new SchemaVerifier(options?: SchemaVerifierOptions)
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `options.schemaRegistry?` | `SchemaRegistry` | Custom schema registry |
-| `options.strictMode?` | `boolean` | Enable strict validation (default: true) |
-**Example:**
-```typescript
-import { SchemaVerifier } from '@kya-os/mcp-i-core';
-const verifier = new SchemaVerifier({
-  strictMode: true,
-});
-```
-#### Methods
-##### `registerSchema()`
-Register a schema for validation.
-```typescript
-async registerSchema(name: string, schemaUrl: string): Promise<void>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `name` | `string` | Schema identifier |
-| `schemaUrl` | `string` | URL to JSON Schema |
-**Example:**
-```typescript
-await verifier.registerSchema(
-  'delegation-credential',
-  'https://schemas.kya-os.ai/delegation-credential.schema.json'
-);
-```
-##### `verifySchema()`
-Verify an implementation against a registered schema.
-```typescript
-async verifySchema(schemaName: string, implementation: any): Promise<SchemaComplianceReport>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `schemaName` | `string` | Registered schema name |
-| `implementation` | `any` | Implementation to verify |
-**Returns:** `Promise<SchemaComplianceReport>` - Compliance report
-**Example:**
-```typescript
-const report = await verifier.verifySchema('delegation-credential', myDelegation);
-if (report.compliant) {
-  console.log('✅ 100% compliant');
-} else {
-  console.log(`❌ ${report.compliancePercentage}% compliant`);
-  // Show issues
-  console.log('Missing fields:', report.missingFields);
-  for (const [field, result] of Object.entries(report.fieldCompliance)) {
-    if (result.typeMatch === 'mismatch') {
-      console.log(`Field '${field}':`);
-      console.log(`  Expected: ${result.expectedType}`);
-      console.log(`  Actual: ${result.actualType}`);
-    }
-  }
-}
-```
-##### `verifyAll()`
-Verify implementation against multiple schemas.
-```typescript
-async verifyAll(
-  schemas: string[],
-  implementation: any
-): Promise<FullComplianceReport>
-```
-**Parameters:**
-| Name | Type | Description |
-|------|------|-------------|
-| `schemas` | `string[]` | Array of schema names |
-| `implementation` | `any` | Implementation to verify |
-**Returns:** `Promise<FullComplianceReport>` - Compliance report for all schemas
-**Example:**
-```typescript
-const report = await verifier.verifyAll(
-  ['delegation-credential', 'delegation-constraints'],
-  myDelegation
-);
-console.log(`Overall compliance: ${report.overallCompliance}%`);
-for (const [schema, result] of Object.entries(report.schemaResults)) {
-  console.log(`${schema}: ${result.compliancePercentage}%`);
-}
-```
----
-### SchemaRegistry
-Registry for managing schemas.
-#### Constructor
-```typescript
-new SchemaRegistry(options?: SchemaRegistryOptions)
-```
-**Example:**
-```typescript
-import { SchemaRegistry } from '@kya-os/mcp-i-core';
-const registry = new SchemaRegistry();
-```
-#### Methods
-##### `register()`
-Register a schema.
-```typescript
-async register(name: string, schema: any): Promise<void>
-```
-##### `get()`
-Get a registered schema.
-```typescript
-async get(name: string): Promise<any>
-```
-##### `has()`
-Check if schema is registered.
-```typescript
-async has(name: string): Promise<boolean>
-```
-##### `list()`
-List all registered schemas.
-```typescript
-async list(): Promise<string[]>
-```
----
-## Types
-### DelegationCredential
-W3C Verifiable Credential for delegation.
-```typescript
-interface DelegationCredential {
-  '@context': string[];
-  id: string;
-  type: string[];
-  issuer: string;
-  issuanceDate: string;
-  expirationDate?: string;
-  credentialSubject: {
-    id: string;
-    constraints: DelegationConstraints;
-  };
-  credentialStatus?: CredentialStatus;
-  proof: Ed25519Proof;
-}
-```
-### DelegationConstraints
-CRISP constraints for delegation.
-```typescript
-interface DelegationConstraints {
-  // Cost constraints
-  budget?: {
-    maxCost: number;
-    currency: string;
-  };
-  // Resource constraints
-  resources?: {
-    maxRequests?: number;
-    maxTokens?: number;
-    maxStorage?: number;
-  };
-  // Identity constraints
-  identity?: {
-    requiredDid?: string;
-    allowedIssuers?: string[];
-  };
-  // Scope constraints
-  scope?: {
-    allowedTools?: string[];
-    allowedResources?: string[];
-    deniedTools?: string[];
-    deniedResources?: string[];
-  };
-  // Purpose constraints
-  purpose?: {
-    description: string;
-    category?: string;
-  };
-  // Time constraints
-  time?: {
-    notBefore?: string;
-    notAfter?: string;
-    maxDuration?: number;
-  };
-}
-```
-### DelegationVerificationResult
-Result of delegation verification.
-```typescript
-interface DelegationVerificationResult {
-  verified: boolean;
-  error?: string;
-  subject?: string;
-  issuer?: string;
-  constraints?: DelegationConstraints;
-  statusRevoked?: boolean;
-  expired?: boolean;
-  signatureValid?: boolean;
-}
-```
-### CredentialStatus
-StatusList2021 credential status.
-```typescript
-interface CredentialStatus {
-  id: string;
-  type: 'StatusList2021Entry';
-  statusPurpose: 'revocation' | 'suspension';
-  statusListIndex: string;
-  statusListCredential: string;
-}
-```
-### StatusListCredential
-StatusList2021 credential.
-```typescript
-interface StatusListCredential {
-  '@context': string[];
-  id: string;
-  type: string[];
-  issuer: string;
-  issuanceDate: string;
-  credentialSubject: {
-    id: string;
-    type: 'StatusList2021';
-    statusPurpose: 'revocation' | 'suspension';
-    encodedList: string;
-  };
-  proof: Ed25519Proof;
-}
-```
-### SchemaComplianceReport
-Schema compliance verification report.
-```typescript
-interface SchemaComplianceReport {
-  schemaName: string;
-  schemaUrl: string;
-  compliant: boolean;
-  compliancePercentage: number;
-  totalFields: number;
-  compliantFields: number;
-  fieldCompliance: Record<string, FieldComplianceResult>;
-  missingFields: string[];
-  extraFields: string[];
-  typeMismatches: Record<string, { expected: string; actual: string }>;
-}
-```
-### FieldComplianceResult
-Field-level compliance result.
-```typescript
-interface FieldComplianceResult {
-  present: boolean;
-  expectedType: string;
-  actualType: string | null;
-  typeMatch: 'match' | 'mismatch' | 'absent';
-  valueMatch: 'match' | 'mismatch' | 'absent';
-}
-```
----
-## Utilities
-### `createSchemaVerifier()`
-Factory function to create a SchemaVerifier with default settings.
-```typescript
-function createSchemaVerifier(options?: SchemaVerifierOptions): SchemaVerifier
-```
-**Example:**
-```typescript
-import { createSchemaVerifier } from '@kya-os/mcp-i-core';
-const verifier = createSchemaVerifier();
-await verifier.registerSchema('my-schema', 'https://example.com/schema.json');
-```
-### `verifyDelegation()`
-Helper function to verify a delegation credential.
-```typescript
-async function verifyDelegation(
-  options: DelegationVerificationOptions
-): Promise<DelegationVerificationResult>
-```
-**Example:**
-```typescript
-import { verifyDelegation } from '@kya-os/mcp-i-core';
-const result = await verifyDelegation({
-  credential: delegation,
-  expectedAudience: 'https://api.example.com',
-  checkStatus: true,
-});
-if (result.verified) {
-  console.log('✅ Valid delegation');
-}
-```
-### `parseDID()`
-Parse a DID string into components.
-```typescript
-function parseDID(did: string): ParsedDID
-```
-**Example:**
-```typescript
-import { parseDID } from '@kya-os/mcp-i-core';
-const parsed = parseDID('did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK');
-console.log({
-  method: parsed.method, // 'key'
-  id: parsed.id,         // 'z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
-  full: parsed.full,     // full DID string
-});
-```
-### `canonicalHash()`
-Create a canonical hash of data.
-```typescript
-async function canonicalHash(
-  data: any,
-  algorithm: 'sha256' | 'sha512'
-): Promise<string>
-```
-**Example:**
-```typescript
-import { canonicalHash } from '@kya-os/mcp-i-core';
-const hash = await canonicalHash({ foo: 'bar' }, 'sha256');
-console.log(hash); // "sha256:abc123..."
-```
----
-## Error Handling
-All async methods may throw errors. Always use try-catch:
-```typescript
-import { DelegationIssuer, DelegationError } from '@kya-os/mcp-i-core';
-try {
-  const delegation = await issuer.issue({
-    subjectDid: 'did:key:z6Mkr...',
-    constraints: { /* ... */ },
-  });
-} catch (error) {
-  if (error instanceof DelegationError) {
-    console.error('Delegation error:', error.message);
-    console.error('Code:', error.code);
-  } else {
-    console.error('Unexpected error:', error);
-  }
-}
-```
-### Common Error Codes
-| Code | Description |
-|------|-------------|
-| `INVALID_DID` | DID format is invalid |
-| `INVALID_CONSTRAINTS` | Constraints do not meet schema requirements |
-| `SIGNATURE_FAILED` | Cryptographic signature verification failed |
-| `STATUS_REVOKED` | Credential has been revoked |
-| `EXPIRED` | Credential has expired |
-| `CHAIN_INVALID` | Delegation chain verification failed |
-| `SCHEMA_INVALID` | Schema validation failed |
-| `STATUS_LIST_UNAVAILABLE` | Cannot fetch status list |
----
-## Complete Examples
-### Example 1: Full Delegation Lifecycle
-```typescript
-import {
-  DelegationIssuer,
-  DelegationVerifier,
-  StatusList2021Manager,
-  InMemoryStatusListStorage,
-} from '@kya-os/mcp-i-core';
-async function delegationLifecycle() {
-  // 1. Setup
-  const issuerDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-  const delegateDid = 'did:key:z6MkrWXJPkxPCuQF7RqeKZFdZqBXz3oCG7PUty5dXLKGzELj';
-  // 2. Create status list manager
-  const statusListManager = new StatusList2021Manager({
-    issuerDid,
-    statusListUrl: 'https://issuer.example.com/status/1',
-    storage: new InMemoryStatusListStorage(),
-  });
-  await statusListManager.createStatusList({
-    id: 'https://issuer.example.com/status/1',
-    purpose: 'revocation',
-  });
-  // 3. Create issuer
-  const issuer = new DelegationIssuer({
-    issuerDid,
-    privateKeyJwk: issuerPrivateKey,
-    statusListManager,
-  });
-  // 4. Issue delegation
-  const delegation = await issuer.issueWithStatus({
-    subjectDid: delegateDid,
-    constraints: {
-      scope: {
-        allowedTools: ['read_file'],
-        allowedResources: ['/documents/*'],
-      },
-      time: {
-        notAfter: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-      },
-    },
-  });
-  console.log('✅ Delegation issued:', delegation.id);
-  // 5. Verify delegation
-  const verifier = new DelegationVerifier();
-  const result1 = await verifier.verify({
-    credential: delegation,
-    checkStatus: true,
-    statusListFetcher: async (url) => {
-      return await statusListManager.getStatusList(url);
-    },
-  });
-  console.log('✅ Verification 1:', result1.verified);
-  // 6. Revoke delegation
-  const statusIndex = parseInt(delegation.credentialStatus!.statusListIndex);
-  await statusListManager.revokeCredential(statusIndex);
-  console.log('🔒 Delegation revoked');
-  // 7. Verify again (should fail)
-  const result2 = await verifier.verify({
-    credential: delegation,
-    checkStatus: true,
-    statusListFetcher: async (url) => {
-      return await statusListManager.getStatusList(url);
-    },
-  });
-  console.log('❌ Verification 2:', result2.verified); // false
-  console.log('   Status revoked:', result2.statusRevoked); // true
-}
-```
-### Example 2: Delegation Chains
-```typescript
-import {
-  DelegationIssuer,
-  DelegationGraph,
-  StatusList2021Manager,
-} from '@kya-os/mcp-i-core';
-async function delegationChains() {
-  const issuer = new DelegationIssuer({ /* ... */ });
-  const graph = new DelegationGraph();
-  const statusListManager = new StatusList2021Manager({ /* ... */ });
-  // Issue root delegation
-  const root = await issuer.issue({
-    subjectDid: 'did:key:alice',
-    constraints: {
-      scope: { allowedTools: ['*'] },
-    },
-  });
-  // Issue child delegation
-  const child = await issuer.issue({
-    subjectDid: 'did:key:bob',
-    constraints: {
-      scope: { allowedTools: ['read_file'] },
-    },
-    parentDelegation: root.id,
-  });
-  // Issue grandchild delegation
-  const grandchild = await issuer.issue({
-    subjectDid: 'did:key:charlie',
-    constraints: {
-      scope: { allowedTools: ['read_file'] },
-    },
-    parentDelegation: child.id,
-  });
-  // Build graph
-  await graph.addDelegation(root);
-  await graph.addDelegation(child);
-  await graph.addDelegation(grandchild);
-  // Get chain
-  const chain = await graph.getPath(grandchild.id);
-  console.log('Chain length:', chain.length); // 3
-  // Revoke root (cascades to all children)
-  await graph.revokeDelegation(root.id, statusListManager, { cascade: true });
-  console.log('All delegations revoked');
-}
-```
----
-## TypeScript Configuration
-For best TypeScript experience, use these settings:
-```json
-{
-  "compilerOptions": {
-    "target": "ES2020",
-    "module": "commonjs",
-    "lib": ["ES2020"],
-    "strict": true,
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true,
-    "resolveJsonModule": true
-  }
-}
-```
----
-## Further Reading
-- [W3C VC Delegation Guide](./W3C_VC_DELEGATION_GUIDE.md)
-- [StatusList2021 Guide](./STATUSLIST2021_GUIDE.md)
-- [Compliance Matrix](./COMPLIANCE_MATRIX.md)
-- [W3C Verifiable Credentials](https://www.w3.org/TR/vc-data-model/)
-- [W3C StatusList2021](https://www.w3.org/TR/vc-status-list-2021/)